China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms

A Chinese advanced persistent threat (APT) is upgrading its espionage capabilities by developing and iterating on malware across operating systems (OSes).

Evasive Panda — which Symantec tracks as "Daggerfly" in a new blog post — has been known to target telecommunications companies, government agencies, nongovernmental organizations (NGOs), universities, and private individuals of interest to the Chinese state. Recently it has carried out a handful of attacks against similar targets, mostly located in Taiwan, plus one American NGO based in China. 

Though its victims are predictable, the platforms it targets for its chicanery are varied. Besides Windows and macOS, Symantec found evidence of Evasive Panda Trojanizing Android Package Kits (APKs), developing SMS and DNS request interception tools, and developing malware families around Linux and even Solaris OS.

"Their ability to develop malware for multiple different platforms is noteworthy," says Dick O'Brien, principal intelligence analyst for the Symantec threat hunter team. "It's not uncommon to see APT groups targeting two or three different platforms, but this group has the ambition and the skills to target every major platform, including some pretty niche ones like Solaris. That’s not something you see very often."

Daggerfly's Diverse Devices

Evasive Panda is at least a decade old. To keep things fresh after that long a time, it develops and builds on a variety of custom malware tools designed for different operating systems. Underpinning them all is a shared library or framework.

Its best known tool incorporating this shared code is the modular MgBot malware. MgBot has been used recently in attacks against the China-based American NGO, an African telecoms operator in 2023, and watering hole attacks late last year, where it worked alongside a newer tool, "Nightdoor," tracked by Symantec as "Trojan.Suzafk." 

Nightdoor is loaded onto newly infected systems alongside the legitimate DAEMON Tools Lite program for creating and mounting virtual disk drives, and a dynamic link library (DLL) that establishes persistence via scheduled tasks. The final payload — a multistage backdoor — uses TCP or OneDrive for command-and-control (C2), and comes embedded with the open source (OSS) tool "al-khaser." Al-khaser markets itself as a proof-of-concept (PoC) application "that aims to stress your anti-malware system" by incorporating various anti-analysis tricks.

When Evasive Panda wants to attack a Mac, it uses Macma, a backdoor celebrating a half-decade in the wild this year. Like its Windows cousins, Macma has been used in various watering hole attacks. In 2021, for instance, it was deployed against media and protestors fighting for an independent Hong Kong. It can fingerprint devices, upload and download files from them, capture keystrokes, screenshots, and audio, and more.

Recently, on top of developing new backdoors, Evasive Panda has updated Macma in a variety of mostly minor ways. That, O'Brien says, "shows evidence of ongoing, iterative development. While some of these tweaks may help in avoiding detection, by subtly altering the malware's fingerprint, the main thing this tells us is that they have that capacity for continuous development, where they can continually roll out new versions, making small improvements and fixing bugs."