Evasive Panda APT poisons DNS requests to deliver MgBot
Overview
Kaspersky's GReAT team has released findings on a sophisticated attack by a group known as Evasive Panda APT. This group employs a technique that poisons DNS requests to deploy a malicious implant called MgBot. The attack chain includes the use of shellcode that is encrypted with DPAPI and RC5, making it harder to detect. This method poses a significant risk as it can compromise systems and networks by redirecting legitimate traffic to malicious sites. Organizations need to be aware of these tactics to prevent potential breaches and protect their infrastructure.
Key Takeaways
- Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
- Action Required: Organizations should monitor DNS requests for anomalies and implement security measures to detect and block malicious traffic.
- Timeline: Newly disclosed
Original Article Summary
Kaspersky GReAT experts analyze the Evasive Panda APT's infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.
Impact
Not specified
Exploitation Status
This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.
Timeline
Newly disclosed
Remediation
Organizations should monitor DNS requests for anomalies and implement security measures to detect and block malicious traffic. Regular updates to security software and employee training on phishing and social engineering tactics are also recommended.
Additional Information
This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.
Related Topics: This incident relates to APT, Malware, Kaspersky.