Overview
A sophisticated cyber espionage campaign has been attributed to a China-linked advanced persistent threat (APT) group. This campaign involved poisoning Domain Name System (DNS) requests to deliver its signature MgBot backdoor in targeted attacks against victims in Türkiye, China, and India.
Timeline
The activity was observed between November 2022 and November 2024 by Kaspersky Lab.
Targeting
The attacks were specifically aimed at victims in Türkiye, China, and India, highlighting the group's strategic targeting based on geopolitical interests.
Threat Analysis
The campaign employed DNS poisoning as a means to evade detection and deliver malware. This technique involves manipulating DNS responses so that lookups for legitimate hostnames resolve to attacker-controlled servers hosting the MgBot backdoor.
MgBot Backdoor
MgBot is a type of malware that can perform various functions, including data exfiltration, keystroke logging, and remote command execution. Its delivery through DNS poisoning makes it particularly insidious as it bypasses traditional firewall defenses.
Implications
This campaign underscores the increasing sophistication of cyber threats originating from China. It also highlights the importance of robust DNS security measures to protect against such evasive attacks.
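One such DNS security measure is to compare what the local resolver returns with what an out-of-band validating resolver returns for the same name, and alert on answers the trusted path never produced. The following is an added example written for this summary, not code from Kaspersky or from the campaign; the log format, resolver addresses and sample lines are constructed.

```python
"""Flag DNS answers from the local resolver that a trusted resolver never returned."""
from collections import defaultdict
import ipaddress

# Constructed sample log (not from any real incident).
# Format per line: "<timestamp> <resolver-ip> <qname> <answer-ip> <ttl>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 192.0.2.53 update.example.org 198.51.100.10 3600
2024-03-01T10:00:01Z 9.9.9.9 update.example.org 198.51.100.10 3600
2024-03-01T10:05:12Z 192.0.2.53 update.example.org 203.0.113.77 60
2024-03-01T10:05:12Z 9.9.9.9 update.example.org 198.51.100.10 3600
2024-03-01T10:06:00Z 192.0.2.53 www.example.com 198.51.100.20 300
2024-03-01T10:06:00Z 9.9.9.9 www.example.com 198.51.100.20 300
"""

TRUSTED_RESOLVER = "9.9.9.9"  # assumption: an out-of-band, DNSSEC-validating resolver
LOW_TTL = 120                 # assumption: unusually short TTLs are worth highlighting


def parse_dns_log(text):
    """Parse the constructed log format into a list of dicts; malformed IPs raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, resolver, qname, answer, ttl = line.split()
        ipaddress.ip_address(answer)  # reject garbage before it reaches the comparison
        records.append({"ts": ts, "resolver": resolver, "qname": qname.lower(),
                        "answer": answer, "ttl": int(ttl)})
    return records


def find_divergent_answers(records, trusted=TRUSTED_RESOLVER, low_ttl=LOW_TTL):
    """Return one alert per local-resolver answer that the trusted resolver never gave."""
    trusted_answers = defaultdict(set)
    for r in records:
        if r["resolver"] == trusted:
            trusted_answers[r["qname"]].add(r["answer"])
    alerts = []
    for r in records:
        if r["resolver"] == trusted or r["qname"] not in trusted_answers:
            continue  # no trusted baseline for this name; nothing to compare against
        if r["answer"] not in trusted_answers[r["qname"]]:
            alerts.append({"ts": r["ts"], "qname": r["qname"], "answer": r["answer"],
                           "ttl": r["ttl"], "low_ttl": r["ttl"] < low_ttl})
    return alerts


if __name__ == "__main__":
    for alert in find_divergent_answers(parse_dns_log(SAMPLE_LOG)):
        print(alert)
```

Names with no trusted-resolver baseline are skipped rather than alerted, so the check only speaks where it has evidence; the low-TTL flag is a secondary signal, not proof of poisoning on its own.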