A new variant of the MgBot malware was discovered earlier this month; it is being used by Chinese threat actors to target users in Hong Kong and India. First spotted on 2nd July, the malware masquerades as an archive document from the Indian government. It carries malicious templates that can load and infect the device with a Cobalt Strike variant.
From there, the malware drops, injects, and executes MgBot by abusing the Windows Application Management service. According to Malwarebytes' research, the same payload was also delivered as an archive file containing a statement about Hong Kong from Boris Johnson, the British Prime Minister.
A Malwarebytes security researcher also stated that a Chinese state-sponsored actor is behind the campaign, which reflects the ongoing tensions between China and both India and Hong Kong.
How Does the Attack Take Place?
- First, a Cobalt Strike variant is spread via phishing emails and abuses the Dynamic Data Exchange (DDE) protocol to execute the malicious code.
- Second, the injected stage continues to use specific code and templates to inject the malware.
- Third, MgBot fetches and executes the final payload.
- The MgBot malware is dropped as a DLL and executed with the “net start AppMgmt” command, which starts the Application Management service.
- A cmd file is also created, which executes the payload and then removes any traces of the cmd and loader files from the victim’s device.
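As an added defender-side illustration (not code from the article or the Malwarebytes report), the Python below runs over constructed Sysmon-style process-creation events and flags the two chain steps described above: the Application Management service being started with “net start AppMgmt” from a document-borne process chain, and a cmd file then deleting the script and loader. The Office process names, file paths and event fields are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation records: (pid, ppid, image, command line).
# Invented for this example; not telemetry from the MgBot campaign.
SAMPLE_EVENTS = [
    (3300, 1200, r"C:\Windows\explorer.exe", "explorer.exe"),
    (4012, 3300, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'WINWORD.EXE /n "C:\Users\u\Downloads\statement.docx"'),
    (4100, 4012, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.cmd"),
    (4120, 4100, r"C:\Windows\System32\net.exe", "net start AppMgmt"),
    (4150, 4100, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c del /f /q C:\Users\u\AppData\Local\Temp\run.cmd C:\Users\u\AppData\Local\Temp\loader.dll"),
    # An administrator starting the service from an explorer-launched console: no document ancestor.
    (5100, 3300, r"C:\Windows\System32\net.exe", "net start AppMgmt"),
]

# Assumed document-handling entry points for the phishing stage (Office process names).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Ways of starting the Application Management service from a command line.
APPMGMT_START = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+start\s+AppMgmt\b", re.IGNORECASE)
# A cmd.exe deleting script or DLL files: the clean-up step the article describes.
CLEANUP = re.compile(r"\bdel\b[^&|]*\.(?:cmd|bat|dll)\b", re.IGNORECASE)

def ancestors(by_pid, pid):
    """Yield lower-cased image file names of pid's ancestors, nearest parent first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid][0]  # step to the parent
        if pid in by_pid:
            yield by_pid[pid][1].rsplit("\\", 1)[-1].lower()

def detect_mgbot_chain(events):
    """Return (pid, reason) findings for AppMgmt abuse and the follow-up clean-up."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings, appmgmt_parents = [], set()
    for pid, ppid, _image, cmd in events:
        if APPMGMT_START.search(cmd):
            appmgmt_parents.add(ppid)
            if DOCUMENT_APPS & set(ancestors(by_pid, pid)):
                findings.append((pid, "AppMgmt service started from a document-handling process chain"))
    for pid, ppid, _image, cmd in events:
        # A sibling of the service start that deletes .cmd/.dll files matches the loader clean-up.
        if ppid in appmgmt_parents and CLEANUP.search(cmd):
            findings.append((pid, "script/loader files deleted alongside the AppMgmt start"))
    return findings

if __name__ == "__main__":
    for pid, reason in detect_mgbot_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```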
The malware also has remote access trojan (RAT) capabilities, which it uses for taking screenshots, logging keystrokes, creating mutexes, manipulating processes, files, and folders, and much more. The criminals were also found using multiple IP addresses to host C&C servers and payloads, most of them located in Hong Kong.
Security researchers also believe that MgBot is used by the Chinese threat actors who also carried out the Rancor, APT40, and KeyBoy attacks.
How to Protect Yourself From the New MgBot Malware Variant?
Sound security practices are a must to fight malware like MgBot.
- Regularly update your device's software, firmware, and applications to patch security holes.
- Use a reputable antivirus program with strong built-in scanning capabilities.
- Avoid opening email attachments and links from unknown senders.
- Use an ad-blocker to block intrusive and malicious ads.
- Only use the Google Play Store and other official sources for downloading applications and programs.
- Remove old and obsolete applications that are no longer in use.
- Take regular backups to avoid data loss.
Ward off malware like MgBot by following these basic hygiene rules.