Chinese Threat Actor Uses New MgBot Variant in Attacks on India, Hong Kong

A Chinese threat actor was observed earlier this month targeting victims in India and Hong Kong with a new variant of the MgBot malware, Malwarebytes reports.

The attack was initially observed on July 2, in the form of an archive containing a document supposedly coming from the Indian government, but which was designed to drop a malicious template that would then load a Cobalt Strike variant.

The next day, the template would drop the MgBot loader, and Malwarebytes’ security researchers observed it leveraging the Application Management (AppMgmt) service in Windows for the execution and injection of the final payload.

Several days later, the same payload was being delivered via an archive containing a document featuring a statement that British Prime Minister Boris Johnson made about Hong Kong.

These documents, Malwarebytes says, are likely authored by a Chinese state-sponsored actor active since at least 2014, and are representative of the ongoing tensions between China and India, as well as China and Hong Kong.

The first of the attacks, likely carried out through phishing emails, abuses the dynamic data exchange (DDE) protocol to run commands encoded within the malicious document. The injected payload is a variant of Cobalt Strike.

The second attack swaps the final payload and some of the techniques used to load malicious scripts, but still relies on templates for malware injection. Here the delivered component is the MgBot loader, which fetches and executes the final payload and also appears in the third attack.
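The two document-level techniques described above, DDE field codes and template injection, both leave traces inside the .docx package itself. The following is an added triage script, not Malwarebytes' tooling and not derived from the campaign's documents: it unzips a .docx and reports any DDE/DDEAUTO field code (including one split across several text runs) and any attached template whose relationship points to an external target. The sample document it builds uses placeholder program names and a placeholder URL (`example.invalid`), constructed here for the test.

```python
# Added example (not Malwarebytes' tooling or the campaign's documents): a
# triage check for DDE field codes and an externally attached (remote) template.
import io
import re
import zipfile

# Field codes live in <w:instrText> runs (one code may be split across several
# runs) or in the w:instr attribute of <w:fldSimple>.
_INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
_FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
_DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.I)
# A remote template is a relationship of type .../attachedTemplate with
# TargetMode="External", declared in word/_rels/settings.xml.rels.
_REL_RE = re.compile(r"<Relationship\b[^>]*>")
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_docx(data: bytes) -> dict:
    """Return {'dde': [field codes], 'remote_templates': [targets]} for a .docx blob."""
    findings = {"dde": [], "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Fields can sit in the body, headers, footers or footnotes: scan every part.
        for name in sorted(names):
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            instr = _INSTR_RE.findall(xml)
            hits = [c.strip() for c in instr + _FLDSIMPLE_RE.findall(xml)
                    if _DDE_RE.search(c)]
            # Runs split mid-keyword ("DD" + "EAUTO") only match once rejoined.
            if not hits and _DDE_RE.search("".join(instr)):
                hits = ["".join(instr).strip()]
            findings["dde"].extend(hits)
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            for rel in _REL_RE.findall(zf.read(rels).decode("utf-8", "replace")):
                attrs = dict(_ATTR_RE.findall(rel))
                if (attrs.get("Type", "").endswith("/attachedTemplate")
                        and attrs.get("TargetMode", "").lower() == "external"):
                    findings["remote_templates"].append(attrs.get("Target", ""))
    return findings


def build_sample_docx(with_dde: bool, remote_template=None) -> bytes:
    """Constructed minimal .docx for exercising the scanner (not a real lure)."""
    w = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    r = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    body = ""
    if with_dde:
        # Placeholder program and arguments; the keyword is split across two runs.
        body = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
                '<w:r><w:instrText xml:space="preserve">EAUTO PLACEHOLDER_PROGRAM '
                '"PLACEHOLDER_ARGS"</w:instrText></w:r>'
                '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    settings = f"<w:settings {w} {r}>"
    parts = {"word/document.xml": f"<w:document {w}><w:body>{body}</w:body></w:document>"}
    if remote_template:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        parts["word/_rels/settings.xml.rels"] = (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            f'2006/relationships/attachedTemplate" Target="{remote_template}" '
            'TargetMode="External"/></Relationships>')
    parts["word/settings.xml"] = settings + "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx(True, "http://example.invalid/t.dotm")))
```

An external attached template is not malicious on its own (corporate templates are sometimes hosted centrally), so the output is a triage signal to combine with the sender, the host the target points to, and whether the document also carries fields or macros.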

MgBot, which masquerades as a Realtek Audio Manager tool, escalates privileges using a UAC bypass technique and employs anti-analysis and anti-virtualization checks. The loader also modifies its own code sections at runtime to hinder static analysis.

The malware drops its payload as a DLL and executes it by running the net start AppMgmt command. It then writes a cmd file and runs it to delete both the loader and the cmd file from the victim system.

“We were able to identify several different variants of this loader. In general, all the variants drop the final payload using expand.exe or extrac32.exe and then use ‘net start AppMgmt’ or ‘net start StiSvc’ to execute the dropped DLL,” Malwarebytes notes.
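The loader chain quoted above (a drop through expand.exe or extrac32.exe, then net start AppMgmt or net start StiSvc to run the DLL, then a cmd file that removes the loader) is a sequence of process creations under one parent, which is what endpoint telemetry records. The script below is an added detection example, not Malwarebytes' logic: it correlates Sysmon-style process events by parent PID and alerts when a drop tool and a matching service start occur within a short window, reporting the cmd-file cleanup as a supporting indicator. Field names, paths and the sample events are constructed for the example.

```python
# Added example (not Malwarebytes' detection logic): correlate process-creation
# events for the drop -> "net start AppMgmt/StiSvc" chain the article describes.
import ntpath
import re
from collections import defaultdict

DROP_TOOLS = {"expand.exe", "extrac32.exe"}
NET_IMAGES = {"net.exe", "net1.exe"}
SERVICE_START_RE = re.compile(r"\bstart\s+(appmgmt|stisvc)\b", re.I)
CMD_SCRIPT_RE = re.compile(r"\.(cmd|bat)\b", re.I)


def _base(image: str) -> str:
    # ntpath handles Windows paths even when this runs on a non-Windows host.
    return ntpath.basename(image).lower()


def find_loader_chains(events, window=60):
    """Return one alert per (drop, service start) pair under the same parent
    within `window` seconds. Each event is a dict with ts (seconds), pid, ppid,
    image and cmdline, as a Sysmon process-creation record would supply."""
    by_parent = defaultdict(list)
    by_pid = {}
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
        by_pid[ev["pid"]] = ev
    alerts = []
    for ppid, children in by_parent.items():
        drops = [c for c in children if _base(c["image"]) in DROP_TOOLS]
        starts = [c for c in children
                  if _base(c["image"]) in NET_IMAGES and SERVICE_START_RE.search(c["cmdline"])]
        # The self-cleanup step: cmd.exe launched by the same parent with a script file.
        cleanup = any(_base(c["image"]) == "cmd.exe" and CMD_SCRIPT_RE.search(c["cmdline"])
                      for c in children)
        for d in drops:
            for s in starts:
                if 0 <= s["ts"] - d["ts"] <= window:
                    parent = by_pid.get(ppid)
                    alerts.append({
                        "parent_pid": ppid,
                        "parent_image": parent["image"] if parent else None,
                        "drop_cmd": d["cmdline"],
                        "start_cmd": s["cmdline"],
                        "self_cleanup": cleanup,
                    })
    return alerts


# Constructed events with hypothetical paths, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 5, "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\loader.exe", "cmdline": "loader.exe"},
    {"ts": 10, "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\expand.exe", "cmdline": "expand.exe payload.cab payload.dll"},
    {"ts": 12, "pid": 202, "ppid": 200, "image": r"C:\Windows\System32\net.exe", "cmdline": "net start AppMgmt"},
    {"ts": 12, "pid": 203, "ppid": 202, "image": r"C:\Windows\System32\net1.exe", "cmdline": r"C:\Windows\system32\net1 start AppMgmt"},
    {"ts": 15, "pid": 204, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c C:\Users\u\AppData\Local\Temp\cleanup.cmd"},
    # An admin shell that expands a driver cab and, an hour later, starts a service.
    {"ts": 1000, "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"ts": 1001, "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\expand.exe", "cmdline": r"expand.exe drivers.cab -F:* C:\drv"},
    {"ts": 4601, "pid": 302, "ppid": 300, "image": r"C:\Windows\System32\net.exe", "cmdline": "net start StiSvc"},
]

if __name__ == "__main__":
    for alert in find_loader_chains(SAMPLE_EVENTS):
        print(alert)
```

The time window is the main false-positive control: expand.exe and net start are both routine administrative commands, so the benign shell in the sample (cab extraction, then a service start an hour later) produces no alert at the default 60 seconds but does at a wide window, which the test checks. The parent image in each alert is what to pivot on next, since the loader is the process that spawned both children.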

The dropped payload pretends to be a Video Team Desktop App, supposedly created in April 2018, although the threat actor appears to have tampered with the creation timestamps. The file can pretend to perform legitimate services and uses anti-debugging and anti-virtualization techniques.

The security researchers say the malware has remote access Trojan (RAT) capabilities, which its operators can leverage for logging keystrokes, taking screenshots, manipulating files and folders, manipulating processes, creating mutexes, and communicating with the command and control (C&C) server over TCP.

The threat actor uses several IP addresses to host payloads and C&C servers, with most of these located in Hong Kong. Malwarebytes believes that the threat actor used IP addresses in Hong Kong in previous campaigns as well.

The researchers also identified malicious Android apps used by the Chinese actor, including a RAT capable of recording the screen and audio, locating the device, stealing user data (contact address, call logs, SMS messages, web history), and sending SMS messages.

The tactics, techniques and procedures (TTPs) used in these attacks were previously associated with Chinese threat actors such as Rancor, KeyBoy, and APT40, and Malwarebytes believes that the new attacks are the work of a Chinese APT that used a variant of MgBot in all of its previous campaigns.

Related: Chinese Hackers Target Air-Gapped Military Networks

Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
