Related Families: MgBot
Executive Summary
Evasive Panda was recently observed targeting Tibetans using a combination of strategic web compromise and supply chain attacks to deliver Nightdoor.
Key Takeaways
- Evasive Panda was recently observed targeting Tibetans in an espionage campaign.
- The threat actors used a combination of strategic web compromise of the Monlam Festival website and supply chain attacks on a Tibetan language software company in the campaign.
- The campaign delivered MgBot and another backdoor, dubbed Nightdoor.
What is Nightdoor?
Evasive Panda was recently observed targeting Tibetans using a combination of strategic web compromise and supply chain attacks. The threat actors used Nightdoor backdoor in this espionage campaign, which has been active since at least September 2023. ESET reported on this activity.
The threat actors leveraged the Monlam Festival to target Tibetans, compromising the website of the festival’s organizer, Kagyu International Monlam Trust, and adding malicious code for strategic web compromise and targeted attacks. The malicious script verifies the potential victim’s IP address. If the IP address falls within a targeted range of addresses, the user is shown a fake error message urging them to download a “fix”. The file, of course, is a malicious downloader. Targeted users were identified in India, Taiwan, Hong Kong, Australia, and the US.
Around September 2023, the threat actors also compromised the website of an Indian software development company that produces Tibetan language translation software. The supply chain compromise was used to deliver trojanized installers of the software. Evasive Panda used the malicious downloaders, targeting both Windows and macOS systems, to deliver MgBot and Nightdoor.
Nightdoor is a backdoor that was first observed in the wild in 2020. Evasive Panda first used it to target a high-profile entity in Vietnam. Despite being several years old, it is the group’s most recently identified custom tool. Nightdoor uses UDP or the Google Drive API to communicate with the C2. Nightdoor uses the victim’s MAC address as the victim ID and collects information about the victim machine, including but not limited to OS version, MAC address, IP address, CPU name, computer name, username, device driver names, local time, disk drive name, free and total space, file system type, installed applications, and running processes. Nightdoor creates a reverse shell and uses anonymous pipes to manage input and output. It can also obtain file attributes, move and delete files, and self-uninstall.
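The behaviours described above (Google Drive API or UDP for C2, a reverse shell spawned by the implant) can be turned into a simple hunting heuristic over endpoint telemetry. The example below is added here and is not PolySwarm or ESET code; the one-JSON-object-per-line event format, the field names, the process allowlist and the sample events are all assumptions constructed for illustration.

```python
"""Hunting heuristic derived from the Nightdoor traits described in the post.

Added example, not vendor code. Telemetry format (host, pid, image,
parent_image, event, proto, dest, dport) is an assumption; the sample
lines below are constructed, not real captures.
"""
import json
from collections import defaultdict

# Nightdoor's two C2 channels per the post: UDP and the Google Drive API.
DRIVE_API_HOSTS = {"www.googleapis.com"}
# Processes expected to talk to Drive; tune for your estate (assumed list).
DRIVE_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivesync.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

CONSTRUCTED_TELEMETRY = r"""
{"host":"ws1","pid":412,"image":"updater.exe","parent_image":"setup.exe","event":"process_create"}
{"host":"ws1","pid":412,"image":"updater.exe","event":"net_connect","proto":"tcp","dest":"www.googleapis.com","dport":443}
{"host":"ws1","pid":412,"image":"updater.exe","event":"net_connect","proto":"udp","dest":"203.0.113.9","dport":8080}
{"host":"ws1","pid":500,"image":"cmd.exe","parent_image":"updater.exe","event":"process_create"}
{"host":"ws2","pid":77,"image":"chrome.exe","event":"net_connect","proto":"tcp","dest":"www.googleapis.com","dport":443}
{"host":"ws2","pid":90,"image":"cmd.exe","parent_image":"explorer.exe","event":"process_create"}
"""

def score_hosts(lines):
    """Return {host: {"process": image, "signals": [...]}} for processes that
    show at least two Nightdoor-like traits: Drive API use from a non-browser,
    UDP to a non-DNS port, and spawning a shell (the reverse-shell stage)."""
    signals = defaultdict(set)  # (host, image) -> set of signal names
    for line in filter(None, (ln.strip() for ln in lines)):
        ev = json.loads(line)
        key = (ev["host"], ev["image"])
        if ev["event"] == "net_connect":
            if ev["dest"] in DRIVE_API_HOSTS and ev["image"].lower() not in DRIVE_ALLOWLIST:
                signals[key].add("drive_api_from_unexpected_process")
            if ev["proto"] == "udp" and ev["dport"] != 53:
                signals[key].add("udp_beacon_candidate")
        elif ev["event"] == "process_create" and ev["image"].lower() in SHELLS:
            # Attribute the shell spawn to the parent; the parent is the suspect.
            signals[(ev["host"], ev["parent_image"])].add("spawned_shell")
    # Any single signal is noisy on its own; require two or more per process.
    return {h: {"process": img, "signals": sorted(s)}
            for (h, img), s in signals.items() if len(s) >= 2}

if __name__ == "__main__":
    for host, hit in score_hosts(CONSTRUCTED_TELEMETRY.splitlines()).items():
        print(host, hit)
```

On the constructed data only ws1 is reported, because chrome.exe is allowlisted and explorer.exe spawning cmd.exe is a single, unremarkable signal.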
Who is Evasive Panda?
Evasive Panda, also known as Bronze Highland and Daggerfly, is a China-aligned threat actor group. Evasive Panda has been active since at least 2012 and is known to conduct espionage campaigns against individual targets in China, Hong Kong, Macao, and Nigeria. They have also targeted government entities in Southeast and East Asia, telecommunications entities in Africa, and unspecified entities in Hong Kong, India, and Malaysia. The group is known to use adversary-in-the-middle attacks, hijacking updates of legitimate software to deliver its backdoors. Other Evasive Panda TTPs include the use of a custom malware framework with a modular architecture and the MgBot and Nightdoor backdoors.
IOCs
PolySwarm has multiple samples of Nightdoor. You can use the following CLI command to search for all Nightdoor samples in our portal:
$ polyswarm link list -f Nightdoor