Botconf Author Listing

Evasive Panda, a China-aligned APT group engaged in cyberespionage since 2012, has recently introduced a not yet publicly documented backdoor, which we’ve named Nightdoor.

Prior to this discovery, Evasive Panda was well-known for distributing and operating MgBot, a full-featured backdoor with a modular architecture. In our blogpost from April 2023 titled “Evasive Panda APT group delivers malware via updates for popular Chinese software”, we described how Evasive Panda might leverage adversary in the middle (AitM) capabilities to deliver MgBot through legitimately initiated Tencent QQ software updates, targeting China from 2020 to 2022. In 2023, we found more victims in Turkey and Kyrgyzstan under similar AitM attacks. We were able to extract the compromise chain, which began with legitimate update requests from IObit or CorelDraw software that were answered with a malicious downloader specifically designed for AitM attacks. Subsequent stages included a dropper that iteratively executes 12 pieces of shellcode and a multistage loading chain for MgBot.

Within the same timeline, Evasive Panda conducted another operation involving the new Nightdoor backdoor. The victims included an engineering and chip manufactory company in South Korea (2022–2023), a religious organization in Taiwan (2022), and a government entity in Vietnam (2020). These attacks tended to happen at nighttime, which inspired us to name the backdoor Nightdoor.

In this presentation, we provide an overview of Evasive Panda operations, victimology, and TTPs. Following this, we describe the compromise chains for both MgBot and Nightdoor and address some overlaps with the GIMMICK malware. Subsequently, we present our hypothesis regarding the method used to achieve AitM capability, based on our analysis of the victim’s environments and the incidents. Finally, we delve into the features of Nightdoor, including the set of 32 commands, network protocols, and configuration extraction.