Keypoints
- Attackers modified a Kagyu Monlam website JavaScript to fingerprint visitors and present a fake crash page that prompts OS‑specific “certificate” downloads (certificate.exe / certificate.pkg) as malicious downloaders.
- Victim selection used an MD5‑based check: the watering‑hole fetched an MD5 from update.devicebug[.]com and compared it to a list of 74 hashes computed from the first three octets of the visitor IP plus a server salt (1qaz0okm!@#).
- A software vendor’s download site (monlamit[.]com) was supply‑chain compromised to host trojanized ZIPs and installers that side‑load malicious DLLs (RPHost.dll, memmgrset.dll) and drop intermediate downloaders (default_ico.exe) leading to Nightdoor or MgBot deployment.
- Windows chain: certificate.exe → DLL side‑loading (memmgrset.dll/http_dy.dll) → fetch config.json from update.devicebug[.]com → download next stage → side‑load Nightdoor. macOS chain: trojanized .pkg installs a Mach‑O that listens on TCP 63403 to answer the watering‑hole check and fetches JSON for next stage, using LaunchAgents for persistence.
- Nightdoor uses Google Drive as C2 (encrypted OAuth2 token), creates a per‑victim folder named by MAC, exchanges commands as files (filename encodes metadata), and reorganizes command handling via a branch table; it supports data collection, file operations, reverse shell, tunneling, and exfiltration to cloud storage.
MITRE Techniques
- [T1583.004] Acquire Infrastructure: Server – Evasive Panda acquired servers for the C&C infrastructure of Nightdoor, MgBot, and the macOS downloader component. (‘Evasive Panda acquired servers for the C&C infrastructure of Nightdoor, MgBot, and the macOS downloader component.’)
- [T1583.006] Acquire Infrastructure: Web Services – Evasive Panda used Google Drive’s web service for Nightdoor’s C&C infrastructure. (‘Evasive Panda used Google Drive’s web service for Nightdoor’s C&C infrastructure.’)
- [T1584.004] Compromise Infrastructure: Server – Operators compromised several servers to use as watering holes, host payloads, and act as C&C. (‘Evasive Panda operators compromised several servers to use as watering holes… and to host payloads and use as C&C servers.’)
- [T1585.003] Establish Accounts: Cloud Accounts – Attackers created a Google Drive account and used it as C&C infrastructure. (‘Evasive Panda created a Google Drive account and used it as C&C infrastructure.’)
- [T1587.001] Develop Capabilities: Malware – The group developed/deployed custom implants such as MgBot and Nightdoor. (‘Evasive Panda deployed custom implants such as MgBot, Nightdoor, and a macOS downloader component.’)
- [T1588.003] Obtain Capabilities: Code Signing Certificates – The campaign used obtained code‑signing certificates to sign macOS binaries. (‘Evasive Panda obtained code‑signing certificates.’)
- [T1608.004] Stage Capabilities: Drive-by Target – The attackers modified a high‑profile website to render a fake notification that prompts a malware download. (‘modified a high-profile website to add a piece of JavaScript code that renders a fake notification to download malware.’)
- [T1189] Drive-by Compromise – Visitors to compromised websites could be enticed by a fake error page to download OS‑specific payloads. (‘Visitors to compromised websites may receive a fake error message enticing them to download malware.’)
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – Official installer packages were trojanized on the software vendor’s site. (‘Evasive Panda trojanized official installer packages from a software company.’)
- [T1106] Native API – Nightdoor, MgBot, and their loaders use native Windows APIs to create processes. (‘Nightdoor, MgBot, and their intermediate downloader components use Windows APIs to create processes.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Loader components created scheduled tasks (e.g., creating Demovale task). (‘Nightdoor and MgBot’s loader components can create scheduled tasks.’)
- [T1543.003] Create or Modify System Process: Windows Service – Loader components can create Windows services for persistence. (‘Nightdoor and MgBot’s loader components can create Windows services.’)
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Droppers use legitimate executables to side‑load malicious DLLs (e.g., RPHost.dll, memmgrset.dll). (‘Nightdoor and MgBot’s dropper components deploy a legitimate executable file that side-loads a malicious loader.’)
- [T1140] Deobfuscate/Decode Files or Information – DLL components are decrypted in memory before use. (‘DLL components of the Nightdoor implant are decrypted in memory.’)
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – Nightdoor adds Windows Firewall rules to allow its proxy/server traffic. (‘Nightdoor adds two Windows Firewall rules to allow inbound and outbound communication for its HTTP proxy server functionality.’)
- [T1070.004] Indicator Removal: File Deletion – Nightdoor and MgBot include file deletion capabilities. (‘Nightdoor and MgBot can delete files.’)
- [T1070.009] Indicator Removal: Clear Persistence – The backdoors can uninstall themselves to clear persistence. (‘Nightdoor and MgBot can uninstall themselves.’)
- [T1036.004] Masquerading: Masquerade Task or Service – Nightdoor disguises tasks (e.g., as netsvcs). (‘Nightdoor’s loader disguised its task as netsvcs.’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Installer deploys components into legitimate system directories. (‘Nightdoor’s installer deploys its components into legitimate system directories.’)
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – Dropper contains embedded encrypted blobs and payloads that are deployed on disk. (‘Nightdoor’s dropper component contains embedded malicious files that are deployed on disk.’)
- [T1055.001] Process Injection: Dynamic-link Library Injection – Loader components inject into svchost.exe. (‘Nightdoor and MgBot’s loader components inject themselves into svchost.exe.’)
- [T1620] Reflective Code Loading – Loaders inject into svchost.exe and load backdoors from memory. (‘Nightdoor and MgBot’s loader components inject themselves into svchost.exe, from where they load the Nightdoor or MgBot backdoor.’)
- [T1087.001] Account Discovery: Local Account – Backdoors collect local user account information. (‘Nightdoor and MgBot collect user account information from the compromised system.’)
- [T1083] File and Directory Discovery – Nightdoor and MgBot enumerate files and directories for collection. (‘Nightdoor and MgBot can collect information from directories and files.’)
- [T1057] Process Discovery – The malware collects information on running processes. (‘Nightdoor and MgBot collect information about processes.’)
- [T1012] Query Registry – Backdoors query the Windows registry to find installed software. (‘Nightdoor and MgBot query the Windows registry to find information about installed software.’)
- [T1518] Software Discovery – The implants enumerate installed software and services. (‘Nightdoor and MgBot collect information about installed software and services.’)
- [T1033] System Owner/User Discovery – The malware collects system owner/user details. (‘Nightdoor and MgBot collect user account information from the compromised system.’)
- [T1082] System Information Discovery – Wide system profiling is performed (OS, adapters, CPU, etc.). (‘Nightdoor and MgBot collect a wide range of information about the compromised system.’)
- [T1049] System Network Connections Discovery – Active TCP/UDP connections are enumerated. (‘Nightdoor and MgBot can collect data from all active TCP and UDP connections on the compromised machine.’)
- [T1560] Archive Collected Data – Collected data is stored in encrypted files before exfiltration. (‘Nightdoor and MgBot store collected data in encrypted files.’)
- [T1119] Automated Collection – The implants automatically collect system and network information. (‘Nightdoor and MgBot automatically collect system and network information about the compromised machine.’)
- [T1005] Data from Local System – Backdoors collect OS and user data from local storage. (‘Nightdoor and MgBot collect information about the operating system and user data.’)
- [T1074.001] Data Staged: Local Data Staging – Data is staged locally for exfiltration. (‘Nightdoor and MgBot stage data for exfiltration in files on disk.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Nightdoor uses HTTP-based communications for C2. (‘Nightdoor communicates with the C&C server using HTTP.’)
- [T1095] Non-Application Layer Protocol – Nightdoor can use UDP; MgBot uses TCP. (‘Nightdoor communicates with the C&C server using UDP. MgBot communicates with the C&C server using TCP.’)
- [T1571] Non-Standard Port – MgBot uses TCP port 21010 for C2 communication. (‘MgBot uses TCP port 21010.’)
- [T1572] Protocol Tunneling – Nightdoor can act as an HTTP proxy to tunnel TCP traffic. (‘Nightdoor can act as an HTTP proxy server, tunneling TCP communication.’)
- [T1102] Web Service – Nightdoor leverages Google Drive as a web service for C2. (‘Nightdoor uses Google Drive for C&C communication.’)
- [T1020] Automated Exfiltration – Nightdoor and MgBot automatically exfiltrate collected data. (‘Nightdoor and MgBot automatically exfiltrate collected data.’)
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Nightdoor exfiltrates files to Google Drive. (‘Nightdoor can exfiltrate its files to Google Drive.’)
Indicators of Compromise
- [Domain] C2 / payload hosting – update.devicebug[.]com, tibetpost[.]net
- [Compromised website] Supply‑chain / downloads – www.monlamit[.]com, kagyumonlam[.]org (malicious JS)
- [IP address] Nightdoor dropper download server – 188.208.141[.]204, and targeted CIDR 128.61.64.0/24 (Georgia Tech)
- [File hash] Dropper / downloader examples – SHA-1 7A3FC280F79578414D71D70609FBDB49EC6AD648 (Nightdoor downloader), FA44028115912C95B5EFB43218F3C7237D5C349F (RPHost.dll), and 20 more hashes
- [Filenames] Trojanized installers / droppers – certificate.exe, default_ico.exe, autorun.exe, and many other trojanized installer filenames
- [Certificate] macOS signing certificate serial – 49:43:74:D8:55:3C:A9:06:F5:76:74:E2:4A:13:E9:33 (Apple Development: ya ni yang / 2289F6V4BN) used to sign macOS Mach‑O
Evasive Panda’s watering‑hole used obfuscated JavaScript appended to a jQuery library that first probes localhost (http://localhost:63403/?callback=handleCallback) to detect an existing intermediate downloader; if absent, the script requests an MD5 value from update.devicebug[.]com and checks it against an embedded array of 74 hashes. The hash input is the first three octets of the visitor IP plus a server salt; ESET recovered the salt (1qaz0okm!@#), enabling enumeration of the targeted network prefixes. When a match occurs the script renders a fake “Aw, Snap!” crash page and serves an OS‑specific “Immediate Fix” payload URL (certificate.exe for Windows, certificate.pkg for macOS).
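The victim-selection check above is reproducible on the defender's side once the salt is known, which is how the targeted /24 prefixes were enumerated. The following Python is an added example, not code from the page or from ESET: it hashes a visitor's first three octets with the recovered salt and tests the result against a hash list, and it checks an organisation's own CIDR ranges the same way. The page does not state the exact concatenation of prefix and salt, so the `prefix + salt` form is an assumption, and `EXAMPLE_HASH_LIST` is a constructed stand-in for the 74-entry array, which the page does not reproduce.

```python
import hashlib
import ipaddress

# Server-side salt ESET recovered from the watering-hole logic (value from the page).
SALT = "1qaz0okm!@#"


def network_prefix(ip: str) -> str:
    """First three octets of an IPv4 address ('128.61.64.10' -> '128.61.64').
    The script keyed its check on this /24-granularity value, not the full address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on bad input
    return ".".join(octets[:3])


def candidate_hash(prefix: str, salt: str = SALT) -> str:
    """MD5 the script would look up in its embedded hash array.
    ASSUMPTION: the input is the bare prefix immediately followed by the salt; the page
    says only 'first three octets plus a server salt', not the exact concatenation."""
    return hashlib.md5((prefix + salt).encode("utf-8")).hexdigest()


def is_targeted(ip: str, hash_list: set, salt: str = SALT) -> bool:
    """True if this visitor's /24 prefix hashes to an entry of the embedded list."""
    return candidate_hash(network_prefix(ip), salt) in hash_list


def recover_targeted_prefixes(hash_list: set, candidates, salt: str = SALT) -> list:
    """Reverse the selection the way a defender can once the salt is known: hash every
    candidate prefix you care about and keep those that appear in the list."""
    return sorted(p for p in candidates if candidate_hash(p, salt) in hash_list)


# CONSTRUCTED stand-in for the real 74-entry array (not published on this page).
# It encodes the Georgia Tech prefix the page names plus one documentation-range prefix.
EXAMPLE_HASH_LIST = {candidate_hash("128.61.64"), candidate_hash("203.0.113")}


def own_ranges_hit(own_cidrs, hash_list: set = EXAMPLE_HASH_LIST) -> list:
    """Check every /24 inside an organisation's own CIDRs against the hash list."""
    prefixes = set()
    for cidr in own_cidrs:
        net = ipaddress.IPv4Network(cidr, strict=False)
        subs = [net] if net.prefixlen >= 24 else net.subnets(new_prefix=24)
        for sub in subs:
            prefixes.add(network_prefix(str(sub.network_address)))
    return recover_targeted_prefixes(hash_list, prefixes)


if __name__ == "__main__":
    print("targeted /24s in own ranges:", own_ranges_hit(["128.61.0.0/16", "198.51.100.0/24"]))
```

Because only the first three octets are hashed, one array entry selects an entire /24; replacing `EXAMPLE_HASH_LIST` with the published list lets a network owner answer "was any of my address space on the target list" without touching the compromised site.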
Windows infection chains: certificate.exe acts as a dropper that side‑loads memmgrset.dll (http_dy.dll), which fetches config.json from update.devicebug[.]com/assets_files/config.json to retrieve the next‑stage URL; that next stage can create further side‑loads to install Nightdoor or MgBot (via default_ico.exe variants).
Supply‑chain trojans on monlamit[.]com were distributed as ZIPs whose autorun.exe launched MonlamUpdate.exe (a legitimate executable abused for DLL side‑loading) to load RPHost.dll, a malicious downloader that fetched UpdateInfo.dat and dropped default_ico.exe into %TEMP% for execution; some samples were compiled in Rust.
macOS trojanized .pkg files included a Mach‑O binary and a postinstall script that copies the binary to $HOME/Library/Containers/CalendarFocusEXT/ and installs a LaunchAgent (com.Terminal.us.plist) for persistence. The Mach‑O listens on TCP 63403 and replies handleCallback({'success':true}) so the watering‑hole script will not re‑attempt compromise. The macOS stages fetch the same UpdateInfo.dat JSON and enforce architecture, mac key, md5 and optional vernow (hardware UUID) checks before execution; the malicious Mach‑O was signed with an Apple Development certificate that was later revoked.
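The chains above leave observable traces in HTTP request logs (the config.json and UpdateInfo.dat fetches, the payload hosts, the localhost:63403 probe) and on the host (the LaunchAgent, the CalendarFocusEXT directory, the 63403 listener, the Demovale task). The following Python is an added example, not code from the page or from ESET: it scans request log lines for the page's network indicators and checks a host inventory for its persistence artifacts. The log line format, the sample log and the sample host inventory are all constructed for the example; the indicator values come from the page with defanging brackets removed.

```python
import re
from posixpath import basename
from urllib.parse import urlsplit

# Network indicators from the page, defanging brackets removed so they match real URLs.
IOC_HOSTS = {"update.devicebug.com", "tibetpost.net", "188.208.141.204"}
IOC_PATH_SUFFIXES = ("/assets_files/config.json", "/UpdateInfo.dat")
IOC_FILENAMES = {"certificate.exe", "certificate.pkg", "default_ico.exe", "autorun.exe"}
DOWNLOADER_PORT = 63403  # the intermediate downloader answers the watering-hole probe here

# Host artifacts from the page: macOS LaunchAgent label, install directory, scheduled task name.
IOC_LAUNCHAGENT = "com.Terminal.us.plist"
IOC_INSTALL_DIR = "CalendarFocusEXT"
IOC_TASK_NAME = "Demovale"

# ASSUMED line shape: "<timestamp> <client> <METHOD> <url> <status>"; adapt to your log source.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})")


def classify_url(url: str) -> list:
    """Return every indicator reason that applies to one requested URL (empty if none)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append("known C2/payload host")
    if host in ("localhost", "127.0.0.1") and parts.port == DOWNLOADER_PORT \
            and "callback=handleCallback" in parts.query:
        reasons.append("watering-hole downloader probe")
    if parts.path.endswith(IOC_PATH_SUFFIXES):
        reasons.append("known payload path")
    if basename(parts.path) in IOC_FILENAMES:
        reasons.append("known payload filename")
    return reasons


def scan_http_log(lines) -> dict:
    """Map 1-based numbers of matching log lines to their indicator reasons."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-classify
        reasons = classify_url(m.group("url"))
        if reasons:
            hits[n] = reasons
    return hits


def check_host_artifacts(file_paths, listening_ports, scheduled_tasks) -> list:
    """Given a host inventory (paths present, TCP ports listening, scheduled task names),
    return the page's persistence and loader artifacts that are present."""
    found = []
    for p in file_paths:
        if basename(p) == IOC_LAUNCHAGENT:
            found.append(f"LaunchAgent {p}")
        if IOC_INSTALL_DIR in p.split("/"):
            found.append(f"install dir {p}")
    if DOWNLOADER_PORT in listening_ports:
        found.append(f"listener on tcp/{DOWNLOADER_PORT}")
    if IOC_TASK_NAME in scheduled_tasks:
        found.append(f"scheduled task {IOC_TASK_NAME}")
    return found


# CONSTRUCTED sample request log: one clean request, then a sequence shaped like the chain.
SAMPLE_LOG = [
    "2024-01-15T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2024-01-15T10:01:09Z 10.0.0.5 GET http://localhost:63403/?callback=handleCallback 000",
    "2024-01-15T10:01:10Z 10.0.0.5 GET https://update.devicebug.com/assets_files/config.json 200",
    "2024-01-15T10:01:12Z 10.0.0.5 GET https://update.devicebug.com/certificate.exe 200",
    "2024-01-15T10:02:00Z 10.0.0.7 GET https://example.org/UpdateInfo.dat 200",
]

# CONSTRUCTED sample macOS host inventory (the legitimate com.apple.Terminal.plist is a distractor).
SAMPLE_HOST = {
    "paths": [
        "/Users/alice/Library/LaunchAgents/com.Terminal.us.plist",
        "/Users/alice/Library/Containers/CalendarFocusEXT",
        "/Users/alice/Library/Preferences/com.apple.Terminal.plist",
    ],
    "ports": {22, 63403},
    "tasks": {"Demovale", "GoogleUpdateTaskMachineUA"},
}

if __name__ == "__main__":
    for n, reasons in scan_http_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
    for a in check_host_artifacts(SAMPLE_HOST["paths"], SAMPLE_HOST["ports"], SAMPLE_HOST["tasks"]):
        print("host artifact:", a)
```

The localhost probe is issued by the browser, so it will not appear in a proxy log; it is worth matching in endpoint or browser telemetry, where a request to 127.0.0.1:63403 with `callback=handleCallback` is a strong signal that a visitor hit the injected script. A request for UpdateInfo.dat from an unknown host is lower confidence on its own and is best correlated with the other indicators.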
Nightdoor’s C2 is implemented over Google Drive: an encrypted OAuth2 token in the binary allows the implant to create a victim folder named by MAC address and exchange command messages as files whose filenames encode metadata (magic value, protobuf header, size, command type/ID, QoS, MAC placeholder). The variant reorganizes command handling into a branch table (continuous command ID indexing) and supports broad espionage functions—system profiling, file operations (move/delete), reverse shell, process/registry discovery, reflective and DLL injection into svchost.exe, firewall rule modification, HTTP proxying/tunneling, and automated exfiltration to cloud storage—typically delivered via the multi‑stage side‑loading and downloader chains described above.