Facundo Munoz
Last known affiliation: ESET
Bio: Facundo Muñoz began his career as an independent researcher and in 2021 he joined the ESET Latin America team as a Security Intelligence Analyst, where he has been investigating and tracking campaigns of advanced threat actors, and has made contributions to the analysis of the Latin American cybercrime ecosystem.
Alexis Dorais-Joncas 🗣 | Facundo Munoz 🗣
Air-gapping is used to protect the most sensitive of networks: voting systems, ICSes running power grids, or SCADA systems operating nuclear centrifuges, just to name a few. In the first half of 2020 alone, three malicious frameworks devised to breach air-gapped networks emerged, making a grand total of 17 since Stuxnet in 2010. This prompted us to step back and reanalyze all of those frameworks from the vantage point of having discovered and analyzed three of them ourselves in the past six years. We put the frameworks in perspective to see what history could teach us about improving air-gapped network security and our ability to detect future attacks.
This exhaustive analysis allowed us to isolate several major similarities shared by all of them, even those 10 years apart. We pinpoint the specific areas of air-gapped networks that malware constantly leverages and provide objective advice on how to best prioritize the deployment of resources to increase security.
Facundo Munoz 🗣 | Anh Ho 🗣
Evasive Panda, a China-aligned APT group engaged in cyberespionage since 2012, has recently introduced a not yet publicly documented backdoor, which we have named Nightdoor.
Prior to this discovery, Evasive Panda was well known for distributing and operating MgBot, a full-featured backdoor with a modular architecture. In our blog post from April 2023 titled “Evasive Panda APT group delivers malware via updates for popular Chinese software”, we described how Evasive Panda might leverage adversary-in-the-middle (AitM) capabilities to deliver MgBot through legitimately initiated Tencent QQ software updates, targeting China from 2020 to 2022. In 2023, we found more victims in Turkey and Kyrgyzstan affected by similar AitM attacks. We were able to extract the compromise chain, which began with legitimate update requests from IObit or CorelDraw software that were answered with a malicious downloader specifically designed for AitM attacks. Subsequent stages included a dropper that iteratively executes 12 pieces of shellcode, followed by a multistage loading chain for MgBot.
Within the same timeframe, Evasive Panda conducted another operation involving the new Nightdoor backdoor. The victims included an engineering and chip manufacturing company in South Korea (2022–2023), a religious organization in Taiwan (2022), and a government entity in Vietnam (2020). These attacks tended to happen at nighttime, which inspired us to name the backdoor Nightdoor.
In this presentation, we provide an overview of Evasive Panda operations, victimology, and TTPs. Following this, we describe the compromise chains for both MgBot and Nightdoor and address some overlaps with the GIMMICK malware. Subsequently, we present our hypothesis regarding the method used to achieve AitM capability, based on our analysis of the victims’ environments and the incidents. Finally, we delve into the features of Nightdoor, including its set of 32 commands, its network protocols, and configuration extraction.