Tibetan institutions cyber-attacked by China-linked threat

By Tsering Dhundup

DHARAMSHALA, March 9: A cyber threat group with ties to China, identified as Evasive Panda, has been found to be responsible for a series of targeted cyberattacks against Tibetan users since September 2023 reported ESET on Thursday. The attacks, discovered by cybersecurity researchers at ESET in January 2024, encompass both watering hole and supply chain attack methods.

A watering hole attack is a form of cyberattack that targets groups of users by infecting websites that they commonly visit. Watering hole attackers lurk on niche websites waiting for a chance to infect websites, and in turn, infect their victims with malware.

A supply chain attack is a type of cyberattack carried out against an organization’s suppliers as a means to gain unauthorized access to that organization’s systems or data. Sometimes called value chain or third-party software attacks, they involve significant planning by threat actors to use malicious code to infiltrate an organization’s systems, and they can have a devastating blast radius after the initial compromise.

The report revealed that Evasive Panda’s objective in these attacks is to distribute malicious downloaders designed for both Windows and macOS systems, incorporating a known backdoor dubbed MgBot along with a previously undocumented Windows implant referred to as Nightdoor. ESET’s investigation revealed that the threat actors compromised at least three websites to carry out watering hole attacks, as well as infiltrating a Tibetan software company’s supply chain.

According to the report, the compromised websites include Kagyu International Monlam Trust, a religious organization based in India that promotes Tibetan Buddhism internationally. The attack might have been intended to capitalize on international interest in the Kagyu Monlam which is held annually in January in the city of Bodhgaya, India.

The attacks involved strategically compromising the website of the Kagyu International Monlam Trust, where the attackers inserted a script to identify potential victims’ IP addresses. If the IP address matches one of the targeted ranges, users are presented with a fake error page prompting them to download a purported ‘fix’ named certificate, which in reality is a malicious downloader.

The report further stated that this attack specifically targets users in India, Taiwan, Hong Kong, Australia, and the U.S., suggesting a concerted effort to reach Tibetan communities across various countries and territories. The executable files, named “certificate.exe” for Windows and “certificate. pkg” for macOS, serve as conduits for loading the Nightdoor implant, which then utilizes the Google Drive API for command-and-control purposes.

Furthermore, the attackers also compromised a Tibetan software company Monlam IT’s website and its supply chain. The attackers also utilized the compromised website and a Tibetan news website, Tibet Post International, to host payloads obtained through malicious downloads, including backdoors for Windows and payloads for macOS.

The trojanized Windows installer initiates a complex multi-stage attack sequence to deliver either MgBot or Nightdoor, both equipped with various functionalities such as system information gathering, file operations, and remote shell spawning. ESET noted that Evasive Panda deployed several downloaders, droppers, and backdoors throughout the campaign, highlighting MgBot and Nightdoor as key components of the threat group’s arsenal, with Nightdoor being a recent addition primarily used to target networks in East Asia.