
Evasive Panda utilizes Monlam Festival to reach Tibetans


ESET researchers recently uncovered a sophisticated cyberespionage campaign targeting Tibetans through a strategic web compromise and a supply-chain compromise involving trojanized installers of Tibetan language translation software. The attackers deployed malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a newly discovered backdoor called Nightdoor.

The malicious activity began in September 2023 and has been linked to the China-aligned Evasive Panda APT group, which has a history of targeting individuals and organizations in China, Hong Kong, Macao, Nigeria, and Southeast and East Asia. The group uses a custom malware framework with a modular architecture, allowing its backdoor, MgBot, to receive modules to spy on victims and enhance its capabilities. Evasive Panda has also been known to deliver backdoors via adversary-in-the-middle attacks, hijacking updates of legitimate software.

This recent campaign leveraged the Monlam Festival, a religious gathering, to target Tibetans in various countries and territories. The attackers compromised the website of the festival organizer in India, adding malicious code to create a watering-hole attack targeting users from specific networks. Additionally, a software developer’s supply chain was compromised, and trojanized installers for Windows and macOS were distributed to users.

The compromised website belonging to Kagyu International Monlam Trust in India was used as a watering hole to target users in India, Taiwan, Hong Kong, Australia, and the United States. The attackers inserted a script into the website that checked visitors’ IP addresses and displayed a fake error page prompting users to download a malicious file posing as a certificate. This file was actually a downloader that initiated the next stage of the compromise chain.

Furthermore, the attackers compromised a software development company in India that produces Tibetan language translation software, serving trojanized applications and payloads for Windows and macOS. The attackers also utilized a Tibetan news website, Tibetpost, to host the malicious downloads, including two full-featured backdoors for Windows and additional payloads for macOS.

The watering-hole attack used a selective delivery mechanism keyed on the visitor's IP address: the injected script compared salted MD5 hashes derived from the address against a hard-coded list, so only visitors from chosen networks were served the payload. By brute-forcing the salt used to generate those hashes, researchers were able to identify 74 targeted IP address ranges, primarily in India, Taiwan, Australia, the United States, and Hong Kong. The majority of the Tibetan diaspora resides in India, making it a prime target for the attackers.
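The hashed-IP gating described above, and the salt brute-force that turns the opaque hash list back into readable target ranges, as an added Python illustration; this is not code from the ESET report or from the compromised site, and the /24-prefix input format, the two-letter salt alphabet and every address below are constructed assumptions chosen so the search runs in seconds.

```python
import hashlib
import itertools
import string

# Constructed demo values; the real salt, hash list and input format are not reproduced here.
SALT_ALPHABET = string.ascii_lowercase
SALT_LEN = 2  # assumption: real salt spaces are larger, this keeps the demo fast

def ip_prefix(ip: str) -> str:
    """Reduce a dotted-quad IPv4 address to its /24 prefix 'a.b.c' (assumed gating key)."""
    return ".".join(ip.split(".")[:3])

def salted_md5(prefix: str, salt: str) -> str:
    """MD5 over prefix + salt, the hypothetical form the gating script computed."""
    return hashlib.md5((prefix + salt).encode("ascii")).hexdigest()

def build_allowlist(prefixes, salt):
    """What the injected script ships: opaque hashes, no readable network ranges."""
    return frozenset(salted_md5(p, salt) for p in prefixes)

def is_targeted(ip: str, allowlist, salt) -> bool:
    """Gating check as evaluated in the visitor's browser: payload only on a hit."""
    return salted_md5(ip_prefix(ip), salt) in allowlist

def recover_salt(allowlist, candidate_prefixes, alphabet=SALT_ALPHABET, salt_len=SALT_LEN):
    """Analyst step 1: the correct salt is the candidate under which the most
    hashes resolve to plausible /24 prefixes; wrong salts give ~zero hits."""
    best_salt, best_hits = None, 0
    for chars in itertools.product(alphabet, repeat=salt_len):
        salt = "".join(chars)
        hits = sum(1 for p in candidate_prefixes if salted_md5(p, salt) in allowlist)
        if hits > best_hits:
            best_salt, best_hits = salt, hits
    return best_salt, best_hits

def recover_prefixes(allowlist, salt, candidate_prefixes):
    """Analyst step 2: with the salt known, hash each candidate /24 and keep those present."""
    return sorted(p for p in candidate_prefixes if salted_md5(p, salt) in allowlist)

# Constructed scenario: four gated /24s (documentation ranges) behind hidden salt "qz".
HIDDEN_SALT = "qz"
TARGET_PREFIXES = ["198.51.100", "203.0.113", "192.0.2", "198.18.5"]
ALLOWLIST = build_allowlist(TARGET_PREFIXES, HIDDEN_SALT)
# Analyst search space: every /24 under four /16 blocks (assumption about where victims sit).
CANDIDATE_PREFIXES = [f"{a}.{b}.{c}" for a, b in [(198, 51), (203, 0), (192, 0), (198, 18)]
                      for c in range(256)]
```

A defender who finds such a hash list in JavaScript injected into a compromised site can apply the same two steps to learn which networks were singled out and notify their owners.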

On Windows systems, victims were served a malicious executable that deployed a side-loading chain to load an intermediate downloader, followed by another stage that delivered the Nightdoor backdoor as the final payload. On macOS, a similar downloader was used to execute the same sequence of malicious activity, ultimately leading to the deployment of Nightdoor.

Nightdoor is a newly discovered backdoor that has not been publicly documented. It is a sophisticated tool used by the attackers to spy on victims and maintain access to compromised systems. The Evasive Panda APT group’s use of Nightdoor in this campaign highlights their advanced capabilities and their ongoing efforts to conduct cyberespionage operations targeting specific individuals and organizations.

In conclusion, the discovery of this cyberespionage campaign targeting Tibetans highlights the ongoing threat posed by sophisticated APT groups like Evasive Panda. The use of watering hole attacks, supply-chain compromises, and custom malware frameworks demonstrates the evolving tactics and techniques employed by malicious actors in cyberspace. ESET researchers continue to monitor and analyze these threats to protect individuals and organizations from cyberattacks.
