
China-Linked Cyber Spies Utilize Watering Hole and Supply Chain Attacks


A recent cyberattack linked to a Chinese threat group has targeted visitors to a Buddhism festival website and users of a Tibetan language translation application. The Evasive Panda hacking team, known for their sophisticated tactics, conducted the attack beginning in September 2023, impacting systems in India, Taiwan, Australia, the United States, and Hong Kong, according to a report by cybersecurity firm ESET.

The attackers compromised the websites of an India-based organization promoting Tibetan Buddhism, a development company producing Tibetan language translation software, and the news website Tibetpost. The compromised websites served malicious programs that infected visitors with droppers and backdoors, including the group’s preferred MgBot and a new backdoor called Nightdoor.

ESET researcher Anh Ho, who discovered the attack, highlighted the range of attack vectors used in the campaign: an adversary-in-the-middle attack delivered through a software update, a watering hole attack, and phishing emails. Ho noted that combining a supply chain attack and a watering hole attack within the same campaign demonstrates the resources available to the Evasive Panda group.

Evasive Panda, a relatively small team specializing in surveillance activities in Asia and Africa, has been associated with previous attacks on telecommunications firms. Its activity has been tracked as Operation Tainted Love by SentinelOne and the group is named Granite Typhoon by Microsoft and Daggerfly by Symantec; it also overlaps with the cybercriminal and espionage group APT41 identified by Google Mandiant.

The Evasive Panda group, active since 2012, is well known for supply chain attacks and has previously used stolen code-signing credentials and application updates to infect systems in China and Africa. In this latest campaign, the group compromised a website for the Tibetan Buddhist Monlam festival and planted payloads on a compromised Tibetan news site. It also targeted users by compromising a developer of Tibetan translation software and distributing Trojanized applications.

The group’s custom malware framework, MgBot, is a modular tool that can download additional components, execute code, steal data, and spy on compromised victims. The introduction of Nightdoor in 2020 further expanded their capabilities, allowing for communication with a command-and-control server to issue commands, upload data, and create a reverse shell.

ESET attributed this latest campaign to the Evasive Panda APT group based on the use of MgBot and Nightdoor malware. The firm’s analysis highlighted the group’s consistent use of these tools in previous attacks, including one targeting a religious organization in Taiwan.

Overall, the Evasive Panda group’s ability to carry out sophisticated cyberattacks against individuals and organizations across multiple countries underscores the ongoing threat posed by advanced threat actors. As organizations and individuals continue to rely on digital platforms for communication and transactions, it is essential to remain vigilant and take proactive measures to protect against such threats.
