
Evasive Panda utilizes Monlam Festival to reach Tibetans


ESET researchers recently uncovered a sophisticated cyberespionage campaign targeting Tibetans through a strategic web compromise and a supply-chain compromise involving trojanized installers of Tibetan language translation software. The attackers deployed malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a newly discovered backdoor called Nightdoor.

The malicious activity began in September 2023 and has been linked to the China-aligned Evasive Panda APT group, which has a history of targeting individuals and organizations in China, Hong Kong, Macao, Nigeria, and Southeast and East Asia. The group uses a custom malware framework with a modular architecture, allowing its backdoor, MgBot, to receive modules to spy on victims and enhance its capabilities. Evasive Panda has also been known to deliver backdoors via adversary-in-the-middle attacks, hijacking updates of legitimate software.

This recent campaign leveraged the Monlam Festival, a religious gathering, to target Tibetans in various countries and territories. The attackers compromised the website of the festival organizer in India, adding malicious code to create a watering-hole attack targeting users from specific networks. Additionally, a software developer’s supply chain was compromised, and trojanized installers for Windows and macOS were distributed to users.

The compromised website belonging to Kagyu International Monlam Trust in India was used as a watering hole to target users in India, Taiwan, Hong Kong, Australia, and the United States. The attackers inserted a script into the website that checked visitors’ IP addresses and displayed a fake error page prompting users to download a malicious file posing as a certificate. This file was actually a downloader that initiated the next stage of the compromise chain.

Furthermore, the attackers compromised a software development company in India that produces Tibetan language translation software, serving trojanized applications and payloads for Windows and macOS. The attackers also utilized a Tibetan news website, Tibetpost, to host the malicious downloads, including two full-featured backdoors for Windows and additional payloads for macOS.

The watering-hole attack delivered payloads selectively, based on the visitor's IP address: the injected script compared a salted MD5 hash derived from the address against an embedded list of hashes, so only visitors from the intended networks were served the next stage. By brute-forcing the salt used to generate those hashes, researchers were able to identify 74 targeted IP address ranges, primarily in India, Taiwan, Australia, the United States, and Hong Kong. The majority of the Tibetan diaspora resides in India, making it a prime target for the attackers.
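The analysis step described above, recovering the targeted ranges from the hash list embedded in a watering-hole script, can be reproduced in miniature. The script below is an added example, not code from ESET, from the compromised site, or from the injected script: it assumes the check was `md5(salt + first two octets of the visitor IP)` compared against a hardcoded digest list (the exact hashed form used in the real script is not stated here), builds a constructed digest list from RFC 5737 documentation prefixes, and then recovers both the salt and the targeted /16 prefixes by trying a small constructed salt wordlist against every possible prefix. The names `fingerprint`, `recover_targets`, `SALT_CANDIDATES` and the demo salt are all hypothetical.

```python
import hashlib


def fingerprint(salt: str, prefix: str) -> str:
    """Assumed targeting check: MD5 of salt concatenated with the 'a.b' prefix
    of the visitor's IPv4 address (a simplification; the real script's exact
    input form is not given on this page)."""
    return hashlib.md5(f"{salt}{prefix}".encode()).hexdigest()


# --- constructed sample data standing in for the embedded hash list --------
# The analyst never uses _DEMO_SALT directly; it only exists to build the
# digest set, the way the real script shipped digests without the salt.
_DEMO_SALT = "monlam2024"                      # hypothetical salt
DEMO_TARGET_PREFIXES = ["203.0", "198.51", "192.0"]  # documentation ranges
EMBEDDED_HASHES = {fingerprint(_DEMO_SALT, p) for p in DEMO_TARGET_PREFIXES}

# Constructed wordlist an analyst might assemble from strings seen in the
# script, the site, and the campaign theme. The real salt space is unknown.
SALT_CANDIDATES = ["festival", "tibet", "monlam2024", "kagyu"]


def candidate_prefixes():
    """Every 'a.b' /16 prefix in unicast space (1.0 .. 223.255)."""
    for a in range(1, 224):          # skip 0.x and multicast/reserved 224+
        for b in range(256):
            yield f"{a}.{b}"


def recover_targets(hashes, salt_candidates):
    """Brute-force the salt: for each candidate, hash every /16 prefix and
    keep the ones whose digest appears in the embedded list. Returns the
    first salt that explains at least one digest and the prefixes it
    reveals; (None, []) if no candidate matches."""
    for salt in salt_candidates:
        hits = [p for p in candidate_prefixes() if fingerprint(salt, p) in hashes]
        if hits:
            hits.sort(key=lambda p: tuple(int(x) for x in p.split(".")))
            return salt, hits
    return None, []


def is_targeted(ip: str, salt: str, hashes) -> bool:
    """Re-implementation of the assumed client-side check, useful to confirm
    a recovered salt against an address known to have received the payload."""
    a, b, *_ = ip.split(".")
    return fingerprint(salt, f"{a}.{b}") in hashes


if __name__ == "__main__":
    salt, ranges = recover_targets(EMBEDDED_HASHES, SALT_CANDIDATES)
    print("recovered salt:", salt)
    for r in ranges:
        print("targeted range:", f"{r}.0.0/16")
```

The search cost is the product of the salt candidates and the prefix space (about 57,000 hashes per candidate here), which is why a /16 prefix is used for the demonstration; the same loop works for finer prefixes or for a numeric salt space at proportionally higher cost, and because the digest list is a set, checking each hash is constant-time.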

On Windows systems, victims were served a malicious executable that deployed a side-loading chain to load an intermediate downloader, followed by another stage that delivered the Nightdoor backdoor as the final payload. On macOS, a similar downloader was used to execute the same sequence of malicious activity, ultimately leading to the deployment of Nightdoor.

Nightdoor is a newly discovered backdoor that had not been publicly documented before this campaign. It is a sophisticated tool used by the attackers to spy on victims and maintain access to compromised systems. The Evasive Panda APT group's use of Nightdoor in this campaign highlights their advanced capabilities and their ongoing efforts to conduct cyberespionage operations targeting specific individuals and organizations.

In conclusion, the discovery of this cyberespionage campaign targeting Tibetans highlights the ongoing threat posed by sophisticated APT groups like Evasive Panda. The use of watering hole attacks, supply-chain compromises, and custom malware frameworks demonstrates the evolving tactics and techniques employed by malicious actors in cyberspace. ESET researchers continue to monitor and analyze these threats to protect individuals and organizations from cyberattacks.
