(TibetanReview.net, Mar09’24) — A Chinese-backed hacking group, Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly), has launched a cyberespionage campaign targeting Tibetans globally, reported hackread.com Mar 8, citing Antivirus and Internet Security Solutions provider ESET.
The report said the operation, detected in Jan 2024 by ESET researchers, began in Sep 2023 and uses a two-fold attack strategy: Watering hole attacks and spreading backdoor.
A watering hole attack is a cyberattack strategy where hackers compromise websites that their target victims frequently visit. By injecting malicious code into these websites, the attackers can infect the devices of unsuspecting visitors, the report said.
This tactic is said to rely on the trust users have in the compromised websites, leading them to unknowingly download malware or provide sensitive information, making it an effective method for targeting specific groups or organizations.
Backdoor attack involves using any malware/virus/technology to gain unauthorized access to the application/system/network while bypassing all the implemented security measures. Unlike other kinds of viruses/malware, backdoor attack elements reach the core of the targeted application and often drive the aimed resource as a driver or key administrator. It enables the penetrator to make the targeted system work/behave as per their will, and steal crucial data.
Giving a specific instance of the Chinese-backed attack, the report said that Evasive Panda capitalized on the Monlam Festival, a major Tibetan Buddhist event held last winter, by compromising the festival’s website. This “watering hole” attack tricked visitors from specific networks into downloading malware disguised as legitimate software.
Citing a comprehensive technical blog post detailed by ESET, the report said the attackers also compromised the Tibetan news website Tibetpost to distribute malicious payloads, including backdoors for Windows and unknown malware for macOS.
For this purpose, the attackers were stated to have fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several networks in East Asia.
The Evasive Panda attackers have used a mix of known and unknown tools, including the custom-made Windows backdoor “Nightdoor” alongside the previously linked MgBot malware. This variety suggests a well-equipped and resourceful group, the report said.
The backdoored versions of Windows and macOS applications are stated to be hosted on the download page of a legitimate website.
The report said that by exploiting software vulnerabilities and compromising online platforms, Evasive Panda aimed to infiltrate targeted networks. The campaign’s timing, coinciding with the Monlam Festival, were seen as highlighting their attempt to exploit increased online activity during religious events.
The report said the recent discovery of Evasive Panda’s cyber-espionage campaign targeting Tibetans was consistent with previous actions by Chinese hackers; and that these groups have a track record of targeting Tibetan communities. Additionally, similar tactics have been used in the past to target Uyghurs, employing evasive Android malware for their malicious activities, the report noted.