A targeted cyber attack linked to a Chinese threat group has infected visitors to a Buddhist festival website and users of a Tibetan language translation application.
According to new research from ESET, the so-called Evasive Panda hacking team’s campaign of cyber operations began in or before September 2023 and affected systems in India, Taiwan, Australia, the United States and Hong Kong.
As part of the campaign, attackers compromised the websites of an India-based organization that promotes Tibetan Buddhism; a development company that produces Tibetan language translations; and the Tibetpost news website, which then unknowingly hosted malicious programs. Site visitors from specific global geographies have been infected with droppers and backdoors, including the group's favorite, MgBot, as well as a relatively new backdoor program, Nightdoor.
Overall, the group executed an impressive variety of attack vectors in the campaign: an adversary-in-the-middle (AitM) attack via a software update, leveraging a development server; a watering hole; and phishing emails, says ESET researcher Anh Ho, who discovered the attack.
“The fact that they stage both a supply chain attack and a watering hole attack within the same campaign shows the resources they have,” he says. “Nightdoor is quite complex, which is technically significant, but in my opinion Evasive Panda's [most significant] attribute is the variety of attack vectors they were able to execute.”
Evasive Panda is a relatively small team typically focused on surveillance of individuals and organizations in Asia and Africa. The group is associated with attacks on telecommunications companies in 2023, dubbed Operation Tainted Love by SentinelOne, and associated with the Granite Typhoon attribution group, formerly Gallium, by Microsoft. It is also known as Daggerfly by Symantec, and appears to overlap with a cybercriminal and espionage group known by Google Mandiant as APT41.
Watering holes and supply chain compromises
The group, active since 2012, is known for supply chain attacks and using stolen code signing credentials and application updates to infect systems of users in China and Africa in 2023.
In this latest campaign reported by ESET, the group compromised a website for the Tibetan Buddhist festival Monlam to serve a backdoor or downloader tool, and installed payloads on a compromised Tibetan news site, according to the analysis published by ESET.
The group also targeted users by compromising a Tibetan translation software developer with trojanized applications to infect both Windows and macOS systems.
“At this point it is impossible to know exactly what information they are looking for, but when backdoors, Nightdoor or MgBot are used, the victim’s machine is like an open book,” says Ho. “The attacker can access all the information he wants.”
Evasive Panda has targeted individuals within China for surveillance purposes, including people living in mainland China, Hong Kong and Macau. The group also compromised government agencies in China, Macau, and Southeast and East Asian nations.
In the latest attack, the Georgia Institute of Technology was among the organizations attacked in the United States, ESET said in its analysis.
Cyber espionage ties
Evasive Panda has developed its own custom malware framework, MgBot, which implements a modular architecture and has the ability to download add-ons, execute code, and steal data. Among other capabilities, MgBot modules can spy on compromised victims and download additional features.
In 2020, Evasive Panda targeted users in India and Hong Kong using the MgBot downloader to deliver the final payloads, according to Malwarebytes, which links the group to previous attacks in 2014 and 2018.
Nightdoor, a backdoor introduced by the group in 2020, communicates with a command-and-control server to issue commands, load data, and create a reverse shell.
The set of tools, which includes MgBot, used exclusively by Evasive Panda, and Nightdoor, points directly to the China-linked cyber espionage group, ESET’s Ho said in the analysis published by the company.
“ESET attributes this campaign to the Evasive Panda APT group, based on the malware used: MgBot and Nightdoor,” the analysis states. “Over the past two years, we have seen both backdoors deployed together in an unrelated attack against a religious organization in Taiwan, in which they also shared the same command [and] control server.”