A targeted watering-hole cyberattack linked to a Chinese threat group infected visitors to a Buddhism festival website and users of a Tibetan language translation application.
The cyber-operations campaign by the so-called Evasive Panda hacking team began September 2023 or earlier and affected systems in India, Taiwan, Australia, the United States, and Hong Kong, according to new research from ESET.
As part of the campaign, the attackers compromised the websites of an India-based organization that promotes Tibetan Buddhism; a development company that produces Tibetan language translation; and news website Tibetpost, which then unknowingly hosted malicious programs. Visitors to the sites from specific global geographies were infected with droppers and backdoors, including the group’s preferred MgBot as well as a relatively new backdoor program, Nightdoor.
Overall, the group executed an impressive variety of attack vectors in the campaign: an adversary-in-the-middle (AitM) attack via a software update, exploiting a development server; a watering hole; and phishing emails, says ESET researcher Anh Ho, who discovered the attack.
“The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have,” he says. “Nightdoor is quite complex, which is technically significant, but in my opinion Evasive Panda’s [most significant] attribute is the variety of the attack vectors they have been able to perform.”
Evasive Panda is a relatively small team typically focused on the surveillance of individuals and organizations in Asia and Africa. The group is associated with attacks on telecommunications firms in 2023, dubbed Operation Tainted Love by SentinelOne, and associated with the attribution group Granite Typhoon, née Gallium, per Microsoft. It’s also known as Daggerfly by Symantec, and it appears to overlap with a cybercriminal and espionage group known by Google Mandiant as APT41.
Watering Holes and Supply Chain Compromises
The group, active since 2012, is well-known for supply chain attacks and for using stolen code-signing credentials and application updates to infect the systems of users in China and Africa in 2023.
In this latest campaign flagged by ESET, the group compromised a website for the Tibetan Buddhist Monlam festival to serve up a backdoor or downloader tool, and planted payloads on a compromised Tibetan news site, according to ESET’s published analysis.
The group also targeted users by compromising a developer of Tibetan translation software with Trojanized applications to infect both Windows and Mac OS systems.
“At this point, it is impossible to know exactly what information they are after, but when the backdoors — Nightdoor or MgBot — are deployed, the victim’s machine is like an open book,” Ho says. “The attacker can access any information they want.”
Evasive Panda has targeted individuals within China for surveillance purposes, including people living in mainland China, Hong Kong, and Macao. The group has also compromised government agencies in China, Macao, and Southeast and East Asian nations.
In the latest attack, the Georgia Institute of Technology was among the organizations attacked in the United States, ESET stated in its analysis.
Cyber Espionage Ties
Evasive Panda has developed its own custom malware framework, MgBot, that implements a modular architecture and has the ability to download addition components, execute code, and steal data. Among other features, MgBot modules can spy on compromised victims and download additional capabilities.
In 2020, Evasive Panda targeted users in India and Hong Kong using the MgBot downloader to deliver final payloads, according to Malwarebytes, which linked the group to previous attacks in 2014 and 2018.
Nightdoor, a backdoor the group introduced in 2020, communicates with a command-and-control server to issue commands, upload data, and create a reverse shell.
The collection of tools — including MgBot, used exclusively by Evasive Panda, and Nightdoor — directly points to the China-linked cyber-espionage group, ESET’s Ho stated in the firm’s published analysis.
“ESET attributes this campaign to the Evasive Panda APT group, based on the malware that was used: MgBot and Nightdoor,” the analysis stated. “Over the past two years, we have seen both backdoors deployed together in an unrelated attack against a religious organization in Taiwan, in which they also shared the same command [and] control server.”
