
A targeted watering-hole cyberattack linked to a Chinese threat group infected visitors to a Buddhism festival website and users of a Tibetan language translation application.

The cyber-operations campaign by the so-called Evasive Panda hacking team began September 2023 or earlier and affected systems in India, Taiwan, Australia, the United States, and Hong Kong, according to new research from ESET.

As part of the campaign, the attackers compromised the websites of an India-based organization that promotes Tibetan Buddhism; a development company that produces Tibetan language translation software; and the news website Tibetpost, which then unknowingly hosted malicious programs. Visitors to the sites from specific geographic regions were infected with droppers and backdoors, including the group's preferred MgBot as well as a relatively new backdoor program, Nightdoor.

Overall, the group executed an impressive variety of attack vectors in the campaign: an adversary-in-the-middle (AitM) attack via a software update, exploiting a development server; a watering hole; and phishing emails, says ESET researcher Anh Ho, who discovered the attack.

"The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have," he says. "Nightdoor is quite complex, which is technically significant, but in my opinion Evasive Panda's [most significant] attribute is the variety of the attack vectors they have been able to perform."

Evasive Panda is a relatively small team typically focused on the surveillance of individuals and organizations in Asia and Africa. The group is associated with attacks on telecommunications firms in 2023, dubbed Operation Tainted Love by SentinelOne, and with the group Microsoft tracks as Granite Typhoon, née Gallium. It's also known as Daggerfly by Symantec, and it appears to overlap with a cybercriminal and espionage group that Google Mandiant tracks as APT41.

Watering Holes and Supply Chain Compromises

The group, active since 2012, is well-known for supply chain attacks and for using stolen code-signing credentials and application updates to infect the systems of users in China and Africa in 2023.

In this latest campaign flagged by ESET, the group compromised a website for the Tibetan Buddhist Monlam festival to serve up a backdoor or downloader tool, which then downloaded planted payloads from a compromised Tibetan news site, according to ESET's published analysis.

The group also targeted users by compromising a developer of Tibetan translation software and distributing Trojanized applications that infect both Windows and macOS systems.

"At this point, it is impossible to know exactly what information they are after, but when the backdoors — Nightdoor or MgBot — are deployed, the victim's machine is like an open book," Ho says. "The attacker can access any information they want."

Evasive Panda has targeted individuals within China for surveillance purposes, including people living in mainland China, Hong Kong, and Macao. The group has also compromised government agencies in China, Macao, and Southeast and East Asian nations.

In the latest attack, the Georgia Institute of Technology was among the organizations attacked in the United States, ESET stated in its analysis.

Cyber Espionage Ties

Evasive Panda has developed its own custom malware framework, MgBot, which implements a modular architecture and can download additional components, execute code, and steal data. Among other features, MgBot modules can spy on compromised victims and download additional capabilities.

In 2020, Evasive Panda targeted users in India and Hong Kong using the MgBot downloader to deliver final payloads, according to Malwarebytes, which linked the group to previous attacks in 2014 and 2018.

Nightdoor, a backdoor the group introduced in 2020, communicates with a command-and-control server to issue commands, upload data, and create a reverse shell.

The collection of tools — including MgBot, used exclusively by Evasive Panda, and Nightdoor — directly points to the China-linked cyber-espionage group, ESET's Ho stated in the firm's published analysis.

"ESET attributes this campaign to the Evasive Panda APT group, based on the malware that was used: MgBot and Nightdoor," the analysis stated. "Over the past two years, we have seen both backdoors deployed together in an unrelated attack against a religious organization in Taiwan, in which they also shared the same command [and] control server."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
