China-aligned hackers exploit religious festival to spy on global Tibetans
ESET Research has uncovered a cyberespionage campaign that abused a religious gathering, the Monlam Festival, to spy on Tibetans in several countries. ESET attributes the operation with high confidence to the China-aligned Evasive Panda advanced persistent threat (APT) group.
The attackers compromised the website of the festival's organizer in India and planted malicious code, turning the site into a watering hole that served its payload only to visitors connecting from particular networks. ESET also found that the group compromised a software developer's supply chain and served trojanized installers to both Windows and macOS users.
The toolset included several malicious downloaders and full-featured backdoors, among them a previously undocumented Windows backdoor that ESET named Nightdoor. The campaign targeted users in India, Taiwan, Hong Kong, Australia, and the United States, including Georgia Tech.
Anh Ho, the ESET researcher who discovered the cyber intrusion, stated, "The attackers fielded several downloaders, droppers, and backdoors, including MgBot — which is exclusive to Evasive Panda — and Nightdoor, the latest significant addition to the group's toolkit that has been used to target several networks in East Asia. The Nightdoor backdoor, used in the supply-chain attack, is a recent addition to Evasive Panda's repertoire."
According to Ho, the earliest version of Nightdoor that ESET could trace dates to 2020, when Evasive Panda deployed it on the machine of a high-profile target in Vietnam. Following the discovery, ESET asked Google to take down the account tied to the authorization token the backdoor uses.
Evasive Panda, also known as BRONZE HIGHLAND or Daggerfly, is a Chinese-speaking, China-aligned APT group active since at least 2012. ESET Research has observed it conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria; against government entities in Southeast and East Asia, specifically China, Macao, Myanmar, the Philippines, Taiwan, and Vietnam; and against other organizations in China and Hong Kong.
The group uses a custom malware framework with a modular architecture: its MgBot backdoor receives modules that extend its espionage capabilities. ESET has also observed, since 2020, that Evasive Panda can deliver its backdoors through adversary-in-the-middle attacks that hijack the update traffic of legitimate software.
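Update hijacking of the kind described above works against clients that trust whatever arrives over the update channel. The following Go program is an added example, not code from ESET or from any vendor named on this page, of the check an update client needs so that a substituted installer is rejected even when the transport itself is intercepted: the vendor signs a manifest naming the installer's SHA-256 digest, and the client verifies that signature under a pinned Ed25519 public key before comparing the digest. The manifest format, product name, installer bytes and the runtime-generated key pair (standing in for a key pinned at build time) are all constructed assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata an update server publishes next to the installer.
// The format is a hypothetical one chosen for this example.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignManifest is the vendor-side step: hash the installer, build the
// manifest and sign it with the vendor's Ed25519 private key.
func SignManifest(priv ed25519.PrivateKey, product, version string, installer []byte) ([]byte, []byte, error) {
	sum := sha256.Sum256(installer)
	manifestJSON, err := json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client-side check. It accepts the update only if
// (1) the manifest verifies under the pinned vendor public key and
// (2) the downloaded installer hashes to the digest named in that signed
// manifest. An adversary in the middle who rewrites the manifest, the
// signature or the installer cannot satisfy both checks without the vendor's
// private key, even if the update is fetched over plain HTTP.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer digest does not match signed manifest: refusing update")
	}
	return &m, nil
}

// Outcome summarises the three scenarios exercised by Demo.
type Outcome struct {
	GenuineAccepted          bool // untouched manifest and installer
	SwappedInstallerRejected bool // installer replaced in transit, manifest untouched
	EditedManifestRejected   bool // manifest edited to name the swapped installer's hash
}

// Demo runs the vendor and client sides end to end on constructed sample data.
func Demo() (Outcome, error) {
	var out Outcome
	// A real client pins the vendor's public key at build time; generating a
	// pair here is an assumption that stands in for that.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuine := []byte("constructed sample installer bytes, ExampleApp 2.1.0")
	manifest, sig, err := SignManifest(priv, "ExampleApp", "2.1.0", genuine)
	if err != nil {
		return out, err
	}
	_, err = VerifyUpdate(pub, manifest, sig, genuine)
	out.GenuineAccepted = err == nil

	// Scenario 1: the attacker swaps the binary but leaves the manifest alone,
	// so the digest check fails.
	trojanized := []byte("constructed sample installer bytes, ExampleApp 2.1.0 + backdoor")
	_, err = VerifyUpdate(pub, manifest, sig, trojanized)
	out.SwappedInstallerRejected = err != nil

	// Scenario 2: the attacker also edits the manifest to carry the trojanized
	// file's hash. The digest now matches, but the signature no longer does.
	forgedSum := sha256.Sum256(trojanized)
	forged, _ := json.Marshal(Manifest{Product: "ExampleApp", Version: "2.1.0", SHA256: hex.EncodeToString(forgedSum[:])})
	_, err = VerifyUpdate(pub, forged, sig, trojanized)
	out.EditedManifestRejected = err != nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point of signing the manifest rather than the installer directly is that the client can reject a bad download before reading a large file, and a version field in the signed manifest also lets a client refuse rollbacks to an older, vulnerable release; TLS on the update channel is still worth having, but it is not a substitute for this check once an attacker sits on the path.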