The China-linked threat actor known as Evasive Panda has been behind watering hole and supply chain attacks targeting Tibetan users since at least September 2023.
The objective of the attacks is to distribute malicious downloaders for Windows and macOS that deploy a backdoor called MgBot and a new Windows implant known as Nightdoor.
ESET revealed that the attackers compromised three websites for the watering-hole attacks and infiltrated a Tibetan software company’s supply chain. The operation was uncovered in January 2024.
Also tracked as Bronze Highland and Daggerfly, Evasive Panda has been active since 2012 and was previously reported for targeting an NGO in Mainland China with MgBot.
A report by Symantec in April 2023 also linked Evasive Panda to a cyber espionage campaign aimed at telecom service providers in Africa since November 2022.
The latest cyber attacks involved compromising the Kagyu International Monlam Trust’s website (“www.kagyumonlam[.]org”).
ESET researchers explained, “The attackers added a script to the website that checks potential victims’ IP addresses and displays a fake error page encouraging users to download a ‘fix’ named certificate.”
The malicious downloader deployed in this attack is designed to target users in India, Taiwan, Hong Kong, Australia, and the U.S., with a specific focus on the Tibetan community.
The executable, named “certificate.exe” for Windows and “certificate.pkg” for macOS, serves as a delivery mechanism for the Nightdoor implant, which uses the Google Drive API for command-and-control (C2).
In addition, Evasive Panda compromised an Indian software company’s website (“monlamit[.]com”) to distribute trojanized installers of Tibetan language translation software in September 2023.
Researchers stated, “The attackers used the same website and a Tibetan news website, tibetpost[.]net, to host malicious payloads, including backdoors for Windows and macOS.”
The trojanized Windows installer initiates a complex attack sequence to deploy MgBot or Nightdoor, with signs of activity dating back to 2020.
The backdoor includes features to collect system information, list installed apps, spawn a reverse shell, and conduct file operations.
ESET mentioned, “The attackers used various downloaders, droppers, and backdoors, including MgBot and Nightdoor, to target networks in East Asia.”