ESET unveils cyberespionage campaign exploiting Monlam festival to target Tibetans

(BRIEF) ESET researchers have exposed a sophisticated cyberespionage campaign targeting Tibetans in several countries and territories, taking advantage of the Monlam Festival, an important religious event. The operation, attributed to the China-aligned Evasive Panda Advanced Persistent Threat (APT) group, combined a watering-hole attack, which compromised the festival organizer’s website in India, with a supply-chain compromise involving trojanized installers of Tibetan language translation software. The attackers deployed malicious downloaders and backdoors, including the new Nightdoor backdoor, with the aim of infiltrating target networks mainly in India, Taiwan, Hong Kong, Australia, and the United States. ESET’s discovery sheds light on the evolving tactics of APT groups and highlights the importance of robust cybersecurity measures to protect against such threats.

(PRESS RELEASE) BRATISLAVA, March 8, 2024 — /EuropaWire/ — ESET researchers have exposed a cyberespionage campaign that, since at least September 2023, has been victimizing Tibetans through a targeted watering-hole attack (also known as a strategic web compromise) and a supply-chain compromise delivering trojanized installers of Tibetan language translation software. The attackers intended to deploy malicious downloaders for Windows and macOS to compromise website visitors with MgBot, as well as a backdoor that had not yet been publicly documented; ESET named it Nightdoor. The campaign by the China-aligned Evasive Panda APT group took advantage of the Monlam Festival, a religious gathering, to target Tibetans in various countries and territories. The targeted networks were located in India, Taiwan, Hong Kong, Australia, and the United States.

ESET discovered the cyberespionage operation in January 2024. The compromised website used as a watering hole (in a watering-hole attack, the attacker infects a website that the intended victims are likely to visit) belongs to the Kagyu International Monlam Trust, an India-based organization that promotes Tibetan Buddhism internationally. The attack may have been intended to capitalize on international interest in the Kagyu Monlam festival held annually in January in the city of Bodhgaya, India. The Georgia Institute of Technology (also known as Georgia Tech) network in the United States is one of the entities identified in the targeted IP address ranges. In the past, the university was discussed in relation to the influence of the Chinese Communist Party on educational institutions in the United States.

Around September 2023, the attackers compromised the website of an India-based software development company that produces Tibetan language translation software. The attackers placed several trojanized applications there that deploy a malicious downloader for Windows or macOS.

In addition, the attackers also abused the same website and a Tibetan news site called Tibetpost to host the payloads retrieved by the malicious downloads, including two full-featured backdoors for Windows and an unknown number of payloads for macOS.

“The attackers deployed several downloaders, droppers, and backdoors, including MgBot, which is used exclusively by Evasive Panda, and Nightdoor, the latest major addition to the group’s toolkit, which has been used to target networks in East Asia,” explains Anh Ho, the ESET researcher who discovered the attack. “The backdoor used in the supply-chain attack, Nightdoor, is a recent addition to the Evasive Panda toolkit. The first version of Nightdoor that we were able to find was from 2020, when Evasive Panda deployed it on the device of a high-profile target in Vietnam. We have requested the removal of the Google account associated with its authorization token,” Ho adds.

With high confidence, ESET attributes this campaign to the Evasive Panda APT group, based on the malware used: MgBot and Nightdoor. In the past two years, ESET observed the two backdoors deployed together in an unrelated attack against a religious organization in Taiwan, in which they also shared the same command-and-control server.

Evasive Panda (also known as BRONZE HIGHLAND or Daggerfly) is a Chinese-speaking, China-aligned APT group that has been active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. Government entities have been targeted in Southeast and East Asia, specifically in China, Macao, Myanmar, the Philippines, Taiwan, and Vietnam. Other organizations in China and Hong Kong were also targeted. The group has also targeted unknown entities in Hong Kong, India, and Malaysia.

The group uses its own custom malware framework with a modular architecture that allows its backdoor, MgBot, to receive modules to spy on its victims and extend its capabilities. Since 2020, ESET has also observed that Evasive Panda has the ability to deliver its backdoors through adversary-in-the-middle attacks that hijack legitimate software updates.

For more technical information on the latest malicious campaign by the Evasive Panda group, read the blog post “Evasive Panda leverages Monlam Festival to target Tibetans” on WeLiveSecurity.com. Be sure to follow ESET Research on Twitter (now known as X) for the latest ESET Research news.

About ESET

For more than 30 years, ESET® has been developing IT security software and services to protect businesses, critical infrastructure, and consumers around the world from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, encryption, and multi-factor authentication, ESET’s high-performing, easy-to-use solutions discreetly protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require a scalable IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers.

SOURCE: ESET, spol. s. r. o.
