China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks

The nation-state group compromised the website of a Tibetan festival and a software application to target user systems in Asia.
March 7, 2024
A targeted watering-hole cyberattack linked to a Chinese threat group infected visitors to a Buddhism festival website and users of a Tibetan language translation application.
The cyber-operations campaign by the so-called Evasive Panda hacking team began September 2023 or earlier and affected systems in India, Taiwan, Australia, the United States, and Hong Kong, according to new research from ESET.
As part of the campaign, the attackers compromised the websites of an India-based organization that promotes Tibetan Buddhism; a development company that produces Tibetan language translation software; and the news website Tibetpost, which then unknowingly hosted malicious programs. Visitors to the sites from specific geographies were infected with droppers and backdoors, including the group's preferred MgBot as well as a relatively new backdoor program, Nightdoor.
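The watering-hole stage described above works by adding content to a legitimate site that its owners never put there. A site owner's counterpart is a content-integrity check against a known-clean baseline. The script below is an added example written for this article, not code from ESET or from any of the compromised sites; the HTML, the allowed hosts and the baseline inline-script hash are all constructed, and the injected script host `cdn.attacker-controlled.invalid` is a placeholder.

```python
"""Content-integrity check for a site you operate, to catch watering-hole injections.

Added example (not from the ESET report or the article). It fetches nothing: the
HTML below is constructed. It compares every external script/iframe host and the
SHA-256 of every inline script against a baseline recorded when the site was clean.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (tag, src) for <script>/<iframe> with a src attribute
        self.inline = []        # text of each inline <script> block
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.external.append((tag, a["src"]))
        elif tag == "script":
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw text, possibly in several chunks
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def inline_hash(code):
    """Whitespace-trimmed SHA-256 of an inline script body, used as the baseline key."""
    return hashlib.sha256(code.strip().encode()).hexdigest()


def audit_page(html, allowed_hosts, baseline_inline_hashes):
    """Return a list of findings; an empty list means the page matches the baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.external:
        host = urlparse(src).netloc.lower()
        # relative paths have no netloc and are served by the site itself;
        # protocol-relative "//host/x" still yields a netloc and is checked
        if host and host not in allowed_hosts:
            findings.append(f"unexpected external {tag} from {host}: {src}")
    for code in parser.inline:
        digest = inline_hash(code)
        if digest not in baseline_inline_hashes:
            findings.append(f"inline script not in baseline (sha256 {digest[:12]}...)")
    return findings


# --- constructed baseline and sample page ---
KNOWN_GOOD_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE = {inline_hash(KNOWN_GOOD_INLINE)}
ALLOWED = {"festival.example", "static.festival.example"}

SAMPLE_HTML = f"""
<html><head>
<script src="https://static.festival.example/app.js"></script>
<script>{KNOWN_GOOD_INLINE}</script>
<script src="https://cdn.attacker-controlled.invalid/loader.js"></script>
<script>/* constructed: inline block that was not in the recorded baseline */</script>
</head><body>festival schedule</body></html>
"""

if __name__ == "__main__":
    for line in audit_page(SAMPLE_HTML, ALLOWED, BASELINE):
        print("FINDING:", line)
```

Run it on a periodic fetch of your own pages; the two findings it produces on the sample are an external loader from a host outside the allowlist and an inline block whose hash is not in the baseline, which are the two shapes a watering-hole injection usually takes. Geo-targeted delivery, as in this campaign, means the monitor should fetch from the same regions the attackers are interested in, or the injected content may not be served to it.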
Overall, the group executed an impressive variety of attack vectors in the campaign: an adversary-in-the-middle (AitM) attack via a software update, exploiting a development server; a watering hole; and phishing emails, says ESET researcher Anh Ho, who discovered the attack.
"The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have," he says. "Nightdoor is quite complex, which is technically significant, but in my opinion Evasive Panda's [most significant] attribute is the variety of the attack vectors they have been able to perform."
Evasive Panda is a relatively small team typically focused on the surveillance of individuals and organizations in Asia and Africa. The group is associated with attacks on telecommunications firms in 2023, dubbed Operation Tainted Love by SentinelOne, and with the group Microsoft tracks as Granite Typhoon (formerly Gallium). It is also known as Daggerfly by Symantec, and it appears to overlap with a cybercriminal and espionage group known by Google Mandiant as APT41.
The group, active since 2012, is well-known for supply chain attacks and for using stolen code-signing credentials and application updates to infect the systems of users in China and Africa in 2023.
In this latest campaign flagged by ESET, the group compromised a website for the Tibetan Buddhist Monlam festival to serve up a backdoor or downloader tool, which then downloaded planted payloads from a compromised Tibetan news site, according to ESET's published analysis.
The group also targeted users by compromising a developer of Tibetan translation software with Trojanized applications to infect both Windows and macOS systems.
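The supply-chain leg of the campaign relies on a client accepting whatever its update channel hands it. A client that pins its download host, refuses rollbacks and checks the artifact against a digest obtained independently of the download server limits what an adversary-in-the-middle on that channel can achieve. The code below is an added example, not the translation vendor's updater or any ESET tooling; `updates.vendor.example`, the artifact bytes and the manifest are all constructed.

```python
"""Client-side update verification as defence in depth against a hijacked update channel.

Added example; not the vendor's or ESET's code. Assumptions: the client hard-codes the
host it may download from, and it obtains the expected SHA-256 of each release from a
manifest it trusts independently of the download server (e.g. fetched over a separate
channel or embedded in a signed release note).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

PINNED_HOSTS = {"updates.vendor.example"}   # assumption: baked into the client


@dataclass
class UpdateCheck:
    ok: bool
    reasons: list = field(default_factory=list)


def parse_version(v):
    """'2.1.0' -> (2, 1, 0); tuples compare correctly, strings do not."""
    return tuple(int(x) for x in v.split("."))


def verify_update(url, artifact, manifest, installed_version):
    """Run every check and report all failures rather than stopping at the first.

    manifest: {"version": "x.y.z", "sha256": hex digest of the expected artifact}
    """
    reasons = []
    u = urlparse(url)
    # 1. transport pinning: plain HTTP or an unexpected host is where an AitM swap happens
    if u.scheme != "https" or u.netloc.lower() not in PINNED_HOSTS:
        reasons.append(f"download source not pinned: {url}")
    # 2. monotonic versions: a replayed older (vulnerable) release is rejected
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        reasons.append(f"refusing rollback: {manifest['version']} <= {installed_version}")
    # 3. content check: the bytes must match the digest from the independent manifest
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"].lower()):
        reasons.append("artifact digest does not match manifest")
    return UpdateCheck(ok=not reasons, reasons=reasons)


# --- constructed release data ---
GOOD_ARTIFACT = b"constructed update payload for release 2.1.0"
MANIFEST = {"version": "2.1.0", "sha256": hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00trojanized"   # constructed: bytes swapped in transit
GOOD_URL = "https://updates.vendor.example/tibetan-translate/2.1.0.pkg"
HIJACKED_URL = "http://mirror.attacker-controlled.invalid/2.1.0.pkg"

if __name__ == "__main__":
    print(verify_update(GOOD_URL, GOOD_ARTIFACT, MANIFEST, "2.0.3"))
    print(verify_update(HIJACKED_URL, TAMPERED_ARTIFACT, MANIFEST, "2.0.3"))
```

The digest check is the one that matters most in the scenario described here: the article notes the group has used stolen code-signing credentials before, so a valid signature on the package is not by itself proof that the vendor built it. A digest published through a path the download server cannot influence gives the client a second, independent source of truth.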
"At this point, it is impossible to know exactly what information they are after, but when the backdoors — Nightdoor or MgBot — are deployed, the victim's machine is like an open book," Ho says. "The attacker can access any information they want."
Evasive Panda has targeted individuals within China for surveillance purposes, including people living in mainland China, Hong Kong, and Macao. The group has also compromised government agencies in China, Macao, and Southeast and East Asian nations.
In the latest attack, the Georgia Institute of Technology was among the organizations attacked in the United States, ESET stated in its analysis.
Evasive Panda has developed its own custom malware framework, MgBot, which implements a modular architecture and can download additional components, execute code, and steal data. Among other features, MgBot modules can spy on compromised victims and download additional capabilities.
In 2020, Evasive Panda targeted users in India and Hong Kong using the MgBot downloader to deliver final payloads, according to Malwarebytes, which linked the group to previous attacks in 2014 and 2018.
Nightdoor, a backdoor the group introduced in 2020, communicates with a command-and-control server to issue commands, upload data, and create a reverse shell.
The collection of tools — including MgBot, used exclusively by Evasive Panda, and Nightdoor — directly points to the China-linked cyber-espionage group, ESET's Ho stated in the firm's published analysis.
"ESET attributes this campaign to the Evasive Panda APT group, based on the malware that was used: MgBot and Nightdoor," the analysis stated. "Over the past two years, we have seen both backdoors deployed together in an unrelated attack against a religious organization in Taiwan, in which they also shared the same command [and] control server."
Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.