Chinese Evasive Panda Targets Tibetans with Nightdoor Backdoor

Cybersecurity researchers at ESET identified the cyberespionage campaign, highlighting how hackers compromised both the Tibetan news website Tibetpost and the website of the Monlam Festival, a significant event in Tibetan Buddhism.

A Chinese-backed hacking group, Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly), has launched a cyberespionage campaign targeting Tibetans globally. The operation, detected in January 2024 by ESET researchers, began in September 2023 and uses a two-fold attack strategy: Watering hole attacks and spreading backdoor.

****What is a Watering hole attack?****

A watering hole attack is a cyberattack strategy where hackers compromise websites that their target victims frequently visit. By injecting malicious code into these websites, the attackers can infect the devices of unsuspecting visitors.

This tactic relies on the trust users have in the compromised websites, leading them to unknowingly download malware or provide sensitive information, making it an effective method for targeting specific groups or organizations.

****Exploiting Religious Gatherings and Software Downloads****

Evasive Panda capitalized on the Monlam Festival, a major Tibetan Buddhist event, by compromising the festival’s website. This “watering hole” attack tricked visitors from specific networks into downloading malware disguised as legitimate software.

As detailed in ESET’s comprehensive technical blog post, the attackers also compromised the Tibetan news website Tibetpost to distribute malicious payloads, including backdoors for Windows and unknown malware for macOS.

The attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several networks in East Asia.

ESET

****Sophisticated Arsenal for Network Infiltration****

The attackers used a mix of known and unknown tools, including the custom-made Windows backdoor “Nightdoor” alongside the previously linked MgBot malware. This variety suggests a well-equipped and resourceful group.

The backdoored versions of Windows and macOS applications are hosted on the download page of a legitimate website (ESET)

****Targeting Specifics and Exploiting Opportunities****

By exploiting software vulnerabilities and compromising online platforms, Evasive Panda aimed to infiltrate targeted networks. The campaign’s timing, coinciding with the Monlam Festival, highlights their attempt to exploit increased online activity during religious events.

The recent discovery of Evasive Panda’s cyber-espionage campaign targeting Tibetans is consistent with previous actions by Chinese hackers. These groups have a track record of targeting Tibetan communities. Additionally, similar tactics have been used in the past to target Uyghurs, employing evasive Android malware for their malicious activities.

1. Android Trojan Virus Attack on Tibetan Activists
2. Chinese Group ‘Admin338’ Use DropBox To Deliver Their Payload
3. Chinese facial recognition database tracking Muslims left exposed
4. Android malware HenBox hits Xiaomi devices, Chinese minority group
5. Chinese Hackers Were Spying on Taiwan Prior To Upcoming Elections