Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs
March 8, 2024
Rewterz Threat Advisory – Multiple Jenkins Plugins Vulnerabilities
March 8, 2024
March 8, 2024
Severity
High
Analysis Summary
The state-backed Chinese threat actor tracked as Evasive Panda has been launching supply chain and watering hole attacks on Tibetan users since at least September 2023 to deliver malicious downloaders that deploy a backdoor named MgBot and a Windows implant called Nightdoor.
“The attackers aimed to deploy malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a backdoor that, to the best of our knowledge, has not been publicly documented yet; we have named it Nightdoor,” reported the security analysts.
It has come to light that the threat actors have compromised at least three websites to perform watering hole and supply chain attacks on a Tibetan software company. This cyber operation was uncovered in January 2024. The threat group, Evasive Panda (aka Bronze Highland and Daggerfly), has been active since 2012 but was reported by a cybersecurity firm in April 2023 when it targeted an international non-governmental organization (NGO) using MgBot in Mainland China. Another report linked the APT group to a cyber-espionage campaign focused on infiltrating African telecommunication service providers since November 2022.

The latest attack shows the strategic compromise of the Kagyu International Monlam Trust’s website, in which the threat group deployed a script that verifies the IP addresses of potential victims. Once a victim is identified, the script shows a fake error page to lure the unsuspecting user into downloading a “fix” named “certificate”. This file is a malicious downloader responsible for deploying the next stage in the attack chain.
The IP address check implies that the attack is designed to specifically target users in Taiwan, India, Australia, Hong Kong, and the U.S. Researchers suspect that Evasive Panda also capitalized on the Kagyu Monlam Festival, which takes place in India every year, in late January and February 2024 to target the Tibetan community in various territories and countries. The executable file is named “certificate.exe” on Windows and “certificate.pkg” on macOS. It is used as a launchpad to load the Nightdoor implant, which later uses the Google Drive API for command-and-control (C2) purposes.
Additionally, the campaign infiltrated an Indian software company’s website and supply chain to propagate trojanized Windows and macOS installers of Tibetan language translation software. This breach happened in September 2023. The threat actors have also abused the Tibetan news website “Tibetpost” to host the payloads fetched by the malicious installers, including two fully featured backdoors for Windows and an unknown number of payloads for macOS.
The trojanized Windows installer triggers an advanced multi-stage attack sequence that drops either Nightdoor or MgBot. The backdoor offers many capabilities, such as harvesting system information, listing installed applications and running processes, performing file operations, spawning a reverse shell, and uninstalling itself from the infected system. The group has multiple droppers, downloaders, and backdoors in its arsenal, and is focused on adding more sophisticated tools to target various networks in East Asia.
Impact
- Cyber Espionage
- Unauthorized Access
- Exposure to Sensitive Data
Indicators of Compromise
MD5
- 9f27e0798271b590a01463d4543df2ea
- 4c504e0ef91fc66a6d6c4e3d6b10fa18
- d93af224d9e9a5172bb9ba5104e24a45
- eef23748ed175760f9c70871252a11f3
SHA-256
- 419311167faeee927763b67ce00dbd4491f18bb0dbac9236621faec9e6422fa9
- 88b0ee7273a91d92c3570dbc67896e15b53ca118d2b45e49a3489605cc26bf24
- 3e92f35c3818be05033b9f6716fe4fc30d5a68f6e412422ad7c68c85d4451ae4
- a0fe56ec6eb5cc433fdc9e3537e49b45c90ffe8df409a0f1b5844bc253d209ba
SHA-1
- 0a88c3b4709287f70ca2549a29353a804681ca78
- fa44028115912c95b5efb43218f3c7237d5c349f
- 5e5274c7d931c1165aa592cdc3bfceb4649f1ff7
- 8a389afe1f85f83e340ca9dfc0005d904799d44c
Domain Name
- update.devicebug.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Ensure that all software, particularly software from third-party vendors, is obtained from trusted sources and that updates are obtained from the vendor’s official website or app store.
- Conduct regular security assessments and audits of all software, especially software that handles sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.
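The IOC search and log monitoring recommended above can be scripted; the following Python is an added example written for this advisory, not Rewterz's or the researchers' tooling. It hashes files with all three algorithms the advisory lists, matches the digests against the published hashes, and flags DNS log lines that resolve the listed C2 domain or any subdomain of it. The log lines at the bottom are constructed samples; the indicators themselves are copied from the IOC section.

```python
import hashlib
import re

# Hash and domain indicators copied from this advisory's IOC section.
IOC_HASHES = {
    "md5": {"9f27e0798271b590a01463d4543df2ea", "4c504e0ef91fc66a6d6c4e3d6b10fa18",
            "d93af224d9e9a5172bb9ba5104e24a45", "eef23748ed175760f9c70871252a11f3"},
    "sha1": {"0a88c3b4709287f70ca2549a29353a804681ca78", "fa44028115912c95b5efb43218f3c7237d5c349f",
             "5e5274c7d931c1165aa592cdc3bfceb4649f1ff7", "8a389afe1f85f83e340ca9dfc0005d904799d44c"},
    "sha256": {"419311167faeee927763b67ce00dbd4491f18bb0dbac9236621faec9e6422fa9",
               "88b0ee7273a91d92c3570dbc67896e15b53ca118d2b45e49a3489605cc26bf24",
               "3e92f35c3818be05033b9f6716fe4fc30d5a68f6e412422ad7c68c85d4451ae4",
               "a0fe56ec6eb5cc433fdc9e3537e49b45c90ffe8df409a0f1b5844bc253d209ba"},
}
IOC_DOMAINS = {"update.devicebug.com"}

def _digest(chunks):
    """Feed byte chunks through MD5, SHA-1 and SHA-256 in one pass; return hex digests."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def hash_bytes(data):
    return _digest([data])

def hash_file(path, chunk_size=1 << 20):
    # Streamed so that large installers are never read into memory at once.
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""))

def match_hashes(digests):
    """Return [(algo, digest)] for every digest that is a listed indicator (case-insensitive)."""
    return [(a, digests[a].lower()) for a in IOC_HASHES if digests.get(a, "").lower() in IOC_HASHES[a]]

def match_log_lines(lines):
    """Return (line_no, host) for lines that name an IOC domain or a subdomain of it."""
    host_re = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
    hits = []
    for no, line in enumerate(lines, 1):
        for host in (h.lower() for h in host_re.findall(line)):
            if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((no, host))
                break
    return hits

# Constructed sample DNS log lines (not from the advisory) for trying the matcher.
SAMPLE_DNS_LOG = ["2024-03-01 10:02:11 ws17 query A update.devicebug.com",
                  "2024-03-01 10:02:12 ws17 query A cdn.example.org"]
```

To sweep a host, apply `match_hashes(hash_file(path))` to each file under the directories of interest (for example via `os.walk`) and feed exported DNS or proxy logs line by line to `match_log_lines`.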
By implementing these measures, organizations can reduce their risk of falling victim to a supply chain attack like the one used by the Evasive Panda APT group. Additionally, it is essential to stay up-to-date with the latest security trends and threat intelligence and to continuously adapt and improve security measures to stay ahead of evolving threats.