Evasive Panda Cyber Attacks: Threat Actor Targets Tibetans
Cybersecurity experts at ESET have come across a malicious campaign that targets Tibetans in many countries by leveraging the website of a religious gathering. Evasive Panda cyber attacks are associated with a China-linked Advanced Persistent Threat (APT) actor.
The development comes days after the MoqHao cybersecurity threat, which was also linked to Chinese hackers belonging to Roaming Mantis. The website of the Monlam Festival, an annual religious event, was compromised by injecting malicious code into it, turning it into a watering-hole attack. The target audience of the Evasive Panda cyber attacks was located in Hong Kong, India, Australia, Taiwan, and the United States.
In this article, we go into detail on the watering-hole attacks and supply chain cyber attacks by Evasive Panda and the cyber espionage techniques used by this advanced persistent threat (APT) actor.
Evasive Panda Background
Evasive Panda has been on the scene since 2012. The advanced persistent threat (APT) group is linked with the Chinese government and has conducted several attacks on government entities in the Philippines, Taiwan, Myanmar, and Vietnam. These Evasive Panda cyber attacks align with the geopolitical interests of China.
Cyber Espionage Techniques by Evasive Panda
The cyber espionage campaign started last September and targets Tibetans with trojanized language translation software. This software is available for both Windows and macOS. Apart from the software, these cyber attacks also include the compromise of the website of a religious gathering that takes place in India every year.
Researchers were able to attribute the cyber attacks to China-linked hackers because the malware tactics of Evasive Panda matched its earlier attacks on networks in East Asia. The researchers said that Evasive Panda most likely intended to take advantage of the Monlam Festival, which occurs in Bodhgaya, India.
Evasive Panda Cyber Attacks Uncovered
Tibetan language translation software developed by an Indian software house was also compromised by Evasive Panda. The end goal of these attacks is to deploy a backdoor, called MgBot or Nightdoor, through malicious downloaders.
ESET’s cybersecurity experts said that at least three websites were compromised by the Evasive Panda attackers for the purpose of carrying out supply chain cyber attacks and watering-hole attacks.
Two executables are used as launchpads for the Evasive Panda cyber attacks: “certificate.exe” for Windows and “certificate.pkg” for macOS. These executables load the Nightdoor implant, which abuses the Google Drive API for its command-and-control traffic. The backdoor has the ability to collect information and perform file operations.
Conclusion
Cyberattacks are rising and becoming more complex with each passing day, and the Evasive Panda cyber attacks are the latest on the list. Falling prey to such attacks can have drastic consequences, such as reputational and monetary damage. Given this, organizations are advised to implement proactive cybersecurity measures to safeguard against such attacks and improve their security posture.
The sources for this piece include articles in The Hacker News and The Record.