A Chinese-linked nation-state group called TAG-112 has compromised Tibetan media and university websites as part of a new cyberespionage campaign designed to facilitate the delivery of post-exploitation Cobalt Strike toolkits for later intelligence gathering.
“The attackers embedded malicious JavaScript into these sites that falsified a TLS certificate error to force visitors to download a disguised security certificate,” Recorded Future’s Insikt Group said.
“This malware, which is often used by threat actors for remote access and post-exploitation, highlights the continued focus of cyber espionage on Tibetan organizations.”
The compromises were attributed to a state-sponsored threat group called TAG-112, which was described as a possible subset of another cluster tracked as The elusive panda (aka Bronze Highland, Daggerfly, StormBamboo and TAG-102) due to tactical overlap and their historical targeting of Tibetan entities.
Two Tibetan community websites that were hacked by a hostile team in late May 2024 are Tibet Post (tibetpost(.)net) and Gyudmed Tantric University (gyudmedtantricuniversity(.)org).
Specifically, it was found that compromised websites were manipulated to force visitors to download a malicious executable disguised as a “security certificate” that downloaded the Cobalt Strike payload upon execution.
The JavaScript that made this possible is said to have been uploaded to the sites, likely exploiting a security vulnerability in their Joomla content management system.
“Malicious JavaScript is triggered by the window.onload event,” Recorded Future reports. “First it checks the user’s operating system and web browser type; this will likely filter out non-Windows operating systems, as this feature will stop the script from running if Windows is not detected.”
The browser information (such as Google Chrome or Microsoft Edge) is then sent to a remote server (update.maskrisks(.)com), which sends back an HTML template that is a modified version of the respective browser TLS certificate error page is usually displayed when there is a problem with the host’s TLS certificate.
The JavaScript, in addition to displaying a fake security certificate warning, automatically triggers the download of the supposed security certificate for the *.dnspod(.)cn domain, but is actually a legitimate signed executable that loads the Cobalt Strike Beacon payload using a DLL. side loading.
At this point, it should be noted that the Tibet Post website has been separately infiltrated by an actor from Evasive Panda in connection with a watering hole and supply chain attack targeting Tibetan users since at least September 2023. The attacks led to the deployment of backdoors known as MgBot and Nightdoor by ESET revealed earlier this March.
Despite this significant tactical crossover, Recorded Future stated that they are keeping different sets of invasions due to the “difference in maturity” between them.
“The activity seen by TAG-112 lacks the sophistication seen by TAG-102,” it said. “For example, TAG-112 does not use JavaScript obfuscation and uses Cobalt Strike, while TAG-102 uses special malware. TAG-112 is likely a subset of TAG-102 operating under the same or similar intelligence requirements.’
