China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks

March 7, 2024 at 05:37AM

A targeted cyber-attack linked to the Evasive Panda hacking team infected visitors to a Buddhism festival website and users of a Tibetan language translation app. The group’s campaign affected systems in India, Taiwan, Australia, the United States, and Hong Kong. Evasive Panda is known for supply chain attacks and has targeted individuals and organizations in Asia and Africa.

The major takeaways from the article are:
1. A targeted watering-hole cyberattack, associated with the Evasive Panda hacking group, infected visitors to a Buddhism festival website and users of a Tibetan language translation application.
2. The attack campaign, which began in September 2023 or earlier, affected systems in India, Taiwan, Australia, the United States, and Hong Kong.
3. The attackers compromised the websites of an India-based organization promoting Tibetan Buddhism, a development company producing Tibetan language translation, and the news website Tibetpost, which then unknowingly hosted malicious programs.
4. The attackers used a variety of attack vectors, including an adversary-in-the-middle (AitM) attack via a software update, exploitation of a development server, a watering hole, and phishing emails.
5. Evasive Panda is a relatively small team focused on the surveillance of individuals and organizations in Asia and Africa. It is associated with the 2023 attacks on telecommunications firms that SentinelOne tracks as Operation Tainted Love, which Microsoft attributes to Granite Typhoon (formerly Gallium); Symantec tracks the group as Daggerfly, and it is also associated with the cybercriminal and espionage group that Google Mandiant calls APT41.
6. Evasive Panda has targeted individuals within China and has compromised government agencies in China, Macao, and Southeast and East Asian nations.
7. The group also targeted users by compromising a developer of Tibetan translation software, distributing Trojanized applications that infect both Windows and macOS systems.
8. Evasive Panda has developed its own custom malware framework, MgBot, that implements a modular architecture and has the ability to download additional components, execute code, and steal data.
9. Nightdoor, a backdoor introduced by the group in 2020, communicates with a command-and-control server to issue commands, upload data, and create a reverse shell.

These takeaways provide a clear overview of the nature and impact of the cyberattack, as well as the tactics and tools used by the Evasive Panda group.
