China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign

A China-linked nation-state group called TAG-112 compromised Tibetan media and university websites in a new cyber espionage campaign designed to facilitate the delivery of the Cobalt Strike post-exploitation toolkit for follow-on information collection.

"The attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised security certificate," Recorded Future's Insikt Group said.

"This malware, often used by threat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan entities."

The compromises have been pinned on a state-sponsored threat group called TAG-112, which has been described as a possible sub-group of another cluster tracked as Evasive Panda (aka Bronze Highland, Daggerfly, StormBamboo, and TAG-102) owing to tactical overlaps and their historical targeting of Tibetan entities.

The two Tibetan community websites that were breached by the adversarial collective in late May 2024 were Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org).

Specifically, it has been found that the compromised websites were manipulated to prompt visitors to the sites to download a malicious executable disguised as a "security certificate" that loaded a Cobalt Strike payload upon execution.

The JavaScript that made this possible is said to have been uploaded to the sites likely using a security vulnerability in their content management system, Joomla.

"The malicious JavaScript is triggered by the window.onload event," Recorded Future said. "It first checks the user's operating system and web browser type; this is likely to filter out non-Windows operating systems, as this function will terminate the script if Windows isn't detected."

The browser information (i.e., Google Chrome or Microsoft Edge) is then sent to a remote server (update.maskrisks[.]com), which sends back a HTML template that's a modified version of the respective browser's TLS certificate error page that's usually displayed when there is a problem with the host's TLS certificate.

The JavaScript, besides displaying the fake security certificate alert, automatically starts the download of a supposed security certificate for the domain *.dnspod[.]cn, but, in reality, is a legitimate signed executable that sideloads a Cobalt Strike Beacon payload using DLL side-loading.

It's worth pointing out at this stage that the website for Tibet Post was separately infiltrated by the Evasive Panda actor in connection with a watering hole and supply chain attack targeting Tibetan users at least since September 2023. The attacks led to the deployment of backdoors known as MgBot and Nightdoor, ESET revealed earlier this March.

Despite this significant tactical intersection, Recorded Future said it's keeping the two intrusion sets disparate owing to the "difference in maturity" between them.

"The activity observed by TAG-112 lacks the sophistication seen by TAG-102," it said. "For example, TAG-112 does not use JavaScript obfuscation and employs Cobalt Strike, while TAG-102 leverages custom malware. TAG-112 is likely a subgroup of TAG-102, working toward the same or similar intelligence requirements."