Cyber Security News

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community websites to deliver Cobalt Strike malware, according to a recent investigation by Recorded Future’s Insikt Group.

According to a report from Recorded Future, the investigation revealed that TAG-112 compromised at least two websites belonging to Tibetan organizations: Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org).

The attackers exploited vulnerabilities in the Joomla content management system (CMS), embedding malicious code that would deceive visitors into downloading malware disguised as a security certificate.

This incident marks a significant escalation in cyber-espionage activities targeting Tibetan communities and organizations.

Cobalt Strike, a legitimate penetration testing tool often misused by cybercriminals, allows attackers to remotely control infected systems, furthering espionage efforts.

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Attack Mechanism: Spoofed TLS Error and Malicious JavaScript

TAG-112’s attack begins when a user visits one of the compromised websites. Embedded within the site is a malicious JavaScript that detects the user’s operating system and browser.

If compatible, the user is redirected to a domain controlled by TAG-112, where they are presented with a fake Google Chrome TLS certificate error.

This spoofed error page tricks users into downloading what appears to be a security certificate. In reality, this download deploys Cobalt Strike, granting TAG-112 remote access to the victim’s system for further espionage and data collection.

The attackers likely gained access to the Tibetan websites via unpatched vulnerabilities in Joomla, a widely used CMS.

Weaknesses in outdated Joomla installations allowed TAG-112 to inject malicious JavaScript into the sites, a tactic that has remained active at least until early October 2024.

TAG-112 shares infrastructure and tactics with TAG-102, also known as Evasive Panda, another Chinese state-sponsored group known for targeting Tibetan entities.

However, TAG-112 operates with less sophistication, relying on publicly available tools like Cobalt Strike instead of developing custom malware.

To defend against this ongoing threat, cybersecurity experts recommend:

  • Intrusion Detection: Deploy systems to monitor indicators of compromise related to TAG-112.
  • User Awareness: Educate users about the risks of downloading files from untrusted sources.
  • Cobalt Strike Detection: Employ real-time monitoring to detect communication with known Cobalt Strike command-and-control servers.

This latest campaign underscores the Chinese government’s persistent efforts to surveil and control groups it perceives as threats, such as the Tibetan community.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago