A spear-phishing campaign has been targeting the Tibetan community, and the threat actors behind it are suspected to be the same group that attacked Taiwanese legislators in May 2020. The group is using a previously unreported malware family identified as MESSAGEMANIFOLD.
The recent campaigns hit strategic targets whose selection aligns with Chinese state interests.
- Attackers reportedly used spear-phishing emails themed as conference invitations that carried a direct Google Drive download link. Two Google Drive links were observed, both of which delivered the file “dalailama-Invitations[.]exe”.
- In both campaigns, the original executable displayed a fake Windows error message as a decoy and dropped a second executable into the “C:\Users\Public” folder on the compromised device.
A close overlap has been identified between the earlier activity targeting Taiwanese legislators and the recent campaign, so it is possible that the same threat group was behind both the Tibetan and the Taiwanese targeting.
- The dropped files communicated with the command-and-control server over HTTP POST requests using a fixed URI pattern, and required a specific server response before proceeding to the next stage.
- All of the domains used in both campaigns were hosted on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost); hosting on both is sold by Deltahost, a Ukrainian hosting provider.
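The two behaviours listed above, a second-stage executable launched from C:\Users\Public and repeated HTTP POSTs to one fixed URI, are both easy to hunt for in endpoint and proxy telemetry. The following is an added example, not code or indicators from the original report: the process and proxy records are constructed, and the C2 hostname, the URI path and the file names are placeholders rather than observed indicators.

```python
"""Hunt for the two MESSAGEMANIFOLD-style behaviours described in the summary:
(1) a process image executing from below C:\\Users\\Public, and
(2) a host repeatedly POSTing to the same URI on the same destination.
All records below are constructed for illustration; hostnames, paths and
file names are placeholders, not indicators from the campaign."""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed process-creation records (Sysmon Event ID 1 style fields).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Users\alice\Downloads\dalailama-Invitations.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "image": r"C:\Users\Public\stage2.exe",  # placeholder name
     "parent": r"C:\Users\alice\Downloads\dalailama-Invitations.exe"},
    {"host": "ws02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "image": r"c:\users\public\Documents\update.exe",  # lowercase path
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Constructed proxy records. c2.example.test and /placeholder/checkin are
# placeholders standing in for the C2 domain and its fixed URI pattern.
PROXY_EVENTS: List[Dict[str, str]] = [
    {"src": "ws01", "method": "GET",  "url": "http://c2.example.test/placeholder/checkin"},
    {"src": "ws01", "method": "POST", "url": "http://c2.example.test/placeholder/checkin"},
    {"src": "ws01", "method": "POST", "url": "http://c2.example.test/placeholder/checkin"},
    {"src": "ws01", "method": "POST", "url": "http://c2.example.test/placeholder/checkin"},
    {"src": "ws01", "method": "POST", "url": "http://c2.example.test/placeholder/checkin"},
    {"src": "ws02", "method": "POST", "url": "https://mail.example.test/sync"},
    {"src": "ws02", "method": "POST", "url": "https://mail.example.test/sync"},
    {"src": "ws02", "method": "POST", "url": "https://mail.example.test/sync"},
    {"src": "ws02", "method": "POST", "url": "https://shop.example.test/cart"},
]

PUBLIC_DIR = "c:\\users\\public\\"


def is_under_public(image: str) -> bool:
    """True if the image path sits anywhere below C:\\Users\\Public.
    Normalises slashes and case, since the dropper controls both."""
    return image.replace("/", "\\").lower().startswith(PUBLIC_DIR)


def find_public_folder_execs(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation records whose image runs from the Public folder.
    Legitimate software rarely executes from there, so each hit merits a look
    at the parent process (here, the downloaded invitation executable)."""
    return [e for e in events if is_under_public(e["image"])]


def find_fixed_uri_posts(
    events: Iterable[Dict[str, str]],
    min_count: int = 3,
    allowlist: FrozenSet[str] = frozenset(),
) -> Dict[Tuple[str, str, str], int]:
    """Group POST requests by (source host, destination host, URI path) and
    return the groups that repeat at least min_count times to a destination
    outside the allowlist. A beacon that always POSTs to one fixed path on a
    rarely seen host stands out against browsing, which spreads over many paths."""
    groups: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in events:
        if e["method"].upper() != "POST":
            continue
        parts = urlsplit(e["url"])
        if parts.hostname is None or parts.hostname in allowlist:
            continue
        groups[(e["src"], parts.hostname, parts.path)] += 1
    return {key: n for key, n in groups.items() if n >= min_count}


if __name__ == "__main__":
    for hit in find_public_folder_execs(PROCESS_EVENTS):
        print("exec from Public:", hit["host"], hit["image"], "parent:", hit["parent"])
    known_good = frozenset({"mail.example.test"})
    for (src, dst, path), n in find_fixed_uri_posts(PROXY_EVENTS, allowlist=known_good).items():
        print(f"repeated POST beacon: {src} -> {dst}{path} x{n}")
```

The allowlist matters in practice: internal mail or SSO endpoints also receive repeated POSTs to one path, so tune it from a baseline of the environment before alerting on the remaining groups, and pivot from any hit to the parent process and to the domains' hosting ASN as the report does.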
Attacks on Taiwanese and Tibetan entities are not new; China-based threat actors actively target them in line with Chinese government interests.
- Recently, IBM revealed an email phishing scheme targeting coronavirus vaccine supply chains located in the Czech Republic, Italy, Germany, South Korea, Greater Europe, and Taiwan.
- Last month, WHO faced a barrage of online attacks from activists after comments mentioning ‘Taiwan’ and ‘China,’ including those from Taiwan’s government, were censored on the WHO’s Facebook page.
The targeting of Tibetan and Taiwanese entities aligns with Chinese interests, and more such attacks can be expected in the near term. Experts therefore advise against opening attachments or following download links from unknown senders, and recommend using a reliable anti-malware solution. Defenders can also watch for the behaviours described above: executables dropped into C:\Users\Public and repeated HTTP POST requests to a single fixed URI.