China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike
Nov. 13, 2024, 9:28 a.m.
Description
A Chinese state-sponsored threat group, TAG-112, has compromised two Tibetan websites to deliver Cobalt Strike malware. The attackers embedded malicious JavaScript in the sites that spoofs a TLS certificate error to trick visitors into downloading a file disguised as a security certificate. This campaign highlights ongoing cyber-espionage efforts targeting Tibetan entities. TAG-112's infrastructure, hidden behind Cloudflare, links this operation to other China-sponsored activity, particularly TAG-102 (Evasive Panda). The group exploited vulnerabilities in the Joomla content management system to implant the malicious code. This attack demonstrates the continued focus of Chinese cyber operations on ethnic and religious minority groups, emphasizing the need for proactive cybersecurity measures.
Date
Published: Nov. 13, 2024, 4:45 a.m.
Created: Nov. 13, 2024, 4:45 a.m.
Modified: Nov. 13, 2024, 9:28 a.m.
Indicators
31f11b4d81f3ae25b6a01cd1038914f31d045bc4136c40a6221944ea553d6414
f4ded3a67480a0e2a822af1e87a727243dea16ac1a3c0513aec62bff71f06b27
f1f11e52a60e5a446f1eb17bb718358def4825342acc0a41d09a051359a1eb3d
d0972247c500d2a45f412f9434287161de395a35ef5b4931cba12cf513b76962
966d311dcc598922e4ab9ce5524110a8bfd2c6b6db540d180829ceb7a7253831
94569f64f62eff185ba47e991dba54bdeea6d1a9e205d6bec767be6a864e4efb
8d4049ef70c83a6ead26736c1330e2783bdc9708c497183317fad66b818e44cb
1e7cb19f77206317c8828f9c3cdee76f2f0ebf7451a625641f7d22bb8c61b21b
1e42cbe23055e921eff46e5e6921ff1a20bb903fca83ea1f1294394c0df3f4cd
0e306c0836a8ee035ae739c5adfbe42bd5021e615ebaa92f52d5d86fb895651d
154.90.63.166
154.205.138.202
154.90.62.12
update.maskrisks.com
mail.maskrisks.com
checkupdate.maskrisks.com
maskrisks.com
gyudmedtantricuniversity.org
tibetpost.net
Attack Patterns
Cobalt Strike - S0154
TAG-112
T1568
T1583.001
T1583.003
T1189
T1071
T1102
T1204
T1132
T1190
T1133
T1059
Additional Information
China