##### CYBER THREAT ANALYSIS

By Insikt Group®

**CHINA**

November 12, 2024

# China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

- **TAG-112 compromised two Tibetan community websites, likely via vulnerable Joomla installations, uploading malicious JavaScript that downloads Cobalt Strike malware**
- **This campaign’s malicious infrastructure used Cloudflare for name servers, hiding the threat actor’s IP and complicating attribution — a technique increasingly observed**
- **TAG-112 overlaps with TAG-102 (Evasive Panda), a Chinese APT group targeting those opposing the Chinese government, including human rights groups, minorities, academics, and**

_Note: The analysis cut-off date for this report was October 3, 2024_

## Executive Summary

In late May 2024, at least two websites with ties to the Tibetan community were compromised and modified with malicious JavaScript that spoofed a TLS certificate error page, ultimately triggering a download of Cobalt Strike from external threat actor-controlled infrastructure. Insikt Group identified six Cobalt Strike Beacon samples linked to this activity. The infrastructure used for this campaign implemented Cloudflare protection to obfuscate its origin. As of this writing, the websites remain compromised and host the malicious JavaScript, and portions of the malicious infrastructure likely remain active.

This activity was conducted by a Chinese state-sponsored threat actor group we are calling TAG-112. The group is particularly interested in targeting the Tibetan community and has several overlaps with TAG-102 (Evasive Panda).

Insikt Group followed responsible disclosure procedures in advance of this publication per Recorded Future's prenotification policy.

## Key Findings

- TAG-112 likely compromised the Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org) websites on or around May 23, 2024. These websites remain compromised as of this writing.
- The compromised websites were manipulated to prompt visitors to download a malicious executable disguised as a “security certificate” that ultimately loaded a Cobalt Strike payload upon execution.
- The group likely exploited a vulnerability in the website's content management system, Joomla, to upload the malicious JavaScript.
- TAG-112 is likely a subgroup of TAG-102 (Evasive Panda), working toward the same or similar intelligence requirements, mainly focusing on targeting Tibetan entities. Despite these overlaps, Insikt Group is tracking this activity as a separate entity due to the difference in maturity between these campaigns.
- [The Tibetan community in exile](https://thediplomat.com/2019/12/community-in-exile-indias-little-tibet/), along with other religious and ethnic minority groups in China, have long been targets for various Chinese cyber-espionage (advanced persistent threat; APT) groups ([1](https://www.recordedfuture.com/research/redalpha-cyber-campaigns), 2, 3). Beijing perceives these groups as subversive or separatist elements challenging Chinese Communist Party (CCP) rule, as well as [avenues for foreign influence](https://thediplomat.com/2019/05/where-does-tibet-fit-into-the-us-china-relationship/) or interference in China’s internal affairs.

1 CTA-CN-2024-1112 Recorded Future® [| www.recordedfuture.com](http://www.recordedfuture.com)

-----

## Threat Analysis

#### Malicious JavaScript

Insikt Group was recently made aware of a compromised website with close ties to the Tibetan community. The compromise took place in late May 2024. The threat actors modified a JavaScript file to include a segment of malicious code (see Appendix C). This prompted website visitors to download a malicious executable disguised as a “security certificate” that ultimately loaded a Cobalt Strike Beacon payload.
**_Figure 1: Diagram of the observed infection chain (Source: Recorded Future)_**

The malicious JavaScript is triggered by the window.onload event. It first checks the user's operating system and web browser type; this is likely intended to filter out non-Windows operating systems, as the function terminates the script if Windows isn’t detected. The collected browser information is sent to the TAG-112 domain update[.]maskrisks[.]com via a GET request with the browser type encapsulated in a URL variable, ?type={Chrome or Edge}. This initial request returns a JSON object containing a “forbid” boolean, used to control further execution, and an HTML template that spoofs a certificate error page matching the user's browser. If this initial request returns an error, the script exits and does not affect the website.

```
https[:]//update[.]maskrisks[.]com/?type=Chrome
https[:]//update[.]maskrisks[.]com/?type=Edge
```

**_Figure 2: URLs used in the initial GET request to return a spoofed HTML template (Source: Recorded Future)_**

**_Figure 4: Modified Chrome TLS certificate error page (Source: [urlscan](https://urlscan.io/result/4ae64fcd-c1bc-4e7f-9d21-a4c8f4b89a9a#summary))_**

The script replaces three placeholder values in the HTML template:

- `<%-- domian --%>`[1]: replaced with the location.hostname variable (the compromised website's domain)
- `<%-- downloadURL --%>`: replaced with `${REQUEST_URL}download`, that is, https[:]//update[.]maskrisks[.]com/download
- `dnspod[.]cn`: replaced with google[.]com

The HTML template (see Figure 5) contains an X.509 certificate (SHA256: D0972247C500D2A45F412F9434287161DE395A35EF5B4931CBA12CF513B76962) for the domain *.dnspod[.]cn and also a Chinese-language comment “// 如果错误是由于一个失败的a href请求引起的,则关闭窗口”, which translates to “If the error is caused by a failed a href request, close the window”. These artifacts indicate that the actor who modified this template is likely a Chinese speaker, given the use of a Chinese DNS provider to generate the HTML page and the Chinese-language code comment. This HTML template then overwrites the compromised website's code. After a two-second delay, the script triggers an alert with the message “Click to download the security certificate” and automatically clicks a link to the download URL appended to the document body, starting the download of the malicious file, as shown in Figure 6.

[1] “domian” is misspelled in both the malicious JavaScript snippet and the HTML template.
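Because the injection lives in a modified JavaScript file on the compromised site, the most direct check a site operator can run is a file-integrity comparison against a known-good baseline, combined with a scan for the textual artifacts the report describes (the misspelled `<%-- domian --%>` placeholder, the `<%-- downloadURL --%>` placeholder, the update[.]maskrisks[.]com host, the alert text and the Chinese-language comment). The following is an added example written for this page, not code from the Recorded Future report; the file paths, file contents and the baseline digests are constructed for illustration, and only the indicator strings are taken from the report.

```python
"""Integrity check of a site's JavaScript files against a known-good baseline,
plus a scan for the textual artifacts of the injection described above.

Added example, not code from the report. Paths, contents and baseline are
constructed; indicator strings come from the report (refanged for matching).
"""
import hashlib

# Artifacts the report attributes to the injected JavaScript / HTML template.
INJECTION_MARKERS = [
    "<%-- domian --%>",               # misspelled placeholder left by the actor
    "<%-- downloadURL --%>",
    "update.maskrisks.com",           # host of the ?type= request and /download
    "Click to download the security certificate",
    "如果错误是由于一个失败的a href请求引起的",   # Chinese-language comment in the template
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_injection_markers(content: str) -> list[str]:
    """Return the marker strings present in one JavaScript/HTML file."""
    return [m for m in INJECTION_MARKERS if m in content]


def check_integrity(files: dict[str, bytes], baseline: dict[str, str]) -> dict:
    """Compare deployed files (path -> bytes) with a baseline (path -> SHA-256).

    Returns modified, new and missing paths, plus marker hits per file.
    A modified file that also carries markers is the strongest signal.
    """
    report = {"modified": [], "new": [], "missing": [], "markers": {}}
    for path, data in files.items():
        digest = sha256_hex(data)
        if path not in baseline:
            report["new"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
        hits = find_injection_markers(data.decode("utf-8", errors="replace"))
        if hits:
            report["markers"][path] = hits
    report["missing"] = [p for p in baseline if p not in files]
    return report


# --- constructed sample data (hypothetical Joomla-style paths) -----------------
CLEAN_JS = b"document.addEventListener('DOMContentLoaded', () => { console.log('ok'); });\n"
# Constructed tampered file: carries only the indicator strings, not the real script.
TAMPERED_JS = (
    b"/* site bundle */\n"
    b"var u = 'https://update.maskrisks.com/?type=' + browserName;\n"
    b"var tpl = '<%-- domian --%>';\n"
    b"var msg = 'Click to download the security certificate';\n"
)

SAMPLE_FILES = {
    "media/system/js/core.js": CLEAN_JS,
    "templates/site/js/main.js": TAMPERED_JS,
    "templates/site/js/extra.js": CLEAN_JS,      # not in the baseline: new file
}
# Baseline captured while the site was known-good (main.js was then CLEAN_JS).
SAMPLE_BASELINE = {
    "media/system/js/core.js": sha256_hex(CLEAN_JS),
    "templates/site/js/main.js": sha256_hex(CLEAN_JS),
    "templates/site/js/vendor.js": sha256_hex(b"// vendor"),   # removed since
}


if __name__ == "__main__":
    r = check_integrity(SAMPLE_FILES, SAMPLE_BASELINE)
    for key in ("modified", "new", "missing"):
        print(f"{key}: {r[key]}")
    for path, hits in r["markers"].items():
        print(f"injection markers in {path}: {hits}")
```

The baseline should be captured from a clean deployment (or rebuilt from the CMS and template package sources) and stored off the web server, since an actor with upload access to the site can also edit a baseline kept alongside the files. Marker hits alone catch this specific campaign; the hash comparison catches any modification, including a re-worked script with different strings.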
**_Figure 5: X.509 certificate for dnspod[.]cn found in HTML template source code, SHA256: [D0972247C500D2A45F412F9434287161DE395A35EF5B4931CBA12CF513B76962](https://securitytrails.com/app/sb/certificate/d0972247c500d2a45f412f9434287161de395a35ef5b4931cba12cf513b76962) (Source: Recorded Future)_**

- _154.90.62[.]12 — Active since at least August 7, 2024_
- _154.90.63[.]166 — Active since at least June 18, 2024_
- _154.205.138[.]202 — Active since at least March 19, 2024_

The apex domain maskrisks[.]com was registered with Namecheap on March 18, 2024. Using passive DNS data, we identified two additional subdomains: mail[.]maskrisks[.]com and checkupdate[.]maskrisks[.]com.

| Filenames | SHA256 | Description |
|---|---|---|
| **Cobalt Strike Samples** | | |
| RPHost.dll | 1e42cbe23055e921eff46e5e6921ff1a20bb903fca83ea1f1294394c0df3f4cd | C2: http[:]//mail[.]maskrisks[.]com/:443/api/view.php; additional request: http[:]//update[.]maskrisks[.]com/cache?time=[UNIX Timestamp] |
| RPHost.dll | 0e306c0836a8ee035ae739c5adfbe42bd5021e615ebaa92f52d5d86fb895651d | |
| RPHost.dll | f1f11e52a60e5a446f1eb17bb718358def4825342acc0a41d09a051359a1eb3d | C2: http[:]//mail[.]maskrisks[.]com/:443/api/view.php; additional request: https[:]//checkupdate[.]maskrisks[.]com/cache?time=[UNIX Timestamp] |
| update.dll, RPHost.dll | f4ded3a67480a0e2a822af1e87a727243dea16ac1a3c0513aec62bff71f06b27 | |
| RPHost.dll | 966d311dcc598922e4ab9ce5524110a8bfd2c6b6db540d180829ceb7a7253831 | C2: http[:]//mail[.]maskrisks[.]com/:443/api/view.php; additional request: http[:]//154.205.138[.]202/GetUrl/cache?time=[UNIX Timestamp] |
| RPHost.dll | 1e7cb19f77206317c8828f9c3cdee76f2f0ebf7451a625641f7d22bb8c61b21b | |
| **Loaders** | | |
| web_certificate.exe, download | 8d4049ef70c83a6ead26736c1330e2783bdc9708c497183317fad66b818e44cb | Loads RPHost.dll 1e42cbe23055e921eff46e5e6921ff1a20bb903fca83ea1f1294394c0df3f4cd |
| Web Certificate.msi | e190c7e097a1c38dd45d9c149e737ad9253b1cabee1cee7ef080ddf52d1b378c | A legitimate software component from an emulator, “C64 Forever”, is used to side-load the Cobalt Strike DLL (RPHost.dll). |
| eade465c28a69aa17a1816453ce0d046.virus | 31f11b4d81f3ae25b6a01cd1038914f31d045bc4136c40a6221944ea553d6414 | Signed with stolen code-signing certificate d4938cb5c031ec7f04d73d4e75f5db5c8a5c04ce; loads RPHost.dll f1f11e52a60e5a446f1eb17bb718358def4825342acc0a41d09a051359a1eb3d |

**_Table 1: Cobalt Strike samples using mail[.]maskrisks[.]com for C2 and associated loaders (Source: Recorded Future Malware Intelligence)_**

## Mitigations

- Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and, upon review, consider blocking connection attempts to and from — the indicators of compromise (IoCs) listed in Appendix A.
- Train users to exercise extreme caution when handling files downloaded from untrusted sources, especially those that download automatically without user input. Ensure that users have not configured their systems or applications to automatically execute or open files downloaded from their browser.
- Detect and block malicious Cobalt Strike C2 servers in real time via the [Recorded Future® Threat Intelligence module](https://www.recordedfuture.com/products/threat-intelligence).
- By monitoring Malicious Traffic Analysis (MTA), Recorded Future clients can be alerted to likely compromised hosts communicating with validated C2 infrastructure, including for Cobalt Strike.

## Outlook

This TAG-112 campaign is emblematic of long-established intelligence requirements for Chinese cyber-espionage operators to gather information on [the Tibetan community in exile](https://thediplomat.com/2019/12/community-in-exile-indias-little-tibet/) and organizations involved in Tibetan human rights and/or independence movements. Other ethnic and religious minority groups or affiliated organizations have for years been targeted by numerous Chinese APT groups ([1](https://www.recordedfuture.com/research/redalpha-cyber-campaigns), 2, [3](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf)), as the CCP perceives these groups as [subversive or separatist elements](https://www.hrw.org/news/2007/11/09/china-tibetan-faces-baseless-subversion-charges) challenging its rule and as [avenues for foreign influence](https://thediplomat.com/2019/05/where-does-tibet-fit-into-the-us-china-relationship/) or interference in China’s internal affairs. As a result, it is highly likely that TAG-112 and TAG-102 (Evasive Panda), among a myriad of other Chinese APT groups, will continue their targeting of ethnic, religious, and human rights-linked organizations that operate in or have a nexus to China.
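The first mitigation above (alerting on the campaign's network indicators) can be exercised against web-proxy logs with a small matcher that covers the domain (with subdomains, since mail, update and checkupdate hosts all sit under maskrisks[.]com), the three IP addresses, and the URL shapes that mark each stage of the chain: the initial `?type=Chrome|Edge` template request, the `/download` of the loader, and the Beacon `/api/view.php` and `cache?time=` requests from Table 1. This is an added example written for this page, not code or a rule set from the Recorded Future report; the log line format and the sample lines are constructed, the indicators are the report's, written defanged and refanged before matching.

```python
"""Match web-proxy log lines against the TAG-112 network indicators in this report.

Added example, not from the report. Log format and sample lines are constructed;
indicator values come from the report (defanged as written there).
"""
import ipaddress
import re
from urllib.parse import urlparse

DEFANGED_DOMAINS = ["maskrisks[.]com"]                          # apex; subdomains match too
DEFANGED_IPS = ["154.90.62[.]12", "154.90.63[.]166", "154.205.138[.]202"]

# URL shapes from the infection chain and the Beacon configurations (Table 1).
# They only label a hit whose host is already an IoC; on their own they are too generic.
URL_PATTERNS = {
    "initial template request": re.compile(r"^/\?type=(Chrome|Edge)$"),
    "loader download":          re.compile(r"^/download$"),
    "beacon cache request":     re.compile(r"^/(GetUrl/)?cache\?time=\d+$"),
    "beacon C2 endpoint":       re.compile(r"^/api/view\.php$"),
}


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("[:]", ":")


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Constructed log format: "<timestamp> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def domain_matches(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:            # not an IP literal
        return False


def classify(url: str) -> list[str]:
    """Return the reasons one URL is suspicious (empty list if none)."""
    p = urlparse(url)
    host = p.hostname or ""       # urlparse strips the port for us
    reasons = []
    if domain_matches(host):
        reasons.append(f"domain IoC: {host}")
    if ip_matches(host):
        reasons.append(f"IP IoC: {host}")
    if not reasons:
        return reasons
    path_q = p.path + (f"?{p.query}" if p.query else "")
    reasons += [label for label, rx in URL_PATTERNS.items() if rx.search(path_q)]
    return reasons


def scan_log(lines) -> list[tuple]:
    """Return (line_number, client, url, reasons) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue              # unparsable line: skip, do not crash the scan
        _ts, client, _method, url, _status = m.groups()
        reasons = classify(url)
        if reasons:
            hits.append((n, client, url, reasons))
    return hits


# Constructed sample log: one client walking the whole chain, plus benign noise.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z 10.1.2.3 GET https://www.example.org/index.php 200",
    "2024-06-01T10:00:02Z 10.1.2.3 GET https://update.maskrisks.com/?type=Chrome 200",
    "2024-06-01T10:00:05Z 10.1.2.3 GET https://update.maskrisks.com/download 200",
    "2024-06-01T10:01:10Z 10.1.2.3 GET http://mail.maskrisks.com:443/api/view.php 200",
    "2024-06-01T10:01:11Z 10.1.2.3 GET http://154.205.138.202/GetUrl/cache?time=1717236071 200",
    "2024-06-01T10:02:00Z 10.1.2.9 GET https://cdn.example.net/cache?time=123 200",
]

if __name__ == "__main__":
    for n, client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {url}: {', '.join(reasons)}")
```

A client that produces the `?type=` request followed within seconds by `/download` is the browser-side stage, so the endpoint should be checked for the dropped "security certificate" file and the loaders in Table 1; a client producing `/api/view.php` or `cache?time=` requests has already executed the Beacon. The report writes the C2 URL as `http[:]//mail[.]maskrisks[.]com/:443/api/view.php`; the sample line uses the conventional `host:443` form, which `urlparse` handles, so adjust `LOG_RE` and the host handling to your proxy's actual format.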
## Appendix A — Indicators of Compromise

## Appendix B — MITRE ATT&CK Techniques

| Tactic: Technique | ATT&CK Code |
|---|---|
| Resource Development: Acquire Infrastructure: Server | T1583.004 |
| Resource Development: Acquire Infrastructure: Web Services | T1583.006 |
| Resource Development: Compromise Infrastructure: Server | T1584.004 |
| Initial Access: Drive-by Compromise | T1189 |
| Defense Evasion: Hijack Execution Flow: DLL Side-Loading | T1574.002 |

## Appendix C — Malicious JavaScript Snippet

## Appendix D — Diamond Model of Intrusion Analysis

_Recorded Future reporting contains expressions of likelihood or probability consistent with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses confidence level standards [employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments._

_About Insikt Group®_

_Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption._

_About Recorded Future®_

_Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence._

_Learn more at recordedfuture.com_