Source summary: China-based TAG-112 compromised Tibetan websites to deliver Cobalt Strike. Recorded Future reports targeted activity by a state-sponsored actor.
Analysis Summary
# Threat Actor: TAG-112 (assessed as Chinese state-sponsored activity)
## Attribution & Identity
The actor is described as a **Chinese state-sponsored threat group**, designated **TAG-112** by the reporting source. No alias or overlap with other publicly tracked groups is given beyond this internal tracking tag.
## Activity Summary
The group recently conducted a cyber-espionage campaign against Tibetan entities by compromising two websites: **Tibet Post** (`tibetpost[.]net`) and **Gyudmed Tantric University** (`gyudmedtantricuniversity[.]org`). Malicious JavaScript embedded in the sites displayed a spoofed TLS certificate error and prompted visitors to download what was presented as a security certificate; the downloaded file ultimately deployed a **Cobalt Strike** Beacon. The activity reflects a sustained focus on cyber-espionage against Tibetan interests.
## Tactics, Techniques & Procedures
- **Initial Access:** Drive-by Compromise (via compromised legitimate websites).
- **Execution/Delivery:** Embedding malicious JavaScript in website files (`custom.js` and `jquery.blueimp-gallery.full.js`).
- **Defense Evasion/Deception:** Displaying a spoofed TLS certificate error to socially engineer visitors into downloading the payload, which was disguised as a security certificate.
- **Post-Exploitation:** Deployment of Cobalt Strike for remote access and post-exploitation activities.
- **Resource Development:** Acquiring and compromising infrastructure (servers, web services).
*The source does not give MITRE ATT&CK IDs in full; the techniques listed map to the following framework entries:*
- Initial Access: Drive-by Compromise (T1189)
- Defense Evasion: Hijack Execution Flow: DLL Side-Loading (T1574.002)
- Resource Development: Acquire Infrastructure: Server (T1583.004)
- Resource Development: Acquire Infrastructure: Web Services (T1583.006)
- Resource Development: Compromise Infrastructure: Server (T1584.004)
## Targeting
- **Sectors:** Media/News (Tibet Post) and Education/Religious Institution (Gyudmed Tantric University). Generally focused on **Tibetan entities**.
- **Geography:** Not explicitly stated for the victim locations, but the context implies organizations related to the Tibetan community.
- **Victims:** Tibet Post (`tibetpost[.]net`) and Gyudmed Tantric University (`gyudmedtantricuniversity[.]org`).
## Tools & Infrastructure
- **Malware families used:** **Cobalt Strike**.
- **Infrastructure:**
- **C2 Domains:** `maskrisks[.]com`, `mail[.]maskrisks[.]com`, `update[.]maskrisks[.]com`, `checkupdate[.]maskrisks[.]com`.
- **C2 IP Addresses:** `154.90.62[.]12`, `154.90.63[.]166`, `154.205.138[.]202`.
- **Certificates Used/Associated:** A stolen code-signing certificate (KP MOBILE) used to sign the payload, plus other certificates linked to the C2 infrastructure.
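The domain and IP indicators above are most useful when matched against proxy or DNS logs with subdomain-aware matching (a new host under `maskrisks[.]com` should hit the apex indicator, while a look-alike such as `notmaskrisks.com` must not). The script below is an added example for this page, not code from the Recorded Future report: the indicators are the ones listed above with the de-fanging brackets removed, the log lines are constructed, and the log format (timestamp, client, method, target, status) is an assumption.

```python
"""Match proxy/DNS log lines against the TAG-112 C2 indicators listed above.

Added example for this page, not code from the Recorded Future report.
The domains and IPs are the ones listed in this summary (de-fanged brackets
removed); the log lines below are constructed for the demonstration and the
log format is an assumption (timestamp, client, method, target, status).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

C2_DOMAINS = {
    "maskrisks.com",
    "mail.maskrisks.com",
    "update.maskrisks.com",
    "checkupdate.maskrisks.com",
}
C2_IPS = {ipaddress.ip_address(a) for a in
          ("154.90.62.12", "154.90.63.166", "154.205.138.202")}

# Candidate hostnames and IPv4 addresses embedded anywhere in a log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    line_no: int
    indicator: str   # the published IOC that matched
    observed: str    # what was actually seen in the log


def domain_matches(host: str) -> Optional[str]:
    """Return the matching IOC for an exact hit or for any subdomain of a
    listed domain (beacon.maskrisks.com -> maskrisks.com). Look-alike
    registrations such as notmaskrisks.com must not match, so the suffix
    test includes the leading dot. The longest IOC wins for nested matches."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS:
        return host
    for d in sorted(C2_DOMAINS, key=len, reverse=True):
        if host.endswith("." + d):
            return d
    return None


def ip_matches(addr: str) -> Optional[str]:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return str(ip) if ip in C2_IPS else None


def scan_logs(lines) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = domain_matches(host)
            if ioc:
                hits.append(Hit(n, ioc, host))
        for addr in IPV4_RE.findall(line):
            ioc = ip_matches(addr)
            if ioc:
                hits.append(Hit(n, ioc, addr))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2024-11-21T09:14:02Z 10.1.4.22 GET https://www.tibetpost.net/ 200
2024-11-21T09:14:05Z 10.1.4.22 GET https://update.maskrisks.com/cert.crt 200
2024-11-21T09:14:09Z 10.1.4.22 CONNECT 154.90.62.12:443 200
2024-11-21T09:15:11Z 10.1.4.31 GET https://maskrisks.com.example.org/ 404
2024-11-21T09:16:30Z 10.1.4.40 GET https://notmaskrisks.com/ 200
2024-11-21T09:17:01Z 10.1.4.40 CONNECT beacon.maskrisks.com:443 200
""".splitlines()

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.observed} matches IOC {h.indicator}")
```

Run against the constructed log, only lines 2, 3 and 6 are reported; the `maskrisks.com.example.org` and `notmaskrisks.com` lines are correctly ignored because the suffix test requires the dot before the indicator.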
## Implications
The combination of website compromise and social engineering (a spoofed TLS certificate error) indicates a well-resourced state-sponsored actor dedicated to cyber-espionage against politically sensitive communities such as the Tibetan diaspora. The primary objective is persistent remote access (via Cobalt Strike) for intelligence gathering within the targeted organizations.
## Mitigations
- Implement stringent auditing and monitoring of website code, especially JavaScript files loaded from third-party vendors or administrative panels, for unauthorized modifications.
- Security awareness training is crucial, focusing on educating users to be highly suspicious of unexpected security warnings or required certificate installations presented by websites.
- Isolate or block outbound connections to the identified C2 domains and IP addresses.
- Enhance endpoint security to detect and block the execution of Cobalt Strike Beacon.
- Do not treat a valid code signature as proof of legitimacy: this campaign used a stolen code-signing certificate (KP MOBILE), so verify the signer identity against an allowlist and treat binaries signed with that certificate as suspect.
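The first mitigation, monitoring site code for unauthorized modifications, comes down to keeping a hash baseline of the web root's script files and diffing against it on a schedule. The following is an added example written for this page, not code from the report or from the affected sites: it builds a throwaway web root with constructed files, baselines it, simulates tampering of the kind described above (an appended `custom.js` and a new dropped script), and reports the difference. The manifest location and watched file types are assumptions.

```python
"""Baseline-and-diff integrity check for the script files of a web root.

Added example for this page, not code from the report or from the affected
sites. It hashes every watched file under a web root, stores the manifest,
and reports files that were modified, added or removed since the baseline,
which is how an injection into custom.js or a gallery script would surface.
The demo builds a throwaway web root with constructed files.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

WATCHED_SUFFIXES = {".js", ".php", ".html", ".htm"}   # assumption


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map of web-root-relative path -> SHA-256 for every watched file."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def save_baseline(manifest: Dict[str, str], path: Path) -> None:
    # Keep the manifest off the web host, or at least outside the web root:
    # an attacker who can edit custom.js can also edit a manifest beside it.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small site, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "js").mkdir(parents=True)
        (root / "js" / "custom.js").write_text("window.site = {};\n")
        (root / "js" / "jquery.blueimp-gallery.full.js").write_text("/* gallery */\n")
        (root / "index.html").write_text("<html></html>\n")
        (root / "logo.png").write_bytes(b"\x89PNG")   # not a watched type

        manifest_path = Path(tmp) / "baseline.json"   # outside the web root
        save_baseline(build_baseline(root), manifest_path)

        # Simulated tampering: append to an existing script, drop a new one.
        with (root / "js" / "custom.js").open("a") as f:
            f.write("/* appended by the demo */\n")
        (root / "js" / "loader.js").write_text("/* new file */\n")

        return diff_baseline(load_baseline(manifest_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is taken from a known-good deployment artifact rather than from the live host, and the diff runs from a separate monitoring system so that an attacker with write access to the site cannot also rewrite the manifest.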