Several other overlaps have also been noted between both the activities, including the application of the same email themes and identical hosting provider. Furthermore, both the campaigns made use of Google Drive links for downloading the malware.
The campaigners are attacking strategic targets that somehow align with the Chinese Government’s affairs. The threat actors used spear-phishing emails with the theme ‘conference invitations’, which included a direct download Google Drive link. According to the researchers two Google Drive links were there, with the name “dalailama-Invitations [.]exe” file.
About the Attacks
The dropped files (HTTP POST) were being used for the requests to communicate with the control and command server which uses a fixed URL pattern, and for the next stage, malware needs a specific response. Those domains were being used in both campaigns were organized on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost).
Recent cyberattacks on Taiwanese and Tibetan entities don’t come as a surprise, it has been observed that Beijing-based malicious actors actively attack these states in accordance with their state interests. A recent study at IBM disclosed that an email phishing scheme attacking Germany and Italy based COVID-19 vaccine supply chains. Other targets included the Czech Republic and South Korea amid a few more.
Given the highly customized nature of the attacks against particular targets chosen strategically, the activity could possibly be aligned with Chinese nation-backed attackers; however, as of now, the campaigns could not be affiliated to a recognized cyber threat group. Therefore, experts have recommended employing a trustworthy anti-malware solution. Users are also advised to avoid opening attachments from anonymous sources.