China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community
Briefly

The Tibetan community has come under cyber attack from a China-linked espionage group in campaigns timed to the Dalai Lama's 90th birthday. Named Operation GhostChat and Operation PhantomPrayers, these multi-stage attacks compromised a legitimate website in order to install the Gh0st RAT or PhantomNet backdoor on victims' devices. Hacking groups have repeatedly used watering hole attacks against the Tibetan diaspora to collect sensitive information. In the recent attacks a legitimate web link was swapped for a fraudulent one pointing to a fake secure chat application built to steal user data.
The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems.
Over the past two years, hacking groups such as EvilBamboo, Evasive Panda, and TAG-112 have all used watering hole attacks against the Tibetan diaspora with the ultimate goal of gathering sensitive information.
The latest set of attacks observed by Zscaler entails the compromise of a web page to replace the link pointing to "tibetfund[.]org/90thbirthday" with a fraudulent version ("thedalailama90.niccenter[.]net").
Hosted on that website is a backdoored version of an open-source encrypted chat application that bundles a malicious DLL; the application loads the DLL (DLL sideloading), which in turn launches Gh0st RAT, a remote access trojan widely used by Chinese hacking groups.
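The first stage of this chain, replacing a trusted outbound link on a compromised page, is something a site owner can watch for. The script below is an added example, not code from the report or from any of the groups named here: it parses a page's anchors, resolves relative hrefs against the page URL, flags links that leave an allowlisted host, and flags any link whose visible text is expected to point at a known target but now resolves elsewhere. The HTML snippet, the allowlist, and the expected-link table are constructed for illustration; only the two domains come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not captured content): the legitimate
# tibetfund.org birthday link has been swapped for a lookalike host,
# mirroring the substitution described in the article.
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="https://tibetfund.org/donate">Donate</a>
<a href="https://thedalailama90.niccenter.net/">90th Birthday Tribute</a>
<a href="//cdn.example.net/app.js">script</a>
</body></html>
"""

# Hypothetical baseline: link text -> URL it is supposed to resolve to.
EXPECTED_LINKS = {
    "90th Birthday Tribute": "https://tibetfund.org/90thbirthday",
}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def host_allowed(host, allowed_hosts):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit_links(html, page_url, allowed_hosts, expected_links):
    """Return (text, resolved_url, reasons) for every suspicious anchor."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        resolved = urljoin(page_url, href)  # relative and //host links resolve here
        parts = urlsplit(resolved)
        reasons = []
        # Only http(s) targets are checked; mailto:, tel: etc. are skipped.
        if parts.scheme in ("http", "https") and not host_allowed(
            parts.hostname or "", allowed_hosts
        ):
            reasons.append(f"off-site host {parts.hostname}")
        expected = expected_links.get(text)
        if expected is not None and resolved != expected:
            reasons.append(f"expected {expected}")
        if reasons:
            findings.append((text, resolved, reasons))
    return findings


if __name__ == "__main__":
    for text, url, reasons in audit_links(
        SAMPLE_HTML, "https://tibetfund.org/", {"tibetfund.org"}, EXPECTED_LINKS
    ):
        print(f"{text!r} -> {url}: {'; '.join(reasons)}")
```

Run against the sample, the tribute link is reported twice over (off-site host and changed target) and the protocol-relative CDN link once; the two same-site links pass. In practice the expected-link table is built from a known-good crawl and the audit runs on a schedule, so a swap like the one described above surfaces as a diff rather than as a victim report.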
Read at The Hacker News