In October 2020, during an investigation of a spearphishing campaign targeting the Tibetan community, Recorded Future’s Insikt Group discovered links to an unattributed threat activity group that had previously targeted Taiwanese legislators in May 2020. Insikt Group identified multiple overlaps between the two campaigns, including the use of the same hosting provider, similar email themes, and the use of Google Drive links to download the same malware variant. In both campaigns, the group used a previously unreported malware variant that Insikt Group calls MESSAGEMANIFOLD.
While the activity cannot be linked to a known threat activity group at this time, the low volume and highly targeted nature of these campaigns against specific strategic targets align with Chinese interests and previous campaigns.
MESSAGEMANIFOLD Malware
The October 2020 campaign is summarized by analysis of the following two MESSAGEMANIFOLD samples:
The series of spearphishing emails was themed around conference invitations and contained a direct-download Google Drive link. In total, two Google Drive links were used, each downloading an executable named “dalailama-Invitations.exe”. In both cases, the original executable displays a fake Windows error message and drops a second executable to the “C:\Users\Public” folder on the infected device. The dropped files make an HTTP POST request to the command and control (C2) server using the following URI pattern: “uu=kw&s=1&i=%&w=%”. It is likely that the malware requires a specific response or file from the C2 server in order to create the next stage. Insikt Group is continuing to investigate these samples to identify the final payload.
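One way a defender can turn the C2 beacon pattern above into a detection over web-proxy logs, as an added example that is not part of the report or of Insikt Group's tooling; it assumes the two “%” characters in the pattern are placeholders for variable values, that parameter order is not significant, and a constructed “client method url status” log format:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon shape from the report: uu=kw&s=1&i=<value>&w=<value>
# Assumption: "%" in the reported pattern stands for a variable value.
REQUIRED_FIXED = {"uu": "kw", "s": "1"}
REQUIRED_PRESENT = {"i", "w"}

def matches_messagemanifold_uri(method: str, url: str) -> bool:
    """True when a request has the MESSAGEMANIFOLD POST beacon query shape."""
    if method.upper() != "POST":
        return False
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, expected in REQUIRED_FIXED.items():
        if params.get(key) != [expected]:
            return False
    # Both variable parameters must be present, whatever their values are.
    return REQUIRED_PRESENT.issubset(params)

# Constructed proxy log lines (not from the report): client method url status
SAMPLE_LOG = """\
10.0.0.5 POST http://c2.example.invalid/index.php?uu=kw&s=1&i=7a3f&w=3 200
10.0.0.5 GET http://c2.example.invalid/index.php?uu=kw&s=1&i=7a3f&w=3 200
10.0.0.7 POST http://intranet.invalid/search?uu=kw&s=2&i=1&w=1 200
10.0.0.9 POST http://c2.example.invalid/up?w=0&i=abc&uu=kw&s=1 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def find_beacons(log_text: str) -> list:
    """Return (client, url) pairs for requests matching the beacon pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        client, method, url, _status = m.groups()
        if matches_messagemanifold_uri(method, url):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_LOG):
        print(f"possible MESSAGEMANIFOLD beacon from {client}: {url}")
```

The GET request and the request with `s=2` are deliberately excluded, so the check also serves as a regression test when the pattern is tuned.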
Infrastructure and Attribution
In analyzing the malware samples and associated infrastructure, Insikt Group identified close overlaps with activity targeting Taiwanese legislators reported by Taiwan’s Criminal Investigation Bureau and Alienvault in May 2020. Insikt researchers believe that this campaign was very likely conducted by the same threat activity group responsible for the recent Tibetan targeting.
Related to this Taiwan activity, Alienvault researchers also identified a Tibet-themed domain, tibet-office[.]com, indicating the group’s previous interest in Tibetan targeting. All of the domains identified in both campaigns were hosted on AS 42331 (PE Freehost) and AS 42159 (Zemlyaniy Dmitro Leonidovich), which are available to purchase through the Ukrainian hosting provider Deltahost. Per the Start of Authority (SOA) DNS record, both C2 domains were registered using the email address diir.tibet.net@mail[.]ru. Pivoting on this artifact, we were able to identify three additional Tibet-themed domains linked to the same threat activity group, in-tibet[.]net, mail-tibet[.]net, and dalailama[.]online. All five domains were registered through the domain reseller Domenburg.
Insikt Group has not identified overlaps between this activity and any known threat activity group at this time. However, the targeting of Taiwanese and Tibetan entities aligns with Chinese strategic interests, and many Chinese state-sponsored threat activity groups, including RedAlpha, have heavily targeted these entities in the past. Similarly, the targeted nature of these campaigns against entities of high strategic significance, coupled with the low volume of publicly known activity linked to the group, is inconsistent with financially motivated activity.