
A state-sponsored hacker group in China, known as TAG-112, has been found compromising two Tibetan community websites to distribute Cobalt Strike malware. TAG-112 infiltrated the websites of Gyudmed Tantric University and Tibet Post, a Tibetan media outlet advocating democracy and freedom of expression, and planted malicious JavaScript on the victims’ sites. The JavaScript displayed a fake TLS certificate error, luring visitors into downloading a “security certificate” that was in fact the malware. In this article, we discuss TAG-112’s malware distribution tactics, which abuse Cobalt Strike. We analyze the domains used in the attack with Criminal IP and provide a response plan based on frequently asked questions (FAQs).
Key Takeaways
The recent TAG-112 attack involved the misuse of Cobalt Strike, a legitimate penetration testing tool. It took the quintessential form of a social engineering attack: a website vulnerability was used to plant a fake “certificate” prompt that manipulated users into downloading the malware with their own hands. This attack structure reflects the complex evolution of modern hacking schemes, which often incorporate legitimate tools and, as a result, are harder to recognize as attacks. At the same time, it highlights the growing need to secure website vulnerabilities. As attacks increasingly target them, website owners are advised to prioritize preemptive defenses such as attack surface management and threat intelligence.
Breaking Down TAG-112 Malware Distribution Attack in 3 Stages
Joomla CMS Security Flaw Exploited for Cobalt Strike Malware Spread
In the recent incident, TAG-112 is believed to have exploited vulnerabilities in the Joomla content management system (CMS) to upload malicious JavaScript files. The script first checks that the visitor is running Windows and one of a set of targeted browsers before attempting a connection to TAG-112’s Command & Control (C2) domain, update[.]maskrisks[.]com. Once the user initiates the download, a modified Cobalt Strike payload is installed. The tool, originally designed for red teams, is favored by attackers for gaining remote access and executing commands.
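The detection side of the stage described above, as an added example that is not code from the original report: a hunt script that walks a CMS webroot and flags scripts that gate on a Windows user agent, reference a known C2 domain, or carry a “security certificate” download lure. The sample files it scans are constructed here (the lure is modelled on the report’s description, not the actual injected script); only the C2 domain names come from the report.

```python
"""Hunt for injected certificate-lure JavaScript in a CMS webroot.

Added example, not code from the original report. It walks a webroot,
extracts inline <script> bodies and script src attributes from PHP/HTML
files (whole text for .js files) and flags three things the report
describes: a user-agent gate for Windows/specific browsers, a reference to
a known C2 domain, and a "security certificate" download lure. Sample files
are constructed here; only the C2 domain names come from the report.
"""
import os
import re
import tempfile

# Indicator domains from the report (compared after re-fanging "[.]").
C2_DOMAINS = {"maskrisks.com", "update.maskrisks.com",
              "checkupdate.maskrisks.com", "mail.maskrisks.com"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"<script\b[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.I)
UA_GATE_RE = re.compile(
    r"navigator\.userAgent[\s\S]{0,200}?\b(Windows|Win32|Chrome|Firefox|Edg)\b")
LURE_RE = re.compile(
    r"security\s+certificate|certificate\s+error|install\s+(the\s+)?certificate",
    re.I)


def script_content(text, is_js):
    """Return only the JavaScript-bearing parts of a file."""
    if is_js:
        return text
    return "\n".join(SCRIPT_RE.findall(text) + SRC_RE.findall(text))


def scan_text(text, is_js):
    body = script_content(text, is_js)
    fanged = body.replace("[.]", ".").lower()
    hits = sorted(d for d in C2_DOMAINS if d in fanged)
    ua_gate = bool(UA_GATE_RE.search(body))
    lure = bool(LURE_RE.search(body))
    if hits:
        verdict = "malicious"    # known C2 domain referenced
    elif ua_gate and lure:
        verdict = "suspicious"   # lure pattern without a known IOC
    else:
        verdict = "clean"        # a UA check alone is common in benign code
    return {"c2_domains": hits, "ua_gate": ua_gate, "cert_lure": lure,
            "verdict": verdict}


def scan_webroot(root):
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not lower.endswith((".js", ".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            key = os.path.relpath(path, root).replace(os.sep, "/")
            results[key] = scan_text(text, lower.endswith(".js"))
    return results


# Constructed sample files: a benign template, a benign UA check, and a lure
# modelled on the report's description (not the actual injected script).
SAMPLE_FILES = {
    "templates/site/index.php": (
        "<?php defined('_JEXEC') or die; ?>\n<html><body>\n"
        '<script src="/media/jui/js/jquery.min.js"></script>\n'
        "<p>Please verify your TLS certificate settings.</p></body></html>\n"),
    "media/js/ui-tweaks.js": (
        "var isWin = navigator.userAgent.indexOf('Windows') > -1;\n"
        "if (isWin) { document.body.classList.add('win-fonts'); }\n"),
    "media/js/cert-check.js": (
        "(function(){\n"
        "  var ua = navigator.userAgent;\n"
        "  if (ua.indexOf('Windows') === -1) return;\n"
        "  if (ua.indexOf('Chrome') === -1 && ua.indexOf('Firefox') === -1) return;\n"
        "  var box = document.createElement('div');\n"
        "  box.innerHTML = '<h2>Certificate error</h2>' +\n"
        "    '<p>Download and install the security certificate to continue.</p>' +\n"
        "    '<a href=\"https://update.maskrisks.com/\">Download</a>';\n"
        "  document.body.appendChild(box);\n"
        "})();\n"),
}


def demo():
    """Write the samples to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(f"{finding['verdict']:<10} {path}  {finding}")
```

Only script bodies and `src` attributes are inspected, so the word “certificate” in ordinary page text does not trip the lure check, and a user-agent check on its own stays “clean”; a verdict only escalates when a known indicator or the full lure pattern is present.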
Abuse of Cloudflare and Multiple Domains With C2 Server Connections
TAG-112 employs camouflage techniques to conceal its infrastructure, for instance using Cloudflare to mask the origin server’s IP address. Multiple IP addresses linked to the group’s C2 server have been active since March 2024; its main domain, maskrisks[.]com, was registered via Namecheap. Subdomains (mail[.]maskrisks[.]com, checkupdate[.]maskrisks[.]com, etc.) were added for operational flexibility. As this case illustrates, attackers often spread C2 traffic across multiple IP addresses and subdomains to avoid detection and keep their infrastructure resilient. The abundance of subdomains makes them hard to enumerate by hand, but threat intelligence tools can detect and link the related domains effectively.
Mapping the Relationship Between the Domains Used in the TAG-112 Attack
The primary domain of TAG-112, maskrisks[.]com, was used in the attack, along with its Command & Control (C2) domain, update[.]maskrisks[.]com. Subdomains such as mail[.]maskrisks[.]com and checkupdate[.]maskrisks[.]com, mentioned above, were also utilized in the attack. Let’s analyze the threat components and commonalities of the domains using Criminal IP. Below are the links to the Domain Search reports for each address.
- maskrisks[.]com: https://www.criminalip.io/domain/report?scan_id=16861653
- update[.]maskrisks[.]com: https://www.criminalip.io/domain/report?scan_id=16862332
- checkupdate[.]maskrisks[.]com: https://www.criminalip.io/domain/report?scan_id=16862225
The commonalities found across the 3 domains are summarized below:

On the left-hand side of the report summary, we see that the phishing URL probability for each domain is high, exceeding 99% in every case. Threat components were also found in the HTML and favicon, indicating that these are dangerous domains.

In the domain details at the bottom of the report, we can see that the domains all have one thing in common: they were created on March 18, 2024, and were registered through Namecheap. In the Connected IP Information, we can also see that these domains are all associated with one or two Cloudflare-owned IP addresses, 104[.]21[.]x[.]xx and 172[.]67[.]xxx[.]xxx.

The Asset Search report for this IP shows three abuse reports, two in 2024 and one in 2021, and an association with 29 domains. The Real IP information further down shows that this address has been used to conceal the real origin server on several occasions.
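The pivoting done by hand above (same registrar, same creation date, shared Cloudflare addresses), written out as an added example that is not the report’s code and does not use Criminal IP’s API. The records are constructed from the fields the report reads off the Domain Search results; the IP addresses are placeholders inside Cloudflare’s published ranges rather than the redacted ones, and the non-maskrisks domains are invented controls. The point the code makes is that a shared Cloudflare edge address is weak evidence on its own, since every site behind Cloudflare resolves to the same small pool.

```python
"""Pivot on shared registration and hosting attributes to link domains.

Added example, not the report's code and not Criminal IP's API. Each
record carries the fields the report reads off the Domain Search results
(registrar, creation date, connected IPs). Records are constructed; the
addresses are placeholders inside Cloudflare's published ranges, not the
redacted ones, and the non-maskrisks domains are invented controls.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registrar: str
    created: date
    ips: frozenset


def registrable(name):
    """Naive registrable-domain extraction (last two labels); use a public
    suffix list for real data."""
    return ".".join(name.lower().split(".")[-2:])


def link_score(a, b, shared_edge_ips):
    """Score how strongly two records are linked and say why.

    A shared IP is strong evidence only when it is not a CDN edge: every
    customer behind Cloudflare resolves to the same small pool, so a shared
    edge address alone would link unrelated sites.
    """
    score, reasons = 0, []
    if registrable(a.name) == registrable(b.name):
        score += 3
        reasons.append("same registrable domain")
    if a.registrar == b.registrar and a.created == b.created:
        score += 1
        reasons.append("same registrar and creation date")
    common = a.ips & b.ips
    dedicated = common - shared_edge_ips
    if dedicated:
        score += 2
        reasons.append(f"shared dedicated IP {sorted(dedicated)}")
    elif common:
        reasons.append(f"shared CDN edge IP {sorted(common)} (weak)")
    return score, reasons


def pivot(records, shared_edge_ips, threshold=2):
    """Union domains whose pairwise score reaches the threshold.

    Returns (clusters, weak_links): clusters as sorted lists of names, and
    weak_links as (name_a, name_b, reasons) for pairs that share something
    but not enough to be merged automatically.
    """
    parent = {r.name: r.name for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    weak = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            score, reasons = link_score(a, b, shared_edge_ips)
            if score >= threshold:
                parent[find(a.name)] = find(b.name)
            elif reasons:
                weak.append((a.name, b.name, reasons))
    groups = defaultdict(list)
    for r in records:
        groups[find(r.name)].append(r.name)
    return sorted(sorted(g) for g in groups.values()), weak


# Constructed records. EDGE_A/EDGE_B stand in for the report's two
# Cloudflare addresses, which the report redacts.
EDGE_A, EDGE_B = "104.16.1.1", "172.64.1.1"
SHARED_EDGES = frozenset({EDGE_A, EDGE_B})
D = date(2024, 3, 18)
RECORDS = [
    DomainRecord("maskrisks.com", "Namecheap", D, frozenset({EDGE_A, EDGE_B})),
    DomainRecord("update.maskrisks.com", "Namecheap", D, frozenset({EDGE_A})),
    DomainRecord("checkupdate.maskrisks.com", "Namecheap", D, frozenset({EDGE_B})),
    DomainRecord("mail.maskrisks.com", "Namecheap", D, frozenset({EDGE_A})),
    # Same registrar/date and same edge IP, but otherwise unrelated: should
    # surface as a weak candidate, not be merged automatically.
    DomainRecord("suspect-lookalike.net", "Namecheap", D, frozenset({EDGE_A})),
    # Two invented tenants on one dedicated (non-CDN) address: strong link.
    DomainRecord("unrelated-example.org", "OtherRegistrar", date(2021, 6, 1),
                 frozenset({"198.51.100.7"})),
    DomainRecord("second-tenant.org", "OtherRegistrar", date(2022, 1, 1),
                 frozenset({"198.51.100.7"})),
]


def demo():
    return pivot(RECORDS, SHARED_EDGES)


if __name__ == "__main__":
    clusters, weak = demo()
    for c in clusters:
        print("cluster:", c)
    for a, b, why in weak:
        print("weak:", a, "<->", b, why)
```

The four maskrisks[.]com names merge on their shared registrable domain; the look-alike that only shares Namecheap, the creation date and a Cloudflare edge address is reported as a weak link for an analyst to review, while two domains sitting on the same dedicated address are merged.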
Identifying Cobalt Strike C2 Server IP Addresses
Let’s search for assets related to the Cobalt Strike in Criminal IP’s Asset Search.
Query: tag: “Cobalt Strike”

As emphasized earlier, although Cobalt Strike is a legitimate tool, it remains a threat because attackers continue to abuse it to evade detection. Furthermore, as seen in the TAG-112 case, when a Cobalt Strike payload delivered as malware connects back to an attacker-controlled C2 server, it gives the attacker remote control of the victim machine. Criminal IP makes it simple to find servers tagged as Cobalt Strike C2. By linking its API to firewalls or other security tools, you can automate blocking those C2 IP addresses.
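The last step, turning tagged search results into firewall rules, as an added example that is not Criminal IP’s API or response schema: the `RESULTS` list is a constructed stand-in for a decoded JSON response, and the field names `ip` and `tags` are assumptions. It applies the checks a practitioner wants before anything is blocked automatically: parse the address (including defanged forms), require the tag, drop non-routable and IPv6 addresses, drop shared CDN edge addresses, and de-duplicate, then renders an nftables set and drop rule.

```python
"""Turn C2-tagged asset search results into nftables block rules.

Added example, not Criminal IP's API or response schema. RESULTS is a
constructed stand-in for a decoded JSON response; the field names (ip, tags)
are assumptions. Blocking a Cloudflare edge address would cut off every site
behind it, not just the attacker's, so shared CDN ranges are refused.
"""
import ipaddress

# Subset snapshot of Cloudflare's published IPv4 ranges; pull the current
# list from Cloudflare in production instead of hard-coding it.
CDN_EDGE_NETS = [ipaddress.ip_network(n) for n in
                 ("104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# RFC 1918, loopback, link-local and "this network". The sample data uses
# RFC 5737 documentation addresses as stand-ins for real C2 IPs, which is
# why the stricter ipaddress.is_global test is not used here.
NON_ROUTABLE_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

RESULTS = [  # constructed; not real search output
    {"ip": "203[.]0[.]113[.]10", "tags": ["Cobalt Strike"]},   # defanged
    {"ip": "198.51.100.22", "tags": ["Cobalt Strike", "C2"]},
    {"ip": "203.0.113.10", "tags": ["Cobalt Strike"]},         # duplicate
    {"ip": "104.16.1.1", "tags": ["Cobalt Strike"]},           # CDN edge
    {"ip": "10.0.0.5", "tags": ["Cobalt Strike"]},             # private
    {"ip": "2001:db8::1", "tags": ["Cobalt Strike"]},          # IPv6
    {"ip": "not-an-ip", "tags": ["Cobalt Strike"]},
    {"ip": "192.0.2.77", "tags": ["phishing"]},                # wrong tag
]


def select_block_ips(results, required_tag="Cobalt Strike"):
    """Return (accepted IPv4 addresses in first-seen order, skipped list)."""
    accepted, skipped, seen = [], [], set()
    for r in results:
        raw = str(r.get("ip", "")).replace("[.]", ".").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append((raw, "unparseable"))
            continue
        if required_tag not in r.get("tags", []):
            skipped.append((raw, "missing tag"))
        elif ip.version != 4:
            skipped.append((raw, "ipv6 (needs an ip6 set)"))
        elif any(ip in n for n in NON_ROUTABLE_NETS):
            skipped.append((raw, "non-routable"))
        elif any(ip in n for n in CDN_EDGE_NETS):
            skipped.append((raw, "shared CDN edge"))
        elif ip in seen:
            skipped.append((raw, "duplicate"))
        else:
            seen.add(ip)
            accepted.append(ip)
    return accepted, skipped


def nft_ruleset(ips, set_name="c2_block"):
    """Render an nftables ruleset that drops outbound traffic to the set.

    An empty 'elements = { }' is a syntax error in nft, so the set is
    declared without elements when there is nothing to block.
    """
    elements = ", ".join(str(ip) for ip in ips)
    set_body = f"type ipv4_addr; elements = {{ {elements} }}" if elements \
        else "type ipv4_addr;"
    return (
        "table inet filter {\n"
        f"  set {set_name} {{ {set_body} }}\n"
        "  chain output {\n"
        "    type filter hook output priority 0; policy accept;\n"
        f"    ip daddr @{set_name} counter drop\n"
        "  }\n"
        "}\n"
    )


def demo():
    accepted, skipped = select_block_ips(RESULTS)
    return accepted, skipped, nft_ruleset(accepted)


if __name__ == "__main__":
    accepted, skipped, ruleset = demo()
    print(ruleset)
    for raw, why in skipped:
        print(f"skipped {raw}: {why}")
```

Every rejected entry is returned with a reason so the automation stays auditable; on a gateway you would add the same `ip daddr` rule to a forward-hook chain, and a second `ip6_addr` set for IPv6 indicators.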
Frequently Asked Questions (FAQs)
Q1. What is Cobalt Strike?
Cobalt Strike itself is a commercial penetration testing tool, but it has been widely abused by ransomware groups and other threat actors, causing damage on a national scale. As such, it is commonly categorized as a major threat in intrusion and phishing operations. When misused, attackers typically distribute Cobalt Strike payloads via botnets or other loaders and then proceed to ransomware deployment or further compromise of the infected PC.
Q2. What is TAG-112?
TAG-112, a Chinese state-sponsored hacker group, recently gained attention for its attack on Tibetan websites. This newly identified group shares several operational and structural similarities with TAG-102 (Evasive Panda), suggesting a continued, likely government-backed, interest in surveilling Tibet and other ethnic minorities. While TAG-102 employs custom malware and code obfuscation, TAG-112 relies on commercially available tools such as Cobalt Strike, implying that it may be a less experienced subgroup of Evasive Panda.
You can find details about TAG-112 in Criminal IP using the search feature on the Hacking group (Actors) page. (Available with Pro Plan and above) The following is a summary card for TAG-112. Clicking on it will take you to an in-depth report where you can view IOC, TTP, IOA, and CVE information related to TAG-112.
- IOC (Indicator of Compromise): An indicator or trace indicating malicious activity.
- TTP (Tactics, Techniques, and Procedures): Strategies, methods, and procedures used in cyber attacks.
- IOA (Indicator of Attack): An indicator that an attack is in progress.
- CVE (Common Vulnerabilities and Exposures): A unique identifier for known security vulnerabilities.

Q3. What security measures can I take to protect my website from Cobalt Strike attacks?
To prevent attacks that combine widely adopted tools like Cobalt Strike with website vulnerabilities, managing your organization’s ‘attack surface’ is pivotal. The attack surface encompasses every potential entry point an attacker could use to gain access to a system, including exposed digital assets. ‘Attack Surface Management (ASM)’ is the practice of identifying and securing these entry points to reduce risk.
Given this understanding, adopting an attack surface management solution is a practical and cost-effective strategy, especially for teams with limited resources. According to IBM’s 2024 Cost of a Data Breach Report, organizations that integrated ASM solutions into their workflows saved an average of $2.2 million per breach compared to those that did not, while organizations short on security staff incurred an additional average cost of $1.76 million per breach. Together, these figures suggest that attack surface management not only fills security gaps but is also a worthwhile investment. Criminal IP’s Attack Surface Management (ASM) solution combines AI and machine learning to automate the analysis and monitoring of an organization’s attack surface.
Q4. When an IP address is concealed by services such as Cloudflare, how can I figure it out?

After querying a suspicious IP address in Criminal IP’s Asset Search, you can view the Real IP information under the Intelligence section in the report summary. If the IP address is used to conceal an origin server, this field is marked ‘True,’ and hovering over it reveals the list of addresses identified as the real IPs.
Summary
TAG-112 is a Chinese-backed hacker group that has used a combination of tactics in recent attacks:
- Abuse of Cobalt Strike, a legitimate penetration testing tool
- Concealment of IP addresses via Cloudflare
- Exploitation of CMS (content management systems) vulnerabilities
- Fake TLS certificate error prompts that trick users into downloading malware (social engineering)
An analysis of the domains used in the TAG-112 attack highlights the need for a more proactive approach to website security, emphasizing attack surface management and the integration of threat intelligence.
Relatedly, you can refer to the article ‘Chilean Army Documents Leak: Exploiting Cobalt Strike With Rhysida Ransomware’.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP (https://www.criminalip.io/)