China-linked TA413 group targets Tibetan entities with new backdoor

China-linked cyberespionage group TA413 exploits employ a never-before-undetected backdoor called LOWZERO in attacks aimed at Tibetan entities.

A China-linked cyberespionage group, tracked as TA413 (aka LuckyCat), is exploiting recently disclosed flaws in Sophos Firewall (CVE-2022-1040) and Microsoft Office (CVE-2022-30190) to deploy a never-before-detected backdoor called LOWZERO in attacks aimed at Tibetan entities.

The TA413 APT group is known to be focused on Tibetan organizations across the world, in past attacks threat actors used a malicious Firefox add-on, dubbed FriarFox, to steal Gmail and Firefox browser data and deliver malware on infected systems.

In June, the TA413 group has been observed exploiting the Follina zero-day flaw (tracked as CVE-2022-30190 and rated CVSS score 7.8) in Microsoft Office in attacks in the wild.

“Over the first half of 2022, we have observed TA413 exploit a now-patched zero-day vulnerability targeting the Sophos Firewall product (CVE-2022-1040), weaponize the “Follina” (CVE-2022-30190) vulnerability shortly after discovery and publication, and employ a newly observed custom backdoor we track as LOWZERO in campaigns targeting Tibetan entities.” reads a report published by Recorded Future. “This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group’s continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies.” TA413 has been targeting Tibetans entities since at least 2020, the group employs multiple malware, including ExileRAT, Sepulcher, and a custom malicious Mozilla Firefox browser extension tracked as FriarFox.

The attackers use Royal Road RTF builder to create weaponized documents that exploits the above flaws to deliver LOWZERO malware.

Experts noticed that the threat actors have regularly reused phishing email sender addresses for up to several years (such as tseringkanyaq@yahoo[.]com and mediabureauin@gmail[.]com), a circumstance that allowed the researchers to connection multiple campaign to the group’s activity. 

In May 2022, the experts uncovered a spear-phishing campaign targeting a Tibetan organization containing a link to a Royal Road sample hosted on the Google Firebase service. The RTF document was crafted to exploit the Follina vulnerability to execute a PowerShell command and download the backdoor from a remote server.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

The LOWZERO backdoor has a modular structure, it downloads specific modules from the C2 if the compromised machine is of interest to the threat actor.

“The group continues to incorporate new capabilities while also relying on tried-and-tested TTPs. ” concludes the report. “More widely, TA413’s adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]