Recorded Future
The world’s largest threat intelligence company

Sep 22, 2022, 9 tweets

Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf

#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9

Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to a .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9

The 2nd email links to a .RAR archive file containing both the malicious .docx attachment and a decoy .png image file, to ultimately execute a Base64-encoded PowerShell command for a follow-on payload from http://65.20.75[.]158/0524x86110.exe. The decoded #PowerShell command: 4/9

The downloaded file 0524x86110.exe is UPX-packed and has the SHA256 file hash 5217c2a1802b0b0fe5592f9437cdfd21f87da1b6ebdc917679ed084e40096bfd. The unpacked UPX file also loads LOWZERO. The LOWZERO execution chain contains multiple layers/stages: 5/9

LOWZERO’s configuration information is passed, likely compressed with the Lempel-Ziv-Free (LZF) algorithm as used for the Stage 2 DLL, as a buffer to Stage 3’s exported function F. The contents of the configuration information buffer after decryption and decompression, with the campaign ID used as mutex: 6/9

The C2 information is still obfuscated. Decoding Base64 with a custom alphabet string allows us to extract the values in this sample: LOWZERO mimics a TLS version 1.1 connection over non-standard TLS port (TCP 110) and does not adhere to protocol standard. 7/9
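Two of the analysis steps in this tweet generalise into reusable defender tooling: undoing a Base64 encoding that uses a non-standard alphabet, and flagging a TLS handshake record sent to a port where TLS is not expected (here TCP 110). The block below is an added example written for this page, not Recorded Future's or LOWZERO's code; the alphabet and the packet bytes are constructed for the demonstration and are not the values recovered from the sample.

```python
import base64

STANDARD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

# Constructed demo alphabet (a permutation of the standard one);
# NOT the alphabet used by LOWZERO, which the thread does not publish.
DEMO_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"
)


def encode_custom_b64(data: bytes, alphabet: str) -> str:
    """Encode with a custom alphabet by re-mapping a standard encoding."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def decode_custom_b64(text: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode.

    Padding is normalised so that configs stored without '=' (common in
    malware strings) still decode; validate=True rejects stray bytes
    instead of silently skipping them.
    """
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    std = text.rstrip("=").translate(table)
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")


def tls_handshake_on_unexpected_port(payload: bytes, dst_port: int,
                                     expected_ports=(443,)) -> bool:
    """Return True if payload starts a TLS handshake record destined for a
    port outside expected_ports.

    TLS record header: content type (0x16 = handshake), 2-byte version
    (0x0301..0x0304 for TLS 1.0..1.3), 2-byte length.  A record version
    of 0x0302 is what a TLS 1.1 mimic would present.
    """
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 0x03 or not 1 <= minor <= 4:
        return False
    return dst_port not in expected_ports


# Constructed sample data for the demo.
SAMPLE_CONFIG = b"c2=203.0.113.10:110;campaign=demo-0001"
SAMPLE_ENCODED = encode_custom_b64(SAMPLE_CONFIG, DEMO_ALPHABET)

# Constructed 5-byte TLS 1.1 record header followed by a 5-byte body.
SAMPLE_TLS11_RECORD = b"\x16\x03\x02\x00\x05" + b"\x01\x00\x00\x01\x00"
SAMPLE_POP3_BANNER = b"+OK POP3 server ready\r\n"


if __name__ == "__main__":
    print("encoded :", SAMPLE_ENCODED)
    print("decoded :", decode_custom_b64(SAMPLE_ENCODED, DEMO_ALPHABET))
    print("TLS on 110 :", tls_handshake_on_unexpected_port(SAMPLE_TLS11_RECORD, 110))
    print("POP3 on 110:", tls_handshake_on_unexpected_port(SAMPLE_POP3_BANNER, 110))
```

The header check is a heuristic for hunting, not a parser: it only looks at the five-byte record header, so it will also fire on legitimate TLS services deliberately run on odd ports, which is why the expected-port list is a parameter rather than a constant.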

After the TLS handshake, random bytes are XORed to derive an AES C2 encryption/decryption key; the username, Campaign ID, Process name and Process ID, IP address, and Hostname are then sent to the C2 in layers of encryption, which can be decrypted by reversing these operations: 8/9

TA413 continues to add new capabilities while relying on their proven TTPs, i.e. using the open-source proxy tool Stowaway and open-source internal network scanning tool fscan. Find out more about the TTPs, targets, and how to mitigate: 9/9 bit.ly/3BEHXaj
