Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9
The 2nd email links to a .RAR archive file containing both the malicious .docx attachment and a decoy .png image file, to ultimately execute a Base64-encoded PowerShell command for a follow-on payload from http://65.20.75[.]158/0524x86110.exe. The decoded #PowerShell command: 4/9
The downloaded file 0524x86110.exe is UPX-packed and has the SHA256 file hash 5217c2a1802b0b0fe5592f9437cdfd21f87da1b6ebdc917679ed084e40096bfd. The unpacked UPX file also loads LOWZERO. The LOWZERO execution chain contains multiple layers/stages: 5/9
LOWZERO’s configuration information is passed as a buffer to Stage 3’s exported function F, likely compressed with the Lempel-Ziv-Free (LZF) algorithm as used for the Stage 2 DLL. The contents of the configuration information buffer after decryption and decompression, with the campaign ID used as mutex: 6/9
The C2 information is still obfuscated. Decoding Base64 with a custom alphabet string allows us to extract the values in this sample: LOWZERO mimics a TLS version 1.1 connection over a non-standard TLS port (TCP 110) and does not adhere to the protocol standard. 7/9
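The custom-alphabet Base64 decoding mentioned above, as an added analyst helper that is not part of the original thread: it maps a sample's alphabet onto the standard one, restores any omitted padding, and decodes. The alphabet and the config string used here are constructed for illustration; a real sample's alphabet is recovered from the binary.

```python
import base64
import string

# Standard Base64 alphabet (RFC 4648).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed example alphabet: a reversed copy of the standard one. This is an
# assumption for illustration; it is not the alphabet used by any real sample.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def decode_custom_b64(data: str, alphabet: str) -> bytes:
    """Decode Base64 text produced with a non-standard 64-character alphabet.

    The custom alphabet is translated position-for-position onto the standard
    one, padding is normalised, and the result goes to the standard decoder.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    table = str.maketrans(alphabet, STD_ALPHABET)
    # Custom encoders frequently omit '=' padding; strip whatever is there and re-pad.
    stripped = data.rstrip("=")
    if any(ch not in alphabet for ch in stripped):
        raise ValueError("input contains characters outside the custom alphabet")
    translated = stripped.translate(table)
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def encode_custom_b64(raw: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_b64; used to build test input and verify round trips."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(table)


if __name__ == "__main__":
    # Constructed sample: a host:port string as it might sit inside a decrypted config.
    sample = encode_custom_b64(b"45.77.19.75:110", CUSTOM_ALPHABET)
    print(sample, "->", decode_custom_b64(sample, CUSTOM_ALPHABET))
```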
After the TLS handshake, random bytes are XORed to derive an AES C2 encryption/decryption key; the username, Campaign ID, process name and process ID, IP address, and hostname are then sent to the C2 in layers of encryption, which can be decrypted by reversing these operations: 8/9
TA413 continues to add new capabilities while relying on its proven TTPs, including the open-source proxy tool Stowaway and the open-source internal network scanning tool fscan. Find out more about the TTPs, targets, and how to mitigate: 9/9 bit.ly/3BEHXaj
In H1 2024, threat actors refined their tactics and introduced new techniques to evade detection and disrupt defenses. Zero-day exploits & sophisticated malware dominated the landscape. Here's what we observed 👇
Newly disclosed vulnerabilities in Ivanti, PAN-OS, and Windows SmartScreen were heavily exploited, even after patches were released. The availability of proof-of-concept (PoC) exploit code fueled persistent targeting.
Infostealers like LummaC2 led the malware landscape, while ransomware strains such as Fog & RansomHub introduced passwords to validate payload execution, hindering detection.
In peace and war, China’s #cyber activities alter its targets’ actions with threats to punish unwanted behaviors and apply pressure to coerce. Insikt Group® analyzes the 2 elements of #weishe theory in its application against Taiwan and more. 1/5 Read: bit.ly/3VjLQd1
In weishe, coercion comprises two distinct theories of action to change the behavior of a target: #Deterrence and #Compellence. Deterrence uses the threat of punishment to prevent undesirable actions, and compellence wields punishment to motivate desirable behavior. 2/5
An instance of cyber coercion might be the #defacement attack on public TV screens in #Taiwan in response to the Taiwan visit of the US Speaker of the House of Representatives Nancy Pelosi in August 2022. 3/5
Discover multinational #InfluenceOperations at work. See how #Iran and #Venezuela can use state-sponsored media outlets, social media influencers, proxies, surrogates, and political activists in the #AlexSaab influence campaign. Read full report: bit.ly/3EPYPhv 1/8
Insikt Group® identifies four phases of a multiyear influence campaign centered around indicted Alex Saab, the alleged financier and special agent to Iran for the Nicolás #Maduro regime. The Alex Saab timeline shows significant events from indictment to postponed trial. 2/8
Saab, an alleged conduit of Hezbollah operations extending into Latin America, is a Colombian and Venezuelan businessman wanted by Colombian law enforcement since 2018. Maduro appointed him a special envoy to Iran after a corruption designation (by OFAC). 3/8
The #Russophobia theme emerged in a #RussiaTimes interview with #DmitryBabich and in June 2022 with FSB-directed #Southfront. This appeal to ethnic Russians could drive tension between them and the US govt, possibly motivating a hack-and-leak or hack-and-fake #OctoberSurprise. 2/7
Russian state-controlled media are diversifying existing infrastructure through registration of alternative website domains – website “mirrors” – and are increasingly using country code Top Level Domains within existing infrastructure. Chart shows mirror mentions for #Sputnik 3/7