Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited the zero-days #Follina and CVE-2022-1040 and deployed the new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in the Tibetan language, pose as applications for compensation, contest... This one, sent from tibet[.]bet, was weaponized with #RoyalRoad (SHA256 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8), drops #LOWZERO and contacts the hardcoded C2 45.77.19[.]75. 2/9
Sent from the same domain, this lure contains #phishing email links to tibet-gov.web[.]app, posing as the Tibetan government-in-exile. It was sent in 2 waves: the 1st email links to a .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9
The 2nd email links to a .RAR archive containing both the malicious .docx attachment and a decoy .png image file, ultimately executing a Base64-encoded PowerShell command that fetches a follow-on payload from http://65.20.75[.]158/0524x86110.exe. The decoded #PowerShell command: 4/9
The downloaded file 0524x86110.exe is UPX-packed and has the SHA256 file hash 5217c2a1802b0b0fe5592f9437cdfd21f87da1b6ebdc917679ed084e40096bfd. The unpacked UPX file also loads LOWZERO. The LOWZERO execution chain contains multiple layers/stages: 5/9
LOWZERO's configuration information is passed as a buffer to Stage 3's exported function F, compressed most likely with the Lempel-Ziv-Free (LZF) algorithm also used for the Stage 2 DLL. The contents of the configuration buffer after decryption and decompression, with the campaign ID used as the mutex: 6/9
The C2 information is still obfuscated. Decoding Base64 with a custom alphabet string allows us to extract the values in this sample: LOWZERO mimics a TLS version 1.1 connection over a non-standard TLS port (TCP 110) and does not adhere to the protocol standard. 7/9
After the TLS handshake, random bytes are XORed to derive an AES C2 encryption/decryption key; the implant then sends the username, Campaign ID, process name and process ID, IP address, and hostname to the C2 in layers of encryption, which can be decrypted by reversing these operations: 8/9
TA413 continues to add new capabilities while relying on their proven TTPs, such as using the open-source proxy tool Stowaway and the open-source internal network scanning tool fscan. Find out more about the TTPs, targets, and how to mitigate: 9/9 bit.ly/3BEHXaj
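Two helpers for the analysis steps in tweets 7 and 8, added here as example code rather than anything from Recorded Future or the LOWZERO sample: a custom-alphabet Base64 decoder of the kind used to recover the obfuscated C2 values, and a heuristic that flags a TLS handshake record on a port where TLS is not expected (such as TCP 110). The alphabet `EXAMPLE_ALPHABET` is a constructed placeholder, not LOWZERO's real alphabet, which has to be pulled from the sample.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed placeholder alphabet (a rotation of the standard one). The real
# LOWZERO alphabet is not in the thread and must be recovered from the sample.
EXAMPLE_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# Ports where a TLS handshake record is normal and should not be flagged.
EXPECTED_TLS_PORTS = {443, 465, 636, 993, 995, 8443}


def decode_custom_b64(encoded: str, alphabet: str) -> bytes:
    """Map a custom-alphabet Base64 string onto the standard alphabet, then decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    body = encoded.rstrip("=")
    # A character outside the alphabet means the wrong alphabet was guessed.
    if any(ch not in alphabet for ch in body):
        raise ValueError("input contains characters outside the supplied alphabet")
    translated = body.translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)  # restore padding
    return base64.b64decode(translated, validate=True)


def encode_custom_b64(raw: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_b64; used here only to build constructed samples."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def tls_handshake_on_odd_port(dst_port: int, payload: bytes):
    """Return the (major, minor) record version if the first bytes of a TCP
    payload look like a TLS handshake record (content type 0x16) heading to a
    port not in EXPECTED_TLS_PORTS; otherwise None. LOWZERO's traffic would
    show as (3, 2), i.e. TLS 1.1, on TCP 110."""
    if len(payload) < 5 or dst_port in EXPECTED_TLS_PORTS:
        return None
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 3:
        return None
    return (major, minor)
```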