An advanced persistent threat actor (APTA) with ties to China identified as TA413 used recently discovered security holes in Microsoft Office and Sophos Firewall to launch a never-before-seen backdoor named LOWZERO as part of an espionage campaign against Tibetan groups.

Organizations connected to the Tibetan community, notably businesses connected to the exiled government of Tibet, were the main targets.

The attacks used the remote code execution flaws CVE-2022-1040 and CVE-2022-30190 (also known as “Follina”) in Sophos Firewall and Microsoft Office, respectively.

In a recent technical analysis, Recorded Future noted that the group’s continued use of well-known and reported capabilities, such as the Royal Road RTF weaponizer, and frequently careless infrastructure procurement tendencies contrast with their willingness to quickly incorporate new techniques and methods of initial access.

Since at least 2020, TA413—also known as LuckyCat and linked to ruthlessly attacking Tibetan-affiliated groups and people using malware including ExileRAT, Sepulcher, and the nefarious Mozilla Firefox browser extension FriarFox.

Although the eventual objective of the infection chains remained unknown, Proofpoint earlier revealed the group’s use of the Follina weakness in June 2022.

Additionally, a malicious RTF document that took the use of holes in Microsoft Equation Editor to drop the customized LOWZERO implant was used in a spear-phishing campaign discovered in May 2022 and accomplished using a Royal Road RTF weaponizer tool, which Chinese threat actors frequently use.

The backdoor

A Microsoft Word attachment housed on the Google Firebase service attempted to exploit the Follina vulnerability in a later-May phishing email sent to a Tibetan target in order to run a PowerShell command intended to download the backdoor from a remote server.

The backdoor, LOWZERO, has the ability to receive more modules from its command-and-control (C2) server, but only if the threat actor considers the compromised machine to be of interest.

The cybersecurity company stated that “the group continues to incorporate new capabilities while still relying on tried-and-true [tactics, strategies, and processes].”

“TA413’s usage of both zero-day and recently released vulnerabilities is typical of larger trends with Chinese cyber-espionage groups, whereby exploits frequently arise in use by many distinct Chinese activity groups before they are widely available to the public.”