Recorded Future analyzes TA413, a Chinese state-sponsored group, detailing campaigns against the Tibetan community and the adoption of new capabilities, including the LOWZERO backdoor and exploitation of zero-days such as CVE-2022-1040 and Follina. The report also notes infrastructure sharing with Tropic Trooper and continued use of the Royal Road RTF weaponizer in targeted phishing.
#TA413 #LOWZERO #RoyalRoad #TibetanCommunity #SophosFirewall
Key Points
- TA413 is a Chinese state-sponsored group repeatedly targeting the Tibetan community for surveillance and intelligence gathering.
- The group exploited a Sophos Firewall zero-day (CVE-2022-1040) and weaponized the Follina vulnerability (CVE-2022-30190) in campaigns during 2022.
- TA413 dropped a new custom backdoor named LOWZERO, marking a shift toward bespoke tooling.
- Royal Road RTF weaponizer continues to be used for targeted phishing, alongside other shared capabilities across Chinese actor clusters.
- The campaigns show infrastructure and malware ties to Tropic Trooper activity, suggesting overlap or shared pipelines.
- TA413’s operations include multi-stage payload delivery, custom C2 protocols, and host reconnaissance that is reported back to the operators so that follow-on infections can be tailored to the victim.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – TA413 exploited a Sophos Firewall zero-day (CVE-2022-1040) to gain initial access. Quote: ‘Exploitation of Sophos Firewall Zero-Day… tracked as CVE-2022-1040.’
- [T1566.001] Spearphishing Attachment – TA413 used targeted phishing with the Royal Road RTF weaponizer in campaigns against Tibetan entities. Quote: ‘Continued use of variants of the shared Royal Road RTF weaponizer tool in targeted phishing attempts.’
- [T1059.001] PowerShell – A Base64-encoded PowerShell command was used to download a follow-on payload after Follina exploitation. Quote: ‘download a follow-on payload from http://65.20.75[.]158/0524×86110.exe.’
- [T1105] Ingress Tool Transfer – The group downloaded follow-on payloads from remote servers during infection chains. Quote: ‘download a follow-on payload from http://65.20.75[.]158/0524×86110.exe.’
- [T1055] Process Injection – LOWZERO’s loader injects stage DLLs into rundll32.exe to execute, indicating process injection in the infection chain. Quote: ‘Launches rundll32.exe in a suspended state and injects the Stage 3 DLL into it.’
- [T1027] Obfuscated Files or Information – LOWZERO’s configuration data is both encrypted and compressed, requiring multi-step decryption and decompression before use. Quote: ‘The configuration data is both encrypted and compressed. The decompression algorithm is likely LZF (Lempel-Ziv-Free).’
- [T1071.001] Web Protocols – C2 communications are conducted over a TLS-like channel on a non-standard port, so the traffic blends in with ordinary TLS. Quote: ‘LOWZERO mimics a TLS version 1.1 connection over a non-standard TLS port (TCP 110).’
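The TLS-mimicry behaviour above gives defenders a concrete hunting signal: TCP/110 is the plaintext POP3 port, where the server speaks first and clients send text commands, so a client whose very first bytes are a TLS record header is anomalous. The following detection sketch is an added example, not code from the report or from Recorded Future; the flow records, IP addresses and byte strings are constructed sample data.

```python
import struct
from dataclasses import dataclass

# TLS record header: content type, protocol version (major, minor), length.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}          # CCS, alert, handshake, app data
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}  # 1.3 also uses 3.3 here
MAX_RECORD_LEN = 16384 + 2048                          # RFC 5246 ciphertext length bound
POP3_CLIENT_COMMANDS = {b"USER", b"PASS", b"CAPA", b"STLS", b"QUIT", b"AUTH", b"NOOP"}
WATCH_PORT = 110                                       # port the report associates with LOWZERO C2

@dataclass
class Flow:
    src: str
    dport: int
    first_client_bytes: bytes   # first payload the client sent (constructed samples below)

def tls_version_of(payload: bytes):
    """Return a version label if payload starts with a plausible TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES or (major, minor) not in TLS_VERSIONS:
        return None
    if length == 0 or length > MAX_RECORD_LEN:
        return None
    return TLS_VERSIONS[(major, minor)]

def classify_flow(flow: Flow) -> str:
    """Label one flow. Only client-first bytes on tcp/110 are inspected: a real
    POP3 client waits for the '+OK' greeting and then sends a text command, and a
    STLS upgrade only happens after that plaintext exchange, so a TLS record as
    the client's opening bytes never occurs in legitimate POP3."""
    if flow.dport != WATCH_PORT:
        return "ignore"
    if flow.first_client_bytes[:4].upper() in POP3_CLIENT_COMMANDS:
        return "pop3"
    version = tls_version_of(flow.first_client_bytes)
    if version:
        return f"alert: {version} record on tcp/{WATCH_PORT} from {flow.src}"
    return "unknown"

# Constructed sample traffic (not captured data): a TLS 1.1 handshake-shaped
# record, a normal POP3 CAPA command, binary junk, and real TLS on tcp/443.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 110, b"\x16\x03\x02\x00\x2b\x01\x00\x00\x27\x03\x02" + b"\x00" * 0x24),
    Flow("10.0.0.6", 110, b"CAPA\r\n"),
    Flow("10.0.0.7", 110, b"\x00\xff\x13\x37garbage"),
    Flow("10.0.0.8", 443, b"\x16\x03\x03\x00\x2b"),
]
ALERTS = [c for c in map(classify_flow, SAMPLE_FLOWS) if c.startswith("alert")]
```

The same header check can be run against any flow summary that records the first client payload (Zeek conn/pop3 logs, pcap first packets); tuning the port list to other non-TLS services the environment uses extends it beyond this one case.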
Indicators of Compromise
- [IP Address] – External C2 and post-exploitation infrastructure: 192.46.213.63, 134.122.129.102, 45.77.19.75, 65.20.75.158, 118.99.13.68
- [Domain] – TA413-related domains used for hosting and spoofing: tibetnews.today, tibetyouthcongress.com, t1bet.net, tibetbet.net
- [SHA256] – Known malware/file hashes: 5217c2a1802b0b0fe5592f9437cdfd21f87da1b6ebdc917679ed084e40096bfd, 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8
- [URL] – Malicious or hosting URLs used in campaigns: http://65.20.75[.]158/poc.html, http://65.20.75[.]158/0524×86110.exe
- [File] – Dropped/loaded filenames: dcnx18pwh.wmf
- [Email] – Sender/credential-related identifiers: tseringkanyaq@yahoo[.]com, mediabureauin@gmail[.]com
- [Domain] – Additional Tibet-themed domains observed: newsindian[.]xyz, tibetyouthcongress[.]com, tibetnews[.]today, t1bet[.]net