China-linked TA413 group targets Tibetan entities with new backdoor


A China-linked cyberespionage group, tracked as TA413 (aka LuckyCat), is exploiting recently disclosed flaws in Sophos Firewall (CVE-2022-1040) and Microsoft Office (CVE-2022-30190) to deploy a never-before-detected backdoor called LOWZERO in attacks aimed at Tibetan entities.

The TA413 APT group is known to focus on Tibetan organizations across the world. In past attacks the threat actors used a malicious Firefox add-on, dubbed FriarFox, to steal Gmail and Firefox browser data and deliver malware to infected systems.

The LOWZERO backdoor is capable of retrieving further modules from its command-and-control (C2) server, but only if the compromised machine is deemed to be of interest to the threat actor.

“This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group’s continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies,” Recorded Future said in a new technical analysis.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

“TA413’s adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability.”

IOCS



Published September 27th, 2022

About the author: FirstHackersNews
