Lowzero

Malware updated 6 months ago (2024-05-04T22:18:28.646Z)
Lowzero is a custom backdoor introduced by TA413, a departure from the group's usual practice of relying on well-known or open-source tooling. During the first half of 2022, TA413 exploited a now-patched zero-day in the Sophos Firewall product (CVE-2022-1040), weaponized the "Follina" vulnerability (CVE-2022-30190) shortly after its disclosure, and deployed Lowzero in campaigns targeting Tibetan entities.

Delivery goes through a Royal Road document: the dropped file dcnx18pwh.wmf is XOR-encoded with the key B2 A6 6D FF, a key associated with a known Royal Road variant. The decoded payload ultimately loads Lowzero, which communicates with a hardcoded C2 IP address over TCP port 110. Configuration is handed to the third stage as a buffer passed to its exported function F; that buffer is both encrypted and compressed. The C2 handshake resembles TLS, but unlike real TLS it does not use public-key encryption to transfer the symmetric key. Once the handshake completes and the AES key has been derived, Lowzero sends basic system and user information to the C2. It can receive one or more commands at a time and executes them sequentially; received data is encoded and encrypted with a custom scheme specific to Lowzero. Analysis of the malware is ongoing, but its introduction marks a notable shift in TA413's tradecraft.
Description last updated: 2024-05-04T21:19:22.151Z
Possible Aliases / Cluster overlaps
Cluster boundaries and naming conventions differ between vendors, so the following overlapping names or profiles may also be relevant.

TA413 (2 votes): TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So