Lowzero is a custom backdoor malware introduced by TA413, a deviation from the group's usual practice of using well-known or open-source tools. Throughout the first half of 2022, TA413 exploited various vulnerabilities, including a patched zero-day vulnerability in the Sophos Firewall product (CVE-2022-1040), weaponized the "Follina" vulnerability (CVE-2022-30190) shortly after its discovery, and used Lowzero in campaigns targeting Tibetan entities. The malware operates by dropping a file named dcnx18pwh.wmf, encoded with the XOR key B2 A6 6D FF that is associated with a known Royal Road variant. The decoded payload ultimately loads Lowzero, which communicates with a hardcoded C2 IP address over TCP port 110.
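As an added triage example (not code from the original description or from TA413's tooling), the following Python applies the 4-byte rolling XOR key quoted above to a dropped file and checks whether the result looks like a Windows PE image; the sample input is a constructed minimal PE header, and the optional command-line path handling is an assumption.

```python
# Added triage helper: decode a Royal Road-style dropped file with the
# 4-byte rolling XOR key named in the description and check for a PE image.
import struct
import sys

ROYAL_ROAD_XOR_KEY = bytes.fromhex("B2A66DFF")  # key quoted in the description

def xor_decode(data: bytes, key: bytes = ROYAL_ROAD_XOR_KEY) -> bytes:
    """XOR every byte with the repeating 4-byte key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(blob: bytes) -> dict:
    """Report whether the blob is a PE as-is, or only after XOR decoding with the key."""
    decoded = xor_decode(blob)
    return {
        "plain_pe": looks_like_pe(blob),
        "decoded_pe": looks_like_pe(decoded),
        "decoded": decoded,
    }

# Constructed sample: a minimal fake PE header (MZ stub, e_lfanew = 0x40, 'PE\0\0'),
# stored XOR-encoded the way the dropper would write dcnx18pwh.wmf.
_FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_ENCODED = xor_decode(_FAKE_PE)  # XOR with the key is also the encoding step

if __name__ == "__main__":
    # Assumption: an optional path to a captured dropped file; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCODED
    result = triage(blob)
    print("plain PE:", result["plain_pe"], "| PE after XOR decode:", result["decoded_pe"])
```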
Unlike most malware, Lowzero does not use public key encryption to securely transfer the symmetric key, departing from the standard protocol. Instead, it passes configuration information as a buffer to Stage 3's exported function F; this data is both encrypted and compressed, adding a further layer of complexity to its operations. After the TLS handshake and derivation of the AES key, Lowzero sends basic system and user information to the C2.
Lowzero can receive one or more commands at a time, which it then executes sequentially. The data received is encoded and encrypted using a custom scheme unique to Lowzero. Further analysis of this new malware is ongoing, but its introduction marks a significant shift in TA413's tactics and presents a new threat to defenders.
Description last updated: 2024-05-04T21:19:22.151Z