2022-09-27

Espionage Efforts from Chinese Threat Actor Targets Tibet

Category: Threat Actor Activity | Industries: Government, Non-profit, Research | Level: Tactical | Source: Recorded Future

Recorded Future's latest research report details espionage campaigns by the Chinese state-linked threat group TA413 against the Tibetan community as well as several European organizations. Tibet is identified as a consistent target "and is almost certainly indicative of one of the group’s primary intelligence assignments." The verticals the group has focused on include government, non-profit, and research entities. The group employs a mixture of custom tools and zero-days in its campaigns. Its attacks have involved exploiting a Sophos firewall vulnerability, the Windows vulnerability Follina (CVE-2022-30190), and malicious RTF files created with the Royal Road RTF builder to exploit vulnerabilities in Microsoft Equation Editor. A notable piece of malware the group uses is the LOWZERO backdoor, which fingerprints the victim's workstation to determine whether it is of interest to the threat actor and, if so, executes commands. The web of TA413 operations indicates a siloed operation with more at play: "The group continues to incorporate new capabilities while also relying on tried-and-tested TTPs. In particular, the stark contrast between some of the tooling employed by the group versus infrastructure management practices is likely indicative of separate teams involved in the development of malware and exploits versus those conducting operations."

Anvilogic Scenario:

  • Malicious EXE/DLL Uses Rundll32 for Process Injection

Anvilogic Use Cases:

  • CVE-2022-30190: Microsoft Office Code Execution Vulnerability
  • Invoke-Expression Command
  • Rundll32 Command Line
