Cyber security news for all


    New Cyber Offensive Targets Chinese-Speaking Enterprises with Cobalt Strike Payloads

    Chinese-speaking entities have found themselves in the crosshairs of a meticulously orchestrated cyber offensive, likely deploying phishing emails to compromise Windows platforms with Cobalt Strike payloads.

    “The assailants successfully maneuvered laterally, entrenched their presence, and remained undetected within the systems for over a fortnight,” revealed Securonix analysts Den Iuzvyk and Tim Peck in their recent disclosure.

    This clandestine campaign, codenamed SLOW#TEMPEST and currently not linked to any recognized threat actor, initiates with malicious ZIP archives. Once decompressed, these archives trigger an infection sequence that culminates in the deployment of a post-exploitation toolkit on the compromised infrastructure.

    Accompanying the ZIP package is a Windows shortcut (LNK) file masquerading as a Microsoft Word document, bearing the title “违规远程控制软件人员名单.docx.lnk,” which translates roughly to “List of individuals who breached remote control software regulations.”

    “Considering the language utilized in the bait files, it’s plausible that specific Chinese-linked business or governmental sectors could be the targets, given their employment of personnel adhering to ‘remote control software regulations,’” the researchers noted.

    The LNK file functions as a vector to activate a legitimate Microsoft executable (“LicensingUI.exe”), which employs DLL side-loading to deploy a malicious DLL (“dui70.dll”). Both files are embedded within the ZIP archive under a directory labeled “\其他信息.MACOS.MACOS_MACOSX_MACOS.” This attack represents the inaugural instance of DLL side-loading through LicensingUI.exe.

    The DLL file is a Cobalt Strike implant, enabling persistent and covert access to the compromised system while establishing a connection with a remote server (“123.207.74[.]22”).

    This remote access reportedly permitted the attackers to execute a variety of hands-on activities, including deploying supplementary payloads for reconnaissance and configuring proxied connections.

    The infection sequence is further distinguished by the establishment of a scheduled task designed to intermittently execute a malicious executable named “lld.exe,” capable of running arbitrary shellcode directly within memory, thereby minimizing disk footprints.

    “The attackers further obfuscated their presence in compromised systems by manually elevating the privileges of the built-in Guest user account,” the researchers disclosed.

    “This account, typically disabled and possessing minimal privileges, was transformed into a potent access node by incorporating it into the critical administrative group and assigning it a new password. This backdoor grants them sustained access to the system with minimal detection, as the Guest account is often overlooked in routine monitoring compared to other user accounts.”
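As an added example, not from the article or from Securonix, the following Python hunt flags the three steps of the Guest-account backdoor the researchers describe (account enabled, new password set, membership in Administrators) in Windows Security-log events exported as JSON lines; the field names follow the Security log's EventData names, and the sample records are constructed.

```python
"""Hunt for the Guest-account abuse seen in SLOW#TEMPEST: the built-in Guest
account being enabled, given a new password and added to local Administrators.
Input is one JSON object per line (EventID plus EventData field names as they
appear in the Windows Security log); the sample records are constructed."""
import json

GUEST_RID = "-501"            # well-known relative ID of the built-in Guest account
ADMINS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group

# Security-log event IDs that cover the three steps of the technique
EVENT_MEANING = {
    4722: "enabled",
    4724: "given a new password",
    4732: "added to a security-enabled local group",
}

def is_guest(sid, name):
    """Match Guest by RID (robust to renaming) or, failing that, by name."""
    return (sid or "").endswith(GUEST_RID) or (name or "").lower() == "guest"

def analyze(event):
    """Return a finding string if the event touches the Guest account, else None."""
    eid = event.get("EventID")
    d = event.get("EventData", {})
    if eid not in EVENT_MEANING:
        return None
    if eid == 4732:  # Member* fields name the account, Target* fields name the group
        if d.get("TargetSid") == ADMINS_SID and is_guest(d.get("MemberSid"), d.get("MemberName")):
            return f"Guest added to Administrators by {d.get('SubjectUserName')}"
        return None
    if is_guest(d.get("TargetSid"), d.get("TargetUserName")):
        return f"Guest account {EVENT_MEANING[eid]} by {d.get('SubjectUserName')}"
    return None

def scan(lines):
    """Parse JSON-lines input, skip unparseable lines, collect findings in order."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        hit = analyze(ev)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample records; the domain SIDs are placeholders with real well-known RIDs
SAMPLE_LOG = [
    '{"EventID": 4722, "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "Guest", "TargetSid": "S-1-5-21-1-2-3-501"}}',
    '{"EventID": 4724, "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "Guest", "TargetSid": "S-1-5-21-1-2-3-501"}}',
    '{"EventID": 4732, "EventData": {"SubjectUserName": "jdoe", "MemberName": "-", "MemberSid": "S-1-5-21-1-2-3-501", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}}',
    '{"EventID": 4732, "EventData": {"SubjectUserName": "admin", "MemberName": "-", "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555"}}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Events 4722 and 4724 are only written when the Audit User Account Management subcategory is enabled, and 4732 requires Audit Security Group Management, so confirm the audit policy before relying on this hunt.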

    The unidentified threat actor subsequently moved laterally across the network utilizing Remote Desktop Protocol (RDP) and credentials extracted via the Mimikatz password extraction tool, followed by establishing remote connections back to their command-and-control (C2) server from each compromised machine.

    The post-exploitation phase is further characterized by the execution of several enumeration commands and the employment of the BloodHound tool for Active Directory (AD) reconnaissance, the findings of which were subsequently exfiltrated as a ZIP archive.

    The connections to China are further reinforced by the fact that all the C2 servers are hosted in China by Shenzhen Tencent Computer Systems Company Limited. Additionally, a significant portion of the artifacts linked to this campaign has originated from China.

    “Although no definitive evidence connects this attack to any known Advanced Persistent Threat (APT) groups, it is likely the work of a seasoned adversary with expertise in advanced exploitation frameworks such as Cobalt Strike and a wide array of other post-exploitation tools,” the researchers concluded.

    “The complexity of the campaign is underscored by its methodical approach to initial compromise, persistence, privilege escalation, and lateral movement across the network.”
