Chinese-speaking users are the target of a “highly organized and sophisticated attack” campaign that appears to be using phishing emails to infect Windows systems with Cobalt Strike payloads.
“The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks,” Securonix researchers Den Iuzvyk and Tim Peck said in a new report.
The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, begins with malicious ZIP files that, when unpacked, activate the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems.
Present in the ZIP archive is a Windows shortcut (LNK) file that masquerades as a Microsoft Word document, “违规远程控制软件人员名单.docx.lnk,” which roughly translates to “List of people who violated the remote control software regulations.”
“Given the language used in the lure files, it’s likely that specific Chinese related business or government sectors could be targeted as they would both employ individuals who follow ‘remote control software regulations,’” the researchers pointed out.
The LNK file acts as a conduit to launch a legitimate Microsoft binary (“LicensingUI.exe”) that is abused for DLL side-loading to execute a rogue DLL (“dui70.dll”). Both files are part of the ZIP archive, inside a directory named “其他信息.__MACOS__._MACOS___MACOSX_MACOS_.” The attack marks the first time DLL side-loading via LicensingUI.exe has been reported.
The DLL file is a Cobalt Strike implant that allows for persistent and stealthy access to the infected host, while establishing contact with a remote server (“123.207.74[.]22”).
The remote access is said to have allowed the attackers to conduct a series of hands-on activities, including deploying additional payloads for reconnaissance and setting up proxied connections.
The infection chain is also notable for setting up a scheduled task to periodically execute a malicious executable called “lld.exe” that can run arbitrary shellcode directly in memory, thereby leaving minimal footprints on disk.
“The attackers further enabled themselves to hide in the weeds in compromised systems by manually elevating the privileges of the built-in Guest user account,” the researchers said.
“This account, typically disabled and minimally privileged, was transformed into a powerful access point by adding it to the critical administrative group and assigning it a new password. This backdoor allows them to maintain access to the system with minimal detection, as the Guest account is often not monitored as closely as other user accounts.”
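Two of the behaviours described above (LicensingUI.exe side-loading dui70.dll, and the Guest account being enabled and added to Administrators) lend themselves to simple event-based detection. The following is an added example, not code from the Securonix report; it runs over constructed sample events whose field names are a simplified flattening of Sysmon event 7 (image loaded) and Windows Security events 4722 (account enabled) and 4732 (member added to a local group), and it assumes the legitimate dui70.dll lives under the Windows system directory.

```python
from typing import Dict, Iterable, List

Event = Dict[str, object]

# Assumption: the only legitimate location for dui70.dll is the system directory.
SYSTEM_DIR = "c:\\windows\\system32\\"

# Constructed sample telemetry (not real data): one side-load, one benign load,
# one Guest enable, one Guest-to-Administrators addition, one unrelated change.
SAMPLE_EVENTS: List[Event] = [
    {"id": 7, "Image": "C:\\Users\\u\\Downloads\\extracted\\LicensingUI.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\extracted\\dui70.dll"},
    {"id": 7, "Image": "C:\\Windows\\System32\\LicensingUI.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dui70.dll"},
    {"id": 4722, "TargetUserName": "Guest"},
    {"id": 4732, "MemberName": "Guest", "TargetUserName": "Administrators"},
    {"id": 4732, "MemberName": "svc-backup", "TargetUserName": "Backup Operators"},
]


def is_licensingui_sideload(ev: Event) -> bool:
    """LicensingUI.exe loading dui70.dll from outside the system directory."""
    if ev.get("id") != 7:
        return False
    image = str(ev.get("Image", "")).lower()
    loaded = str(ev.get("ImageLoaded", "")).lower()
    return (image.endswith("\\licensingui.exe")
            and loaded.endswith("\\dui70.dll")
            and not loaded.startswith(SYSTEM_DIR))


def is_guest_backdoor(ev: Event) -> bool:
    """Built-in Guest account enabled, or added to the Administrators group."""
    if ev.get("id") == 4722:
        return str(ev.get("TargetUserName", "")).lower() == "guest"
    if ev.get("id") == 4732:
        return (str(ev.get("MemberName", "")).lower() == "guest"
                and str(ev.get("TargetUserName", "")).lower() == "administrators")
    return False


def detect(events: Iterable[Event]) -> List[str]:
    """Return one alert string per matching event, in input order."""
    alerts: List[str] = []
    for ev in events:
        if is_licensingui_sideload(ev):
            alerts.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
        elif is_guest_backdoor(ev):
            alerts.append(f"guest-backdoor: event {ev['id']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same two rules would be fed from a SIEM query rather than an in-memory list; the side-load rule in particular is cheap because LicensingUI.exe loading dui70.dll from a user-writable path should never occur on a healthy host.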
The unknown threat actor subsequently proceeded to move laterally across the network using Remote Desktop Protocol (RDP) and credentials obtained via the Mimikatz password extraction tool, followed by setting up remote connections back to their command-and-control (C2) server from each of those machines.
The post-exploitation phase is further characterized by the execution of several enumeration commands and the use of the BloodHound tool for Active Directory (AD) reconnaissance, the results of which were then exfiltrated in the form of a ZIP archive.
The connections to China are bolstered by the fact that all of the C2 servers are hosted in China by Shenzhen Tencent Computer Systems Company Limited. On top of that, a majority of the artifacts linked with the campaign have originated from China.
“Although there was no solid evidence linking this attack to any known APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as Cobalt Strike and a wide range of other post-exploitation tools,” the researchers concluded.
“The campaign’s complexity is evident in its methodical approach to initial compromise, persistence, privilege escalation and lateral movement across the network.”