Cyber Intrusion Hits Chinese-Speaking Enterprises with Cobalt Strike Malware Payloads
Chinese-speaking enterprises are the target of a coordinated, highly sophisticated campaign that appears to use phishing emails to infect Windows systems with Cobalt Strike payloads.
“The attackers successfully expanded their reach sideways, established lasting presence, and went unnoticed in the systems for over a fortnight,” Securonix researchers Den Iuzvyk and Tim Peck stated in a recent report.
The clandestine operation, known as SLOW#TEMPEST and not linked to any recognized threat group, starts with harmful ZIP files that, upon extraction, trigger a series of infections, leading to the installation of the post-exploitation toolkit on compromised devices.
Included in the ZIP archive is a Windows shortcut (LNK) file disguised as a Microsoft Word document, named “违规远程控制软件人员名单.docx.lnk,” which roughly translates to “List of personnel in violation of remote control software rules.”
“Considering the language utilized in the lure documents, it’s probable that specific Chinese business or governmental sectors are being pinpointed due to their employment of individuals who adhere to ‘remote control software regulations,’” the researchers noted.
The LNK file acts as a conduit for launching a legitimate Microsoft binary (“LicensingUI.exe”), which is abused through DLL side-loading to execute a rogue DLL (“dui70.dll”). Both files ship inside the ZIP archive, in a directory named “其他信息.__MACOS__._MACOS___MACOSX_MACOS_.” Because the copied executable sits beside the malicious DLL, the Windows loader resolves the attacker’s dui70.dll from that directory before it would find the legitimate copy in System32. This is the first known instance of DLL side-loading via LicensingUI.exe.
The DLL is a Cobalt Strike implant that provides persistent, covert access to the infected host and beacons to a remote command-and-control server (“123.207.74[.]22”).
This remote access reportedly allowed the attackers to perform a range of hands-on actions, including deploying additional payloads for reconnaissance and setting up proxied connections.
The infection chain also stands out for creating a scheduled task that periodically runs a malicious executable named “lld.exe,” which can execute arbitrary shellcode directly in memory and therefore leaves minimal traces on disk.
“The attackers further positioned themselves to remain hidden in infected systems by manually elevating the privileges of the built-in Guest user account,” mentioned the researchers.
“This account, generally deactivated and minimally empowered, was transformed into a potent entry point by adding it to the vital administrative group and assigning a new password. This backdoor assures continuous access to the system with minimal detection, given that the Guest account is usually not monitored as closely as other user accounts.”
The unidentified threat actor then moved laterally across the network over Remote Desktop Protocol (RDP), using credentials harvested with the Mimikatz password-extraction utility, and established connections back to the command-and-control (C2) server from each newly reached machine.
The post-exploitation phase was further marked by the execution of various enumeration commands and the use of BloodHound for Active Directory (AD) reconnaissance, the results of which were later exfiltrated in the form of a ZIP file.

Links to China are supported by the fact that all of the C2 servers are hosted in China by Shenzhen Tencent Computer Systems Company Limited, and by the finding that the majority of the campaign’s artifacts originate from China.
“While there is no concrete proof associating this incursion with any known APT factions, it’s probable that this was orchestrated by a seasoned threat actor well-versed in utilizing advanced exploitation platforms like Cobalt Strike along with an array of other post-exploitation tools,” concluded the researchers.
“The meticulous nature of the campaign is apparent in its systematic handling of initial infiltration, persistence, privilege escalation, and lateral movement across the network.”