Chinese-speaking businesses are the target of a new cyberattack that uses cobalt strike payloads


Phishing emails are most likely being used by a “highly organized and sophisticated attack” operation targeting Chinese-speaking users to infect Windows PCs with Cobalt Strike payloads.

Using phishing emails to infect Windows systems with Cobalt Strike payloads, a “highly organized and sophisticated attack” operation is aimed at Chinese-speaking users. Researchers Den Iuzvyk and Tim Peck of Securonix said in a recent paper that “the attackers managed to move laterally, establish persistence, and remain undetected within the systems for more than two weeks.” The covert campaign, codenamed SLOW#TEMPEST, has not been attributed to any known threat actor. It starts with malicious ZIP files that, when opened, trigger the infection chain and install the post-exploitation toolkit on infected systems.

Included with the ZIP archive is a Windows shortcut (LNK) file called “违规远程控制软件人员名单.docx.lnk,” whose name translates to a list of individuals who have broken the rules on remote control software. “Given the language used in the lure files, it’s likely that specific Chinese-related business or government sectors could be targeted, as they would both employ individuals who follow ‘remote control software regulations,’” the investigators stated.

Through the use of DLL side-loading, the LNK file opens a genuine Microsoft program (“LicensingUI.exe”) that loads a malicious DLL (“dui70.dll”) placed alongside it. Both files sit inside the ZIP archive in a directory named “其他信息\.__MACOS__\._MACOS_\__MACOSX\_MACOS_.” This attack is the first time that LicensingUI.exe-based DLL side-loading has been documented. The DLL file is a Cobalt Strike implant that connects to a remote server (“123.207.74[.]22”) to enable persistent and covert access to the compromised computer.

The attackers are alleged to have been able to carry out a number of practical tasks with the help of the remote access, such as setting up proxied connections and deploying more payloads for reconnaissance. Another noteworthy feature of the infection chain is that it creates a scheduled task to run a malicious executable named “lld.exe” on a regular basis. This executable can run arbitrary shellcode directly in memory, keeping its on-disk footprint to a minimum. By manually elevating the privileges of the built-in Guest user account, the attackers were further able to conceal themselves in the shadows on infected devices, according to the researchers.

“By adding this account to the important administrative group and changing its password, it was made into a strong access point. Normally, this account would be disabled and have little authority. Since the Guest account is frequently not kept as strictly under observation as other user accounts, this backdoor enables them to continue having access to the system with little discovery.” After obtaining credentials through the Mimikatz password extraction tool, the unknown threat actor used Remote Desktop Protocol (RDP) to move laterally across the network. From each of those machines, they established remote connections back to their command-and-control (C2) server. The execution of many enumeration commands and the usage of the BloodHound tool for Active Directory (AD) reconnaissance are further characteristics of the post-exploitation phase.
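As an added defender-side example (not code from the Securonix report or this article), the three post-exploitation tells described above, the Guest-account backdoor, the LicensingUI.exe/dui70.dll side-load from a non-system path, and the lld.exe scheduled task, expressed as checks over Windows Security and Sysmon events. Field names follow the exported event schema, and every sample record below is constructed for illustration.

```python
# Toy detector for the SLOW#TEMPEST post-exploitation tells.
# Input: a list of dicts mimicking exported Windows Security / Sysmon events.
ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
GUEST_RID = "-501"            # well-known RID of the built-in Guest account
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def guest_backdoor(events):
    """Security 4722 (account enabled) / 4724 (password reset) on Guest,
    or 4732 (member added to local group) putting Guest into Administrators."""
    hits = []
    for e in events:
        target, member = e.get("TargetSid", ""), e.get("MemberSid", "")
        if e["EventID"] in (4722, 4724) and target.endswith(GUEST_RID):
            hits.append((e["EventID"], "Guest enabled or password reset"))
        elif e["EventID"] == 4732 and target == ADMINS_SID and member.endswith(GUEST_RID):
            hits.append((4732, "Guest added to Administrators"))
    return hits

def sideload_from_user_path(events):
    """Sysmon 7 (ImageLoad): LicensingUI.exe loading dui70.dll outside System32/SysWOW64."""
    return [
        e["ImageLoaded"] for e in events
        if e["EventID"] == 7
        and e["Image"].lower().endswith("\\licensingui.exe")
        and e["ImageLoaded"].lower().endswith("\\dui70.dll")
        and not e["ImageLoaded"].lower().startswith(SYSTEM_DIRS)
    ]

def suspicious_scheduled_task(events, needle="lld.exe"):
    """Security 4698 (task created) whose XML action references the named binary."""
    return [e["TaskName"] for e in events
            if e["EventID"] == 4698 and needle in e.get("TaskContent", "").lower()]

SAMPLE = [  # constructed events; SIDs, paths and task name are invented
    {"EventID": 4722, "TargetSid": "S-1-5-21-1-2-3-501"},
    {"EventID": 4724, "TargetSid": "S-1-5-21-1-2-3-501"},
    {"EventID": 4732, "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-501"},
    {"EventID": 4732, "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1105"},  # benign admin add
    {"EventID": 7, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll"},                               # legitimate load
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\LicensingUI.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\dui70.dll"},                     # side-load
    {"EventID": 4698, "TaskName": "\\Updater",
     "TaskContent": "<Command>C:\\ProgramData\\lld.exe</Command>"},
]
```

Each function returns only the records matching its tell, so a benign admin-group change or the genuine System32 copy of dui70.dll is left alone.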

The fact that Shenzhen Tencent Computer Systems Company Limited hosts all of the C2 servers in China serves to further strengthen the ties to China. Furthermore, the vast bulk of the artifacts associated with the campaign are Chinese in origin. “Although there was no solid evidence linking this attack to any known APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as Cobalt Strike and a wide range of other post-exploitation tools,” the investigators determined. “The campaign’s complexity is evident in its methodical approach to initial compromise, persistence, privilege escalation, and lateral movement across the network.”
