Cobalt Strike Payloads

Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads.

"The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report.

The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activates the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems.

Present with the ZIP archive is a Windows shortcut (LNK) file that disguises itself as a Microsoft Word file, "违规远程控制软件人员名单.docx.lnk," which roughly translates to "List of people who violated the remote control software regulations."

"Given the language used in the lure files, it's likely that specific Chinese related business or government sectors could be targeted as they would both employ individuals who follow 'remote control software regulations,'" the researchers pointed out.

Cybersecurity

The LNK file acts as a conduit to launch a legitimate Microsoft binary ("LicensingUI.exe") that employs DLL side-loading to execute a rogue DLL ("dui70.dll"). Both the files are part of the ZIP archive within a directory called "\其他信息\.__MACOS__\._MACOS_\__MACOSX\_MACOS_." The attack marks the first time DLL side-loading via LicensingUI.exe has been reported.

The DLL file is a Cobalt Strike implant that allows for persistent and stealthy access to the infected host, while establishing contact with a remote server ("123.207.74[.]22").

The remote access is said to have allowed the attackers to conduct a series of hands-on activities, including deploying additional payloads for reconnaissance and setting up proxied connections.

The infection chain is also notable for setting up a scheduled task to periodically execute a malicious executable called "lld.exe" that can run arbitrary shellcode directly in memory, thereby leaving minimal footprints on disk.

Cobalt Strike Payloads

"The attackers further enabled themselves to hide in the weeds in compromised systems by manually elevating the privileges of the built-in Guest user account," the researchers said.

"This account, typically disabled and minimally privileged, was transformed into a powerful access point by adding it to the critical administrative group and assigning it a new password. This backdoor allows them to maintain access to the system with minimal detection, as the Guest account is often not monitored as closely as other user accounts."

The unknown threat actor subsequently proceeded to move laterally across the network using Remote Desktop Protocol (RDP) and credentials obtained via the Mimikatz password extraction tool, followed by setting up remote connections back to their command-and-control (C2) server from each of those machines.

The post-exploitation phase is further characterized by the execution of several enumeration commands and the use of the BloodHound tool for active directory (AD) reconnaissance, the results of which were then exfiltrated in the form of a ZIP archive.

Cybersecurity

The connections to China are reinforced by the fact that all of the C2 servers are hosted in China by Shenzhen Tencent Computer Systems Company Limited. On top of that, a majority of the artifacts connected with the campaign have originated from China.

"Although there was no solid evidence linking this attack to any known APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as Cobalt Strike and a wide range of other post-exploitation tools," the researchers concluded.

"The campaign's complexity is evident in its methodical approach to initial compromise, persistence, privilege escalation and lateral movement across the network."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.