Adrian Johnson
TLDR:
Chinese-speaking businesses are being targeted in a cyberattack campaign using Cobalt Strike payloads. The attackers use phishing emails with malicious ZIP files containing a Windows shortcut disguised as a Microsoft Word file. This leads to the deployment of a post-exploitation toolkit on compromised systems, enabling the attackers to establish persistence and move laterally within the networks.
Full Article:
Chinese-speaking users are the target of a “highly organized and sophisticated attack” campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads. The covert campaign, codenamed SLOW#TEMPEST, begins with malicious ZIP files that unpack to activate the infection chain. This leads to the deployment of a post-exploitation toolkit on compromised systems.
The attackers were able to establish persistence and remain undetected within systems for more than two weeks. The attack involves using a Windows shortcut file that disguises itself as a Microsoft Word document, which likely targets specific Chinese sectors related to business or government.
The attack utilizes DLL side-loading via a legitimate Microsoft binary to execute a rogue DLL, which is a Cobalt Strike implant allowing for persistent and stealthy access to infected hosts. The attackers also set up a scheduled task to execute a malicious executable in memory, leaving minimal footprints on disk.
The threat actor moved laterally across the network using Remote Desktop Protocol and Mimikatz password extraction tool. They conducted hands-on activities, deployed additional payloads for reconnaissance, and set up proxied connections. The post-exploitation phase included enumeration commands and the use of the BloodHound tool for active directory reconnaissance.
All of the command-and-control servers used in the attack were hosted in China, and a majority of the artifacts originated from China. While there is no solid evidence linking the attack to any known APT groups, researchers believe it is orchestrated by a seasoned threat actor experienced in advanced exploitation frameworks like Cobalt Strike.
The attack campaign’s complexity lies in its methodical approach to initial compromise, persistence, privilege escalation, and lateral movement across networks. This highlights the importance of cybersecurity measures to protect against such sophisticated attacks.
