SLOW#TEMPEST Campaign Targets Chinese Users with Cobalt Strike and Mimikatz Attacks
This campaign, targeting Chinese-speaking users, employed a combination of Cobalt Strike and Mimikatz to infiltrate and persist within compromised systems. The attack appears to have been conducted through phishing emails containing malicious ZIP files.
Introduction
On August 29, 2024, Securonix released a security advisory detailing an attack campaign it tracks as SLOW#TEMPEST. The campaign targeted Chinese-speaking users and combined Cobalt Strike for command and control with Mimikatz for credential theft to infiltrate and persist within compromised systems. Delivery appears to have been by phishing emails carrying malicious ZIP files; once inside, the attackers moved laterally and kept their access for over two weeks without being detected.
Report Overview
The SLOW#TEMPEST campaign was discovered by Securonix Threat Research, who observed that the attack specifically targeted victims within China. The use of Chinese language in the file names and lures, along with command and control (C2) infrastructure hosted by Shenzhen Tencent Computer Systems Company Limited, strongly suggests that the campaign was aimed at Chinese users. Although the exact origin of the attack remains unclear, the tactics used align with traditional phishing methods, likely involving ZIP files distributed via unsolicited emails.
The initial infection begins when the user opens a password-protected ZIP file containing a malicious LNK file masquerading as a legitimate document. Executing the LNK launches the Cobalt Strike implant through DLL hijacking: the attackers pair the legitimate, Microsoft-signed LicensingUI.exe with a malicious dui70.dll in the same directory. Because the Windows loader checks an application's own directory before System32 for any DLL that is not on the KnownDLLs list, the signed executable resolves the attacker's dui70.dll instead of the genuine one, and the implant runs inside a trusted, signed process, giving the attackers their foothold.
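As an added illustration (not code from the Securonix report), the following Python flags the DLL search-order hijack described above from process image-load telemetry. The record fields mimic Sysmon Event ID 7 (Image loaded); the sample events, the list of trusted system directories and the set of abused system DLL names other than dui70.dll are assumptions made for this example.

```python
"""Flag DLL search-order hijacking / sideloading from process image-load telemetry.

Added example, not from the Securonix report. Record fields mimic Sysmon Event ID 7
(Image loaded); the sample events below are constructed for this illustration.
"""
from pathlib import PureWindowsPath

# Directories from which Windows legitimately serves its own DLLs (assumed list).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# DLL names that ship in System32 and have been abused for sideloading.
# dui70.dll comes from the campaign above; the other names are assumptions.
SYSTEM_DLL_NAMES = {"dui70.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}


def _under_trusted_dir(path):
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_suspicious_load(event):
    """Return a reason string if the image-load event looks like sideloading, else None."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    name = loaded.name.lower()
    if name not in SYSTEM_DLL_NAMES:
        return None
    if _under_trusted_dir(str(loaded)):
        return None
    # A system DLL name resolved outside the system directories: the loader found a
    # same-named file earlier in the search order (normally the EXE's own directory).
    reason = f"{name} loaded from {loaded.parent} instead of a system directory"
    if event.get("Signed", "").lower() != "true":
        reason += "; DLL is unsigned"
    host = PureWindowsPath(event["Image"])
    if not _under_trusted_dir(str(host)):
        reason += f"; host process {host.name} is also running from {host.parent}"
    return reason


def scan(events):
    """Return (Image, reason) pairs for every suspicious image-load event."""
    return [(e["Image"], r) for e in events if (r := is_suspicious_load(e))]


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {   # benign: LicensingUI.exe in System32 loads the genuine dui70.dll
        "Image": r"C:\Windows\System32\LicensingUI.exe",
        "ImageLoaded": r"C:\Windows\System32\dui70.dll",
        "Signed": "true",
    },
    {   # suspicious: a copy of the signed EXE in a user directory loads a same-named DLL
        "Image": r"C:\Users\Public\Documents\LicensingUI.exe",
        "ImageLoaded": r"C:\Users\Public\Documents\dui70.dll",
        "Signed": "false",
    },
    {   # benign: third-party DLL whose name is not a system DLL name
        "Image": r"C:\Program Files\App\app.exe",
        "ImageLoaded": r"C:\Program Files\App\helper.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

Only the second record is flagged: the first is the genuine DLL loaded from System32, and the third has no system DLL name. In production the DLL-name set would be generated from an inventory of System32 rather than hand-written, and the host-process check is the higher-fidelity signal, since a Microsoft binary running from a user-writable directory has almost no legitimate reason to exist.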
Post-exploitation activities included using several tools for privilege escalation, lateral movement, and credential harvesting. The attackers set up a staging directory on the compromised host, downloaded additional tools such as fscan.exe to scan for live hosts, and ran sharpdecryptpwd.exe to extract cached credentials from installed applications. Mimikatz was also used to dump Windows credentials, which were then used to pivot across the network.
The SLOW#TEMPEST campaign poses significant risks to affected systems. The attackers maintained persistent access through scheduled tasks and elevated privileges, and by manipulating the built-in Guest account they created a backdoor that allowed ongoing access with little chance of detection: a local account that already exists on every Windows host draws far less scrutiny than a newly created one. The campaign's techniques, including undocumented DLL injection and the use of BloodHound for Active Directory reconnaissance, indicate a high level of sophistication.
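A Guest-account backdoor of the kind described above leaves a trail in the Windows Security log if account-management auditing is enabled. The following Python is an added example, not anything from the Securonix report; it assumes the manipulation took the common form of enabling the account (event 4722), setting a password (4724) and adding it to a privileged local group (4732), and it resolves the account by its well-known RID 501 when the log records only a SID. The sample events, machine SID, and account and group names are constructed.

```python
"""Correlate Windows Security events that turn the built-in Guest account into a backdoor.

Added example, not part of the Securonix report. The sample events are constructed;
field names follow the Windows Security log (EventID, TargetUserName, MemberName,
MemberSid, SubjectUserName) and the event IDs are standard Windows values.
"""
from datetime import datetime, timedelta

ENABLED = 4722          # A user account was enabled
PASSWORD_RESET = 4724   # An attempt was made to reset an account's password
ADDED_TO_GROUP = 4732   # A member was added to a security-enabled local group

PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
WATCHED_ACCOUNTS = {"guest"}   # extend with other built-ins you never expect to see used
WINDOW = timedelta(hours=1)    # all three steps inside this span is treated as one setup


def _account_of(event):
    """Return the lower-cased account an event acts on.

    4732 names the group in TargetUserName and the member in MemberName/MemberSid;
    MemberName is often logged as '-', so fall back to the SID: Guest is always RID 501.
    """
    if event["EventID"] == ADDED_TO_GROUP:
        name = event.get("MemberName", "-")
        if name == "-":
            return "guest" if event.get("MemberSid", "").endswith("-501") else ""
        return name.split("\\")[-1].lower()
    return event["TargetUserName"].lower()


def find_backdoor_accounts(events):
    """Return {account: sorted event IDs} for watched accounts that were enabled,
    given a new password and added to a privileged local group within WINDOW."""
    by_account = {}
    for e in sorted(events, key=lambda ev: ev["Time"]):
        acct = _account_of(e)
        if acct not in WATCHED_ACCOUNTS:
            continue
        if e["EventID"] == ADDED_TO_GROUP and e["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
            continue  # membership in an unprivileged group is not a backdoor
        by_account.setdefault(acct, []).append(e)

    hits = {}
    for acct, evs in by_account.items():
        ids = {e["EventID"] for e in evs}
        span = evs[-1]["Time"] - evs[0]["Time"]
        if {ENABLED, PASSWORD_RESET, ADDED_TO_GROUP} <= ids and span <= WINDOW:
            hits[acct] = sorted(ids)
    return hits


# Constructed sample log (not real captured data). The machine SID is made up.
T0 = datetime(2024, 8, 20, 3, 15, 0)
SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_EVENTS = [
    {"Time": T0, "EventID": ENABLED, "TargetUserName": "Guest", "SubjectUserName": "svc_backup"},
    {"Time": T0 + timedelta(seconds=20), "EventID": PASSWORD_RESET, "TargetUserName": "Guest",
     "SubjectUserName": "svc_backup"},
    {"Time": T0 + timedelta(minutes=2), "EventID": ADDED_TO_GROUP, "TargetUserName": "Administrators",
     "MemberName": "-", "MemberSid": SID + "-501", "SubjectUserName": "svc_backup"},
    {"Time": T0 + timedelta(minutes=3), "EventID": ADDED_TO_GROUP, "TargetUserName": "Remote Desktop Users",
     "MemberName": "WORKSTATION\\Guest", "MemberSid": SID + "-501", "SubjectUserName": "svc_backup"},
    # benign noise: a helpdesk password reset for an ordinary user
    {"Time": T0 + timedelta(minutes=5), "EventID": PASSWORD_RESET, "TargetUserName": "alice",
     "SubjectUserName": "helpdesk"},
    # benign: an ordinary user made local admin; not a watched account
    {"Time": T0 + timedelta(hours=2), "EventID": ADDED_TO_GROUP, "TargetUserName": "Administrators",
     "MemberName": "WORKSTATION\\bob", "MemberSid": SID + "-1105", "SubjectUserName": "it_admin"},
]

if __name__ == "__main__":
    for acct, ids in find_backdoor_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT built-in account '{acct}' enabled, given a password and made privileged: {ids}")
```

Requiring all three steps within the window keeps the rule quiet on ordinary helpdesk activity while still firing on the Guest sequence; matching the member by RID 501 rather than by name also catches a renamed Guest account, since renaming does not change the SID.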
Insights and Analysis
Securonix's analysis of SLOW#TEMPEST stresses two detection priorities: watching for unusual activity in common malware staging directories and deploying robust endpoint logging. Because the implant communicated over encrypted channels on a variety of ports, network signatures alone are unlikely to catch it; host-level process and image-load telemetry is needed to identify and mitigate such intrusions.
The SLOW#TEMPEST campaign is a serious threat to organizations, particularly those in China. Security teams should remain vigilant and consider implementing the recommended preventative measures, including not opening files from unsolicited sources, monitoring script-related activity, and enhancing endpoint logging capabilities. By understanding the methods and tools used in this campaign, defenders can better protect their networks from similar attacks in the future.
Preventative Measures:
- Avoid downloading files or attachments from unknown or unsolicited sources.
- Monitor common malware staging directories for unusual script activity.
- Deploy robust endpoint logging capabilities, including process-level logging, for enhanced detection coverage.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
123.207.74[.]22 | IP Address | Command and Control (C2) server used in the SLOW#TEMPEST campaign. |
123.56.168[.]30 | IP Address | Additional C2 server involved in the campaign. |
49.235.152[.]72 | IP Address | Server used for remote connections during the attack. |
myip.ipip[.]net | Domain | Website probed by attackers to grab the system’s public IP address. |
360-1305242994.cos.ap-nanjing.myqcloud[.]com | Domain | Hosting location for payload used in the campaign, associated with Tencent Cloud Object Storage (COS). |
dui70.dll | File | Malicious DLL file used for Cobalt Strike implant execution. |
LicensingUI.exe | File | Legitimate Microsoft executable hijacked to sideload a malicious DLL. |
sharpdecryptpwd.exe | File | Tool used for dumping cached credentials from installed applications. |
MITRE ATT&CK Table
Tactic | Technique | ID | Description |
---|---|---|---|
Persistence | Valid Accounts: Default Accounts | T1078.001 | Manipulating the built-in Guest account to create a backdoor for continued access. |
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Delivering malicious ZIP files via phishing emails to initiate the attack. |
Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | Using DLL hijacking to execute malicious code via a legitimate executable (LicensingUI.exe). |
Credential Access | OS Credential Dumping | T1003 | Using Mimikatz to dump credentials from the operating system. |
Credential Access | Credentials from Password Stores | T1555 | Extracting credentials from password stores using sharpdecryptpwd.exe. |
Discovery | System Information Discovery | T1082 | Gathering detailed information about the system configuration and software. |
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Utilizing PowerShell scripts for execution of malicious code. |
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Using the Windows command shell to execute commands and scripts. |
Persistence | Scheduled Task/Job | T1053 | Creating scheduled tasks to maintain persistence within the compromised system. |
Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | Moving laterally across the network using RDP. |
Exfiltration | Exfiltration Over C2 Channel | T1041 | Exfiltrating data over an encrypted C2 channel. |