Cybersecurity researchers from Securonix discovered a new threat campaign that included phishing, DLL sideloading, and Cobalt Strike beacons, all using Tencent’s infrastructure, and targeting Chinese entities. Tencent is the largest and most popular cloud service provider in China.
Apparently, the group (which has not been identified and doesn’t seem to resemble any known organization) was sending out phishing emails with attachments discussing “personnel lists” and “people who violated remote control software regulations”.
Given the topics of the phishing files, Securonix speculates that the attackers might have been targeting the government sector, or “specific Chinese related businesses”, since these “would employ individuals who follow ‘remote control software regulations’”.
SLOW#TEMPEST
Among the distributed files were UI.exe, and dui70.dll. The executable file is actually LicensingUI.exe – a legitimate tool that displays information about software licenses and activation. The .DLL file, on the other hand, is an old and vulnerable dynamic link library file that, through sideloading, allows the crook to deploy Cobalt Strike.
“The legitimate file is designed to import several legitimate DLL files, one of which is dui70.dll and should normally reside in C:WindowsSystem32. However, thanks to a DLL path traversal vulnerability, any DLL containing the same name can be sideloaded upon the execution of the renamed UI.exe by the LNK file,” the researchers said.
Cobalt Strike is a cybersecurity tool used for simulating advanced persistent threats (APTs) in penetration testing, but it is also exploited by malicious actors for command and control operations. In this scenario, it was used to deliver all kinds of malware, including a port forwarding tool, a network reconnaissance tool, a scanner used in red teaming, and many more.
All IP addresses used in the attack were hosted at Tencent, China’s #1 cloud service provider, the researchers added. Furthermore, since the attackers were lurking for more than two weeks before making any moves, the researchers dubbed the attack SLOW#TEMPEST.
Via The Register