Securonix cybersecurity researchers discovered a new threat campaign involving phishing, DLL side-loading, and Cobalt Strike beacons, all using Tencent’s infrastructure and targeting Chinese entities. Tencent is China’s largest and most popular cloud services provider.
The group (which has not been identified and does not appear to resemble any known organization) was reportedly sending phishing emails with attachments that talked about “staff lists” and “people violating remote control software regulations.”
Given the themes of the phishing files, Securonix speculates that the attackers might have been targeting the government sector or “specific China-related companies,” as these “employ individuals who follow ‘remote control software regulations.’”
SLOW#TEMPEST
Among the distributed files are UI.exe and dui70.dll. The executable is actually a renamed copy of LicensingUI.exe, a legitimate Windows tool that displays information about software licensing and activation. The DLL, on the other hand, is a malicious dynamic link library that, once placed alongside the executable on the victim’s machine, allows the criminals to deploy Cobalt Strike.
“The legitimate file is designed to import multiple legitimate DLL files, one of which is dui70.dll and should normally reside in C:\Windows\System32. However, thanks to a DLL path traversal vulnerability, any DLLs containing the same name can be transferred when executing the UI.exe renamed by the LNK file,” the researchers said.
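The side-loading pattern described above (a renamed legitimate executable resolving a system DLL name from its own directory instead of System32) is straightforward to hunt for in image-load telemetry. The following is an added example written for this article, not code from Securonix or from the campaign: it runs simple detection logic over constructed Sysmon-style ImageLoaded records. The record layout, the `ProcessOriginalFileName` enrichment field, the sample paths and the `SYSTEM_DLLS` list are assumptions for illustration; only UI.exe, LicensingUI.exe, dui70.dll and its expected location under C:\Windows\System32 come from the report.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example (not from the original article). Sample events below are
constructed; the field names mimic Sysmon Event ID 7 (ImageLoaded) with an
assumed enrichment field, ProcessOriginalFileName, joined from the
process-creation event so a renamed executable can be spotted.
"""
import ntpath

# DLL names a process is expected to resolve from the Windows system
# directories. In a real deployment this list is generated from an inventory
# of the target build's System32 contents rather than hand-written.
SYSTEM_DLLS = {"dui70.dll", "duser.dll", "kernel32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_side_load_candidate(event):
    """Return a reason string if the load looks like DLL side-loading, else None."""
    loaded = event["ImageLoaded"]
    dll_name = ntpath.basename(loaded).lower()
    if dll_name not in SYSTEM_DLLS:
        return None                      # not a system DLL name: nothing to check
    dll_dir = ntpath.dirname(loaded)
    if (dll_dir.lower() + "\\").startswith(SYSTEM_DIRS):
        return None                      # resolved from the legitimate location

    reasons = [f"{dll_name} loaded from non-system path {dll_dir}"]
    proc = event["Image"]
    # Classic side-loading: the rogue DLL sits next to the executable that imports it.
    if ntpath.dirname(proc).lower() == dll_dir.lower():
        reasons.append("DLL sits beside the loading executable")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    # Renamed loader (assumed enrichment): on-disk name differs from the PE's original name.
    original = event.get("ProcessOriginalFileName")
    if original and original.lower() != ntpath.basename(proc).lower():
        reasons.append(f"loading process was renamed from {original}")
    return "; ".join(reasons)


def scan(events):
    """Return (process path, reason) pairs for every suspicious image load."""
    return [(e["Image"], r) for e in events if (r := is_side_load_candidate(e))]


# Constructed sample telemetry: one side-loading case, three benign loads.
SAMPLE_EVENTS = [
    {   # renamed LicensingUI.exe loading a rogue dui70.dll from the same folder
        "Image": r"C:\Users\victim\Downloads\UI.exe",
        "ProcessOriginalFileName": "LicensingUI.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\dui70.dll",
        "Signed": "false",
    },
    {   # the genuine tool resolving the genuine DLL from System32
        "Image": r"C:\Windows\System32\LicensingUI.exe",
        "ProcessOriginalFileName": "LicensingUI.exe",
        "ImageLoaded": r"C:\Windows\System32\dui70.dll",
        "Signed": "true",
    },
    {   # an application loading its own private DLL: not a system DLL name
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ProcessOriginalFileName": "app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\app.dll",
        "Signed": "true",
    },
    {   # 32-bit process pulling kernel32.dll from SysWOW64
        "Image": r"C:\Program Files (x86)\ExampleApp\app32.exe",
        "ProcessOriginalFileName": "app32.exe",
        "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for process, reason in scan(SAMPLE_EVENTS):
        print(f"[side-load candidate] {process}: {reason}")
```

Only the first record is flagged, and the reason string carries all four indicators (non-system path, DLL beside the loader, unsigned, renamed loader); the remaining three resolve from a system directory or involve a non-system DLL name and produce no alert. In practice the `SYSTEM_DLLS` set should be built from a known-good inventory, and signature state should come from the telemetry source rather than a string field.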
Cobalt Strike is a commercial adversary-simulation tool used to emulate advanced persistent threats (APTs) in penetration testing, but it is also widely abused by malicious actors for command and control. In this campaign, the beacon was used to deliver further tooling, including a port forwarding tool, a network reconnaissance tool, a scanner commonly used by red teams, and more.
All IP addresses used in the attack were hosted by Tencent, China’s number one cloud services provider, the researchers added. Moreover, since the attackers lurked for more than two weeks before making any move, the researchers dubbed the attack SLOW#TEMPEST.
Through The Registry