A new and highly sophisticated cyberattack campaign, identified as SLOW#TEMPEST, is targeting Chinese-speaking businesses with advanced Cobalt Strike payloads. Researchers from Securonix have uncovered that this campaign initiates with phishing emails containing malicious ZIP files. Once unpacked, these files trigger an infection chain on Windows systems, deploying a post-exploitation toolkit designed to maintain stealthy access. The attack begins with a disguised Windows shortcut file, which masquerades as a Microsoft Word document, leading to the execution of a rogue DLL through DLL side-loading.
The rogue DLL, named “dui70.dll,” acts as a Cobalt Strike implant, providing attackers with persistent and covert access to the infected systems. This access allows them to establish communication with a remote server, “123.207.74[.]22,” enabling further activities such as deploying additional payloads, conducting reconnaissance, and setting up proxied connections. Notably, this attack marks the first reported use of DLL side-loading via LicensingUI.exe, adding a new dimension to the malware landscape.
To evade detection, the attackers elevate the privileges of the built-in Guest user account, transforming it into a powerful access point by adding it to the administrative group and assigning a new password. This technique helps the attackers maintain access with minimal oversight, as the Guest account is typically less monitored. The attackers then move laterally across the network using Remote Desktop Protocol (RDP) and Mimikatz to extract credentials, setting up remote connections to their command-and-control (C2) servers from each compromised machine.
The campaign’s connections to China are reinforced by the fact that all C2 servers are hosted by Shenzhen Tencent Computer Systems Company Limited, and many of the campaign’s artifacts originate from China. Although no direct link to known APT groups has been established, the complexity of the campaign suggests it is orchestrated by experienced threat actors skilled in advanced exploitation frameworks and post-exploitation tools. This methodical approach to initial compromise, persistence, and lateral movement highlights the sophisticated nature of the cyberattack.
Reference: