SLOW#TEMPEST (Dropper) – Malware

February 16, 2025

SLOW#TEMPEST

Type of Malware

Dropper

Country of Origin

China

Targeted Countries

China

Date of Initial Activity

2024

Motivation

Cyberwarfare

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

SLOW#TEMPEST is a stealthy campaign against Chinese-speaking users that was discovered by the Securonix Threat Research team. It distributes malicious ZIP archives, most likely by phishing email, to deliver Cobalt Strike payloads. The lures are written in Chinese and point to business and government targets in China, and the command and control (C2) infrastructure is hosted in China as well, although the origin of the operators remains inconclusive. Central to the campaign is DLL sideloading through a legitimate Windows executable, which runs the Cobalt Strike implant under the identity of a trusted, signed process. Each archive carries a malicious LNK (shortcut) file disguised as an innocuous document; because the attachment is a shortcut rather than an executable or a macro document, it slips past email antivirus filters, and opening it starts the infection chain. Once the implant is running, the operators escalate privileges, move laterally and maintain persistence for extended periods, in this campaign for more than two weeks.

Targets

Individuals

How they operate
Initial Infection Vector: Malicious ZIP Files
The campaign begins with phishing emails carrying ZIP attachments. Each archive contains a weaponized LNK (Windows shortcut) file whose name and icon imitate a document or image. Explorer never displays the trailing .lnk extension, so a file named like "contract.pdf.lnk" is shown to the victim simply as "contract.pdf". The shortcut is configured to launch a legitimate, signed Windows executable shipped inside the same archive, which then sideloads a malicious DLL placed beside it; living-off-the-land binaries (LOLBins) such as regsvr32.exe or mshta.exe can play the same role by loading a DLL or running a script that downloads and executes the Cobalt Strike payload. Because the process that runs is a trusted Microsoft binary, this stage raises few alarms in conventional antivirus and endpoint detection tooling.
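The traits described above (a shortcut named like a document, a target that is an executable, an icon borrowed from another file, a window that never shows) can be checked directly from the bytes of a .lnk file. The following Python script is an added example, not code from the original page or from the Securonix report: it parses the Shell Link header and StringData section as laid out in the MS-SHLLINK specification and tags the findings. The sample shortcuts it builds are constructed inline (`update.exe`, `contract.pdf.lnk` and the other names are hypothetical, not campaign artefacts), and the LinkTargetIDList and LinkInfo blocks are skipped rather than decoded.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader / LinkFlags).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimised and never takes focus

LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png")


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed header and StringData of a .lnk file; IDList/LinkInfo are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_IDLIST:                        # IDListSize (uint16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_cmd}
    # StringData entries appear in this fixed order, each as CountCharacters + chars.
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                     ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                     ("icon_location", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return info


def triage_lnk(filename: str, data: bytes) -> list[str]:
    """Return tags describing why this shortcut looks like a lure (empty list = nothing odd)."""
    info = parse_lnk(data)
    tags = []
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    icon = info.get("icon_location", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "").lower()
    stem = filename.lower().removesuffix(".lnk")
    if stem.endswith(DOC_EXTS):          # Explorer hides ".lnk", so "x.pdf.lnk" displays as "x.pdf"
        tags.append("double-extension")
    if target in LOLBINS:
        tags.append("lolbin-target")
    if target.endswith(".exe") and icon and icon != target:   # icon borrowed from another file
        tags.append("decoy-icon")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        tags.append("hidden-window")
    if "-enc" in args or "http" in args or len(args) > 200:
        tags.append("suspicious-args")
    return tags


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "",
              show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode .lnk (header + StringData) for constructed samples."""
    flags = IS_UNICODE | HAS_RELPATH | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + sd(relative_path)
            + (sd(arguments) if arguments else b"")
            + (sd(icon_location) if icon_location else b""))


# Constructed samples with hypothetical names: a lure that launches a bundled EXE behind a
# document icon with a hidden window, and an ordinary application shortcut for comparison.
LURE_NAME = "contract.pdf.lnk"
LURE_LNK = build_lnk(r".\data\update.exe", "-s", r"C:\Windows\System32\imageres.dll", SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Acme\acme.exe")

if __name__ == "__main__":
    print(LURE_NAME, triage_lnk(LURE_NAME, LURE_LNK))   # ['double-extension', 'decoy-icon', 'hidden-window']
    print("acme.lnk", triage_lnk("acme.lnk", BENIGN_LNK))  # []
```

Run it against the contents of a suspicious archive before anything is double-clicked; a real shortcut extracted from a phishing ZIP usually also carries a LinkTargetIDList, which the parser skips by length, so the StringData offsets stay correct.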
DLL Sideloading for Cobalt Strike Deployment
A critical aspect of the SLOW#TEMPEST campaign is its reliance on DLL sideloading. A legitimate, signed Windows executable is bundled with a malicious DLL in the same directory. When the executable imports a library by file name rather than by full path, the Windows loader searches the application's own directory before the system directories (the KnownDLLs list excepted), so it picks up the attacker's copy and runs its code inside a process that is signed by Microsoft. Process-level monitoring sees only a trusted image; the giveaway is the module load itself: a DLL whose name belongs in System32 loaded from a user-writable folder, unsigned, next to the executable that loaded it. The attackers use this to run Cobalt Strike beacons, which give them a foothold and remote control over compromised systems.
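That module-load anomaly is exactly what Sysmon Event ID 7 (ImageLoad) records. The following Python script is an added example and not part of the original page or the Securonix report: it runs a sideloading rule over a handful of constructed Event 7 records, flagging a DLL with a System32 name that is loaded from outside the system directories, co-located with its loader, and not Microsoft-signed. The `SYSTEM_DLL_BASELINE` set is a constructed subset; in practice you would build it from a clean host's System32 listing. The paths and process names (`render.exe`, `acme.exe`) are hypothetical.

```python
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# DLL names that ship in System32 on a clean host. Constructed subset; in practice build it
# from `Get-ChildItem C:\Windows\System32\*.dll` on a gold image.
SYSTEM_DLL_BASELINE = {"version.dll", "dui70.dll", "dwmapi.dll", "userenv.dll",
                       "profapi.dll", "cryptsp.dll", "kernel32.dll"}

# Constructed Sysmon Event ID 7 (ImageLoad) records, not real telemetry.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\li\Downloads\contract\render.exe",
     "ImageLoaded": r"C:\Users\li\Downloads\contract\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\li\Downloads\contract\render.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Program Files\Acme\acmecore.dll",
     "Signed": "true", "Signature": "Acme Ltd", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def in_system_dir(path: str) -> bool:
    """True when the file sits in (or below) one of the Windows system directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def detect_sideload(events: list[dict]) -> list[dict]:
    """Flag ImageLoad events where a system-named DLL is loaded from an unexpected place."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        dll = PureWindowsPath(ev["ImageLoaded"])
        exe = PureWindowsPath(ev["Image"])
        name = dll.name.lower()
        if name not in SYSTEM_DLL_BASELINE or in_system_dir(str(dll)):
            continue                       # either not a system DLL name, or loaded from where it belongs
        reasons = [f"system DLL name {name} loaded from {dll.parent}"]
        if str(dll.parent).lower() == str(exe.parent).lower():
            reasons.append("DLL co-located with the loading executable")
        if ev.get("Signed", "false").lower() != "true" or "microsoft" not in ev.get("Signature", "").lower():
            reasons.append("DLL not Microsoft-signed")
        alerts.append({"process": str(exe), "dll": str(dll), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_sideload(EVENTS):
        print(a["process"], "loaded", a["dll"])
        for r in a["reasons"]:
            print("   -", r)
```

Only the first record fires: `kernel32.dll` and `dui70.dll` are loaded from System32, and `acmecore.dll` is not a system DLL name. The rule is a hunt, not a blocklist; a vendor that ships its own copy of a system-named DLL under Program Files will also appear, which is worth knowing about anyway.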
Post-Exploitation Activities and Tools
Once inside the target environment, the attackers conduct extensive reconnaissance to identify valuable data and resources. AdFind is used for Active Directory enumeration, while custom scripts and network scanners map the internal network. For credential harvesting they deploy Mimikatz and other bespoke tools that extract secrets from memory and stored credentials. To maintain access, the campaign uses several persistence mechanisms, including scheduled tasks and the creation of new user accounts with elevated privileges. In some cases an account that is normally disabled, such as the built-in Administrator account (disabled by default on Windows client editions), is re-enabled and given a new password to serve as a backdoor. Each of these actions leaves a Security log trail: 4720 (account created), 4722 (account enabled), 4724 (password reset), 4732 (member added to a local group) and 4698 (scheduled task created). This hands-on activity shows the operators adapting their actions to the specific environment rather than running a fully automated playbook.
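The account-persistence pattern above (a dormant account enabled and immediately given a new password, or a freshly created account promoted straight into local Administrators) can be hunted by correlating those Security events on the target SID within a short window. The Python script below is an added example, not code from the page or from Securonix; the event records are constructed (the user names and SIDs are hypothetical), using the field names Windows actually emits for events 4720, 4722, 4724 and 4732.

```python
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"           # BUILTIN\Administrators
WINDOW = timedelta(minutes=30)
PAIRED = {4722: 4724, 4724: 4722}          # account enabled <-> password reset, either order

# Constructed Windows Security log records (not real telemetry); times are UTC.
EVENTS = [
    {"EventID": 4722, "Time": "2024-07-01T02:10:00", "TargetSid": "S-1-5-21-1-2-3-500",
     "TargetUserName": "Administrator", "SubjectUserName": "li"},
    {"EventID": 4724, "Time": "2024-07-01T02:10:05", "TargetSid": "S-1-5-21-1-2-3-500",
     "TargetUserName": "Administrator", "SubjectUserName": "li"},
    {"EventID": 4720, "Time": "2024-07-01T02:12:00", "TargetSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "svc_backup", "SubjectUserName": "li"},
    {"EventID": 4732, "Time": "2024-07-01T02:12:30", "MemberSid": "S-1-5-21-1-2-3-1105",
     "TargetSid": ADMIN_GROUP_SID, "TargetUserName": "Administrators", "SubjectUserName": "li"},
    # Routine onboarding: account created by helpdesk, added to Users hours later.
    {"EventID": 4720, "Time": "2024-07-02T09:00:00", "TargetSid": "S-1-5-21-1-2-3-1106",
     "TargetUserName": "jane.doe", "SubjectUserName": "helpdesk"},
    {"EventID": 4732, "Time": "2024-07-02T15:00:00", "MemberSid": "S-1-5-21-1-2-3-1106",
     "TargetSid": "S-1-5-32-545", "TargetUserName": "Users", "SubjectUserName": "helpdesk"},
]


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["Time"])


def hunt_account_persistence(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Correlate account events on the same SID within `window`; returns one finding per pair."""
    evs = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(evs):
        later = [f for f in evs[i + 1:] if _ts(f) - _ts(e) <= window]
        if e["EventID"] in PAIRED:
            # Dormant account brought back to life: enable and password reset on one SID.
            for f in later:
                if f["EventID"] == PAIRED[e["EventID"]] and f["TargetSid"] == e["TargetSid"]:
                    findings.append({"rule": "dormant-account-reactivated",
                                     "account": e["TargetUserName"], "by": f["SubjectUserName"],
                                     # RID 500 is the built-in Administrator account
                                     "severity": "high" if e["TargetSid"].endswith("-500") else "medium"})
                    break
        elif e["EventID"] == 4720:
            # New account promoted to local Administrators shortly after creation.
            for f in later:
                if (f["EventID"] == 4732 and f.get("MemberSid") == e["TargetSid"]
                        and f["TargetSid"] == ADMIN_GROUP_SID):
                    findings.append({"rule": "new-account-made-admin",
                                     "account": e["TargetUserName"], "by": f["SubjectUserName"],
                                     "severity": "high"})
                    break
    return findings


if __name__ == "__main__":
    for f in hunt_account_persistence(EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['account']} (by {f['by']})")
```

The helpdesk onboarding of `jane.doe` is not reported: the group is Users, not Administrators, and the two events are hours apart. Matching on SID rather than name matters because the built-in Administrator is frequently renamed; RID 500 is not.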
Command and Control Communication
The Cobalt Strike beacons established during the initial compromise communicate with C2 servers hosted on infrastructure in China. The attackers also obfuscate the traffic, using HTTPS and domain fronting, which complicates network-level detection and slows response. Hosting C2 locally lets the beacon traffic blend into ordinary regional traffic and avoid the scrutiny that cross-border connections attract. Encryption does not hide the beacon's rhythm, though: a beacon checks in at a fixed sleep interval plus jitter, so proxy logs still show a host making periodic connections to a server it has no business reason to contact, and beaconing analysis on connection timing remains a useful detection even when the payload cannot be inspected.
Implications and Mitigation
SLOW#TEMPEST combines a low-tech entry (a shortcut in a ZIP) with disciplined tradecraft once inside (signed-binary sideloading, a commercial C2 framework, manual post-exploitation). Defending against it means layering controls: block or quarantine archives that contain .lnk files at the mail gateway, alert on module loads of system-named DLLs from user-writable paths, monitor account enable, password reset and group membership events, and hunt for periodic outbound connections. User awareness training reduces the chance that the initial lure is opened, but it should not be the only control, because the lure is built precisely to look like routine business correspondence.
References:
  • Securonix Threat Research, "From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users"

Tags: China, Cobalt Strike, Cyberattack, Droppers, Malware, Phishing, SLOW#TEMPEST, Windows