Chinese Organizations Are Being Hit by Cobalt Strike Attacks – The Attacker(s) Might Be Chinese
- A popular cloud service provider in China, Tencent, is being used by unknown threat actors to launch phishing campaigns.
- China-based businesses and government sectors are believed to be its primary victims.
- The origin of the attack and the identity of the attacker are yet to be discovered.
Popular Chinese cloud service provider Tencent Cloud is being used by unknown attackers to launch phishing campaigns and gain network access to Chinese entities.
While it's not uncommon for cloud companies to have their infrastructure abused by threat actors, it's a big deal in China, as the government there takes local internet security very seriously. The incident was uncovered last week by US-based threat detection service Securonix. Speaking about the attack, security researchers Den Iuzvyk and Tim Peck said: "The attackers managed to move laterally, establish persistence, and remain undetected within the systems for more than two weeks."
Given the slow pace of the attack, it has been nicknamed SLOW#TEMPEST. So far, the researchers have been unable to determine the source of the attack or the identity of the attacker behind the campaign.
However, since most such groups are affiliated with China, Russia, or North Korea, it's quite possible that these attackers are operating from within China. The quality of their work also makes it clear that they're highly sophisticated and probably affiliated with an experienced group or actor.
More about the Attack Methodology
One thing that has been accurately determined is the attack methodology. It starts with phishing emails that contain a compressed ZIP file titled "20240739.zip" (the name translates to "Personnel list information").
Opening this archive reveals another file, a shortcut ending in ".docx.lnk" (the name translates to "List of people who violated the remote control software regulations").
Next, when the user clicks this link, it triggers code execution from within nested directories whose names reference "MACOS".
The distributed files include UI.exe and dui70.dll. The first is actually a renamed copy of a legitimate Windows executable named LicensingUI.exe, a tool that informs users about software licensing and activation.
The legitimate file's normal job includes importing legitimate DLL files such as dui70.dll. These files are supposed to reside in C:\Windows\System32. However, owing to a DLL path traversal vulnerability, any DLL file with the same name can be sideloaded when the LNK file executes the renamed UI.exe.
Finally, when UI.exe runs, a malicious DLL (the implant for the notorious Cobalt Strike attack toolkit) is injected into the Windows binary runonce.exe, giving the attackers control over the target device. There are no previous records of DLL sideloading or system exploitation through LicensingUI.exe, so this is most likely a new technique.
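As an added illustration of how a defender might spot the sideloading pattern described above (example code written for this page, not Securonix's tooling or any file from the campaign), the Python script below scans constructed, Sysmon-style image-load records for a dui70.dll loaded from outside C:\Windows\System32 by a process whose PE original filename is LicensingUI.exe but which runs under another name or from a non-system directory. The record format, field names, and sample paths are assumptions; only the names LicensingUI.exe, UI.exe, dui70.dll and their expected System32 location come from the article.

```python
"""Detect the LicensingUI.exe / dui70.dll sideloading pattern in image-load telemetry.

The events below are constructed, Sysmon-style (Event ID 7-like) records, not real logs.
"""
import ntpath

SYSTEM32 = r"c:\windows\system32"
# DLLs the article says normally live in System32 and were sideloaded in this campaign.
# Extend with the system DLLs your own environment expects there (assumption).
WATCHED_DLLS = {"dui70.dll"}
# PE OriginalFileName of the abused host binary; the attackers ran it renamed as UI.exe.
ABUSED_HOSTS = {"licensingui.exe"}


def is_under(path, directory):
    """True if a Windows path lies inside the given directory (case-insensitive)."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def evaluate(event):
    """Return the reasons one image-load event looks like DLL sideloading (empty if benign)."""
    reasons = []
    image = event["Image"]                      # the loading process's executable path
    loaded = event["ImageLoaded"]               # the DLL that was mapped
    orig = event.get("OriginalFileName", "").lower()  # from the PE version resource
    host = ntpath.basename(image).lower()
    dll = ntpath.basename(loaded).lower()

    # A system DLL resolved from anywhere other than System32.
    if dll in WATCHED_DLLS and not is_under(loaded, SYSTEM32):
        reasons.append(f"{dll} loaded from {ntpath.dirname(loaded)} instead of System32")

    # The known-abused host binary running under a different name or from a user-writable path.
    if orig in ABUSED_HOSTS:
        if host != orig:
            reasons.append(f"{orig} running under renamed image {host}")
        if not is_under(image, SYSTEM32):
            reasons.append(f"{orig} executed from {ntpath.dirname(image)}")

    # The full pattern: host binary and "system" DLL side by side in a non-system directory.
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    if orig in ABUSED_HOSTS and dll in WATCHED_DLLS and same_dir and not is_under(image, SYSTEM32):
        reasons.append("host binary and DLL share a non-system directory (sideload pattern)")
    return reasons


def scan(events):
    """Return (image, dll, reasons) for every event that triggers at least one rule."""
    hits = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry: two benign loads and one matching the campaign's pattern.
# The extraction directory is a placeholder, not a path from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\LicensingUI.exe",
     "OriginalFileName": "LicensingUI.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "OriginalFileName": "app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\extracted\UI.exe",
     "OriginalFileName": "LicensingUI.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\extracted\dui70.dll"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"SUSPECT {image} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

The rules deliberately stay independent: the renamed-host check fires even if the attacker ships a differently named DLL, and the out-of-System32 check fires even if the host binary is not renamed, so a variation on either half of the technique still produces an alert. Comparing OriginalFileName with the on-disk name is the key field; a plain filename match on UI.exe would be trivial to evade.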
Also, from the unique file names, Peck and Iuzvyk inferred that the main victims are China-based businesses and government organizations.
Other Malware Deployed
In addition to the main malware, the attackers also deployed a number of additional tools, such as tmp.log (a log of shellcode to be executed by lld.exe), iox.exe (a tool for port forwarding and proxied connections), lld.exe (a shellcode loader binary), and many more.
There was another executable, fpr.exe, but its purpose is unknown.
The post Chinese Organizations Are Being Hit by Cobalt Strike Attacks - The Attacker(s) Might Be Chinese appeared first on The Tech Report.