The Register: Novel attack on Windows spotted in phishing campaign run from and targeting China

Source URL: https://www.theregister.com/2024/09/02/securonix_china_slowtempest_campaign/
Source: The Register
Title: Novel attack on Windows spotted in phishing campaign run from and targeting China

Feedly Summary: Resources hosted at Tencent Cloud involved in Cobalt Strike campaign
Chinese web champ Tencent’s cloud is being used by unknown attackers as part of a phishing campaign that aims to achieve persistent network access at Chinese entities.…

AI Summary and Description: Yes

Summary: The text details a sophisticated phishing campaign targeting Chinese entities, utilizing Cobalt Strike payloads for persistent network access. Securonix’s findings highlight the attackers’ organized and methodical approach, which is noteworthy for security professionals focused on threat detection and incident response.

Detailed Description:
This incident illustrates how a phishing lure, a trusted signed binary, and off-the-shelf intranet tooling can be chained into a persistent foothold. The campaign's complexity and methodical tradecraft point to a well-organised threat actor. The major points, elaborated:

– **Phishing Methodology**: The attackers gained initial access through phishing emails carrying a malicious Zip archive.
– The archive was given an innocuous, work-related name such as “20240739人员名单信息.zip” (“personnel list information”) to entice recipients into opening it.

– **Payload Execution**:
– The unpacked archive contained a Windows shortcut (.lnk) whose launch ultimately executes a malicious DLL.
– The shortcut runs a renamed copy of `LicensingUI.exe`, a legitimate, Microsoft-signed binary; the binary was not modified, but it resolves a DLL from its own directory, so the attacker's DLL placed beside it is loaded instead (DLL sideloading). This is the "novel" element of the headline: a signed Microsoft executable does the loading, so the malicious code runs under a trusted parent.
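The execution chain above leaves two correlatable traces in endpoint telemetry: a process whose on-disk name differs from the `OriginalFileName` compiled into its PE version resource, and that same process loading an unsigned DLL from its own directory rather than from the Windows system directories. The following is an added example, not code from The Register or from Securonix, of a small correlation rule over Sysmon-style records (Event ID 1 ProcessCreate and Event ID 7 ImageLoad). The sample events, the `list.exe` / `helper.dll` file names and the temp path are constructed for the example; `LicensingUI.exe` is the only name taken from the article.

```python
"""
Added example, not code from The Register or Securonix: a correlation rule
over Sysmon-style telemetry for a renamed Microsoft binary that sideloads
a DLL from its own directory. Field names follow Sysmon Event ID 1
(ProcessCreate) and Event ID 7 (ImageLoad); the sample records, paths and
file names below are constructed for the example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Directories a Microsoft-signed binary normally resolves its DLLs from.
# A DLL loaded from the executable's own directory instead is a sideload.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\winsxs\\")


@dataclass
class Proc:
    image: str
    original_file_name: str
    company: str
    dlls: list[tuple[str, bool]] = field(default_factory=list)  # (path, signed)


def is_renamed(image: str, original_file_name: str) -> bool:
    """On-disk name differs from the name in the PE version resource."""
    if original_file_name in ("", "-", "?"):
        return False
    return ntpath.basename(image).lower() != original_file_name.lower()


def is_sideload(image: str, dll: str) -> bool:
    """DLL came from the executable's directory, not a system directory."""
    dll_low = dll.lower()
    if dll_low.startswith(TRUSTED_DLL_DIRS):
        return False
    return ntpath.dirname(dll_low) == ntpath.dirname(image.lower())


def analyze(events: list[dict]) -> list[dict]:
    """Correlate EID 1 and EID 7 by ProcessGuid; return one finding per
    process that loads an unsigned sideloaded DLL, noting whether the host
    binary is renamed and whether it claims to be a Microsoft binary."""
    procs: dict[str, Proc] = {}
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            procs[guid] = Proc(ev["Image"], ev.get("OriginalFileName", "-"),
                               ev.get("Company", "-"))
        elif ev["EventID"] == 7 and guid in procs:  # loads without a create are skipped
            procs[guid].dlls.append((ev["ImageLoaded"],
                                     ev.get("Signed", "false") == "true"))

    findings = []
    for p in procs.values():
        unsigned_sideloads = [d for d, signed in p.dlls
                              if is_sideload(p.image, d) and not signed]
        if unsigned_sideloads:
            findings.append({
                "image": p.image,
                "original_file_name": p.original_file_name,
                "renamed": is_renamed(p.image, p.original_file_name),
                "microsoft_binary": "microsoft" in p.company.lower(),
                "sideloaded": unsigned_sideloads,
            })
    return findings


# Constructed sample telemetry: a renamed copy of LicensingUI.exe launched
# from an extracted archive loads an unsigned DLL sitting next to it; a
# benign notepad.exe is included for contrast.
TEMP_DIR = "C:\\Users\\victim\\AppData\\Local\\Temp\\20240739"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{a1}", "Image": TEMP_DIR + "\\list.exe",
     "OriginalFileName": "LicensingUI.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "ProcessGuid": "{a1}",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessGuid": "{a1}",
     "ImageLoaded": TEMP_DIR + "\\helper.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{b2}", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Company": "Microsoft Corporation"},
    {"EventID": 7, "ProcessGuid": "{b2}",
     "ImageLoaded": "C:\\Windows\\System32\\comctl32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        tags = [t for t, on in (("renamed", f["renamed"]),
                                ("microsoft-signed host", f["microsoft_binary"])) if on]
        print(f["image"], "->", f["sideloaded"], " ".join(tags))
```

The rename check alone is noisy (installers and updaters legitimately rename binaries), and the sideload check alone fires on plenty of third-party software that ships its own DLLs; the combination of a Microsoft-attributed `OriginalFileName`, a different on-disk name, and an unsigned DLL from the same user-writable directory is what makes this chain stand out. Process creations with a `.lnk`-launched parent and an archive-extraction path, as in the lure described above, are the natural enrichment to add.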

– **Malicious Tools Deployed**:
– Once the attackers had a foothold, they dropped a mix of custom and open-source tooling, including:
– **fpr.exe**: an executable whose purpose was not identified.
– **iox.exe**: used for port forwarding and proxied connections into the internal network.
– **fscan.exe**: an open-source intranet scanner used for host and port discovery.
– **netspy.exe**: used for network reconnaissance, discovering reachable network segments.
– **lld.exe**: a shellcode loader that executes raw shellcode staged in temporary files.
– Other utilities aimed at credential dumping and Windows Active Directory enumeration.

– **Persistent Access and Lateral Movement**:
– The attackers established persistent access within victim networks and used Remote Desktop Protocol (RDP) for lateral movement.
– Enumeration targeted Active Directory configuration and the organisation's public-facing IP addresses.

– **Infrastructure Implications**:
– Hosting attack resources on Tencent Cloud is abuse of legitimate infrastructure rather than a flaw in the provider: traffic to a major domestic cloud platform blends in with normal business traffic and cannot simply be blocked wholesale, which is why defenders have to rely on host-level indicators rather than destination alone. It also invites scrutiny of how quickly providers detect and take down such tenants.

– **Attribution Challenges**:
– Despite the attack's sophistication, Securonix could not conclusively link the campaign to any known advanced persistent threat (APT) group; the choice of Chinese-language lures and Chinese targets suggests a geopolitical motive but does not establish one.

– **SLOW#TEMPEST Campaign**:
– Securonix named the campaign SLOW#TEMPEST for its slow, stealthy and prolonged approach, indicative of a seasoned threat actor's methodical operating procedures.

For security and compliance professionals, the SLOW#TEMPEST incident serves as a critical reminder of the evolving landscape of cyber threats, especially highlighting the need for enhanced detection strategies and persistent vigilance against sophisticated phishing campaigns.