A sophisticated cyber campaign, dubbed SLOW#TEMPEST, has been uncovered by the Securonix Threat Research team, targeting Chinese-speaking users. The attack, characterized by the deployment of Cobalt Strike payloads, managed to evade detection for over two weeks, demonstrating the malicious actors’ ability to establish persistence and move laterally within compromised systems.
SLOW#TEMPEST primarily targets victims in China, with evidence suggesting that the attack leverages phishing emails to deliver malicious ZIP files. The lure files and the command-and-control (C2) infrastructure are predominantly written in Chinese, reinforcing the likelihood that Chinese users are the primary targets.
The C2 infrastructure is hosted by Shenzhen Tencent Computer Systems Company Limited, another indication that the operation is focused on China.
How it Works
According to Securonix researchers Den Iuzvyk and Tim Peck, the attack begins with the distribution of ZIP files, some of which are password-protected, a technique previously used by Qakbot threat actors to bypass email-based antivirus scanning (an encrypted archive cannot be inspected in transit). Once the ZIP file is opened, the user is presented with a shortcut (.lnk) file disguised as a .docx document; opening the shortcut launches the attack chain.
The attackers relied on DLL hijacking to execute the Cobalt Strike implant, a well-known post-exploitation framework for covertly controlling infected systems. The implant was loaded by a legitimate Microsoft executable that had been renamed, which the researchers say was tricked into loading the attackers' DLL through a DLL path traversal weakness. Because the process image itself is a signed Microsoft binary, controls that trust signed code are less likely to flag it, which helped the attackers keep their access quiet.
Post-Exploitation Activities
Once inside the target system, the attackers set up staging directories and downloaded additional tools for reconnaissance and network scanning. These tools, including port scanners and credential dumpers, let them identify live hosts and open ports and harvest credentials and other sensitive information.
They also established persistence through scheduled tasks and manipulated user accounts to maintain control over the compromised systems.
The gang then used Remote Desktop Protocol (RDP) to move laterally across the network, authenticating with credentials harvested by tools such as Mimikatz. Where those credentials belonged to higher-privileged accounts, this also allowed them to escalate privileges and compromise additional systems within the network.
The criminals' use of BloodHound, an Active Directory enumeration tool, further enabled them to map the domain's trust and permission relationships and identify high-value targets.
Securonix recommendations
According to the researchers, the key indicators of compromise identified in this investigation serve as critical data points for security teams aiming to detect and respond to similar threats in their environments.
By understanding the methods and tools used by cyber criminals in this campaign, defenders can better prepare to protect their networks from these advanced persistent threats.
- As this campaign likely originated from phishing emails, Securonix advises users to refrain from downloading files or attachments from external sources, particularly if they were unsolicited. Be cautious with common file types such as zip, rar, iso, and pdf files. During this campaign, password-protected zip files were sometimes used.
- Also, monitor common malware staging directories, especially for script-related activity in world-writable directories. In this campaign, threat actors staged files in subdirectories within C:\ProgramData, C:\Windows\Temp, and the user's %APPDATA% directory.
- Throughout the various stages of the SLOW#TEMPEST campaign, bad actors used encrypted channels over multiple ports to avoid detection. Therefore, Securonix strongly recommends implementing robust endpoint logging capabilities. This includes using additional process-level logging, such as Sysmon and PowerShell logging, to enhance log detection coverage.
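The following is an added example, not code from the original article or from Securonix, showing how the two detection opportunities described on this page (the renamed Microsoft executable loading a DLL from beside itself in the "How it Works" section, and the staging directories and Sysmon logging in the recommendations) can be expressed as simple rules over Sysmon-style events. The event records, paths and file names below are constructed for illustration and are not indicators from the campaign; the rules use the standard Sysmon field names for Event ID 1 (ProcessCreate), 7 (ImageLoad) and 11 (FileCreate).

```python
"""Rules over Sysmon-style events for two SLOW#TEMPEST-style behaviours.

Constructed example: the events at the bottom are made up to resemble
Sysmon Event ID 1, 7 and 11 records; they are not logs from the campaign.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Staging locations named in the article (case-insensitive prefix match).
STAGING_DIR_PATTERNS = [
    re.compile(r"^c:\\programdata\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I),
]
SCRIPT_EXTENSIONS = {".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta", ".lnk"}


def in_staging_dir(path: str) -> bool:
    """True when the path sits under one of the staging directories."""
    return any(p.match(path) for p in STAGING_DIR_PATTERNS)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def renamed_signed_binary(ev: dict) -> Alert | None:
    """Event 1: the on-disk file name differs from the PE's OriginalFileName,
    i.e. the binary was renamed before execution."""
    if ev.get("EventID") != 1:
        return None
    image = ev["Image"]
    original = ev.get("OriginalFileName", "")
    if original and original.lower() != ntpath.basename(image).lower():
        return Alert("renamed_binary", image, f"OriginalFileName={original}")
    return None


def sideload_from_staging(ev: dict) -> Alert | None:
    """Event 7: a process loads an unsigned DLL from its own directory, and
    that directory is one of the staging locations (classic side-loading)."""
    if ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "true").lower() != "true"
    if same_dir and unsigned and in_staging_dir(dll):
        return Alert("dll_sideload", image, f"ImageLoaded={dll}")
    return None


def script_dropped_in_staging(ev: dict) -> Alert | None:
    """Event 11: a script or shortcut file is written under a staging directory."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"]
    ext = ntpath.splitext(target)[1].lower()
    if in_staging_dir(target) and ext in SCRIPT_EXTENSIONS:
        return Alert("staged_script", ev["Image"], f"TargetFilename={target}")
    return None


RULES = (renamed_signed_binary, sideload_from_staging, script_dropped_in_staging)


def evaluate(events: list[dict]) -> list[Alert]:
    """Run every rule over every event and collect the alerts in order."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


# Constructed sample events; all names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\Update\svc.exe",
     "OriginalFileName": "UpdaterUI.exe"},                       # renamed binary
    {"EventID": 7, "Image": r"C:\ProgramData\Update\svc.exe",
     "ImageLoaded": r"C:\ProgramData\Update\helper.dll",
     "Signed": "false"},                                          # side-load
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},                                           # benign
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\st\run.ps1"},  # staged script
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},    # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},                          # benign (case only)
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.image}: {alert.detail}")
```

Each rule on its own is noisy (installers legitimately drop files in %APPDATA%, and some vendors ship renamed signed binaries), so in practice the value comes from correlating them on the same process: a renamed binary that then side-loads an unsigned DLL from a staging directory is a much stronger signal than either event alone.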
Evolving Tactics
The SLOW#TEMPEST campaign highlights cybercriminals’ evolving tactics. They are increasingly targeting specific regions and industries with tailored attacks. The campaign’s ability to remain undetected for weeks underscores the importance of robust cybersecurity measures, particularly in sectors that are likely to be targeted by such sophisticated operations.
The Securonix Threat Research team says it will continue to monitor the situation and advises entities to remain vigilant against similar attacks.