China targeted by 'SlowTempest' espionage cyberattacks, critical infrastructure at risk
What's the story
Cybersecurity researchers at Securonix have uncovered a sophisticated espionage campaign dubbed "SlowTempest" targeting organizations within China. The campaign, leveraging Tencent's cloud services, appears to be focused on gaining access to critical infrastructure, potentially for espionage, data exfiltration, or even sabotage. The attack primarily targets Chinese-speaking users with Cobalt Strike payloads, likely delivered through deceptive emails.
Stealth tactics
Attackers remain undetected for over two weeks
The attackers behind this campaign have demonstrated significant stealth capabilities, remaining undetected within the targeted systems for more than two weeks. The origin and attack vector of this operation remain unknown. However, it has been established that the attack begins with phishing emails containing compressed Zip files titled titled "20240739人员名单信息.zip" - which translates to "Personnel list information."
Target identification
Phishing emails target specific Chinese sectors
The phishing emails used in this attack appear to target specific Chinese business or government sectors. This is suggested by the filenames used in the campaign, which indicate a focus on entities employing individuals who adhere to 'remote control software regulations.' Upon opening these deceptive files, code is executed from within nested directories referencing "MACOS."
Exploitation technique
Attackers exploit DLL path traversal vulnerability
The attack involves a pair of files named dui70.dll and UI.exe, hidden within several directories. The latter file is a renamed version of a legitimate Windows executable named LicensingUI.exe. The attackers exploit a DLL path traversal vulnerability to sideload any DLL with the same name upon execution of the renamed UI.exe by the LNK file. This technique appears to be new as no previous reports involving LicensingUI.exe have been identified.
Total control
Attackers gain total control over host
Once the UI.exe is executed, a malicious DLL that serves as an implant for the notorious Cobalt Strike attack toolkit injects itself into the Windows binary "runonce.exe." This action grants the attackers complete control over a host. Following this, they deploy several other pieces of malware to further their objectives.
Persistent access
Attackers establish persistent access in victim networks
The attackers have been observed establishing persistent access within victim networks, and moving laterally using remote desktop protocol. Their targets include information on Active Directory configuration and public IP addresses. All the IP addresses used in this attack were hosted at Tencent, including its cloud object storage service. The campaign has been named "SlowTempest" due to the attacker's patience and persistence in achieving their goals.