China targeted by 'SlowTempest' espionage cyberattacks, critical infrastructure at risk
Tencent cloud services used in phishing attack

Sep 02, 2024
02:07 pm

What's the story

Cybersecurity researchers at Securonix have uncovered a sophisticated espionage campaign dubbed "SlowTempest" targeting organizations within China. The campaign, leveraging Tencent's cloud services, appears to be focused on gaining access to critical infrastructure, potentially for espionage, data exfiltration, or even sabotage. The attack primarily targets Chinese-speaking users with Cobalt Strike payloads, likely delivered through deceptive emails.

Stealth tactics

Attackers remain undetected for over two weeks

The attackers behind this campaign have demonstrated significant stealth, remaining undetected within the targeted systems for more than two weeks. Who is behind the operation and how the lure reaches victims have not been confirmed, but the infection chain begins with a compressed Zip file, most likely sent as a phishing attachment, titled "20240739人员名单信息.zip", which translates to "Personnel list information."

Target identification

Phishing emails target specific Chinese sectors

The phishing lures appear to target specific Chinese business or government sectors. This is suggested by the filenames used in the campaign, which point at entities employing individuals subject to 'remote control software regulations.' When a victim opens the archive and launches the shortcut inside, code is executed from within nested directories whose names reference "MACOS."

Exploitation technique

Attackers exploit DLL path traversal vulnerability

The attack involves a pair of files named dui70.dll and UI.exe, buried several directories deep inside the archive. UI.exe is a renamed copy of the legitimate Windows executable LicensingUI.exe. When the LNK file launches UI.exe, the binary resolves dui70.dll by name, and because the executable's own directory is searched before the Windows system directories, it loads the attackers' dui70.dll sitting beside it instead of the genuine library. This is DLL sideloading (search-order hijacking), which the researchers describe as a DLL path traversal weakness; any DLL with the expected name placed next to the renamed binary would be loaded. The technique appears to be new, as no previous reports of LicensingUI.exe being abused this way have been identified.

Total control

Attackers gain total control over host

Once UI.exe runs, the malicious DLL, an implant for the Cobalt Strike post-exploitation toolkit, injects itself into the legitimate Windows binary runonce.exe, so the beacon executes under a trusted process name. This gives the attackers full control of the host, after which they deploy several further pieces of malware to pursue their objectives.
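The chain described in the two sections above (a renamed LicensingUI.exe sideloading dui70.dll, then a thread created in runonce.exe) leaves three distinct telemetry signals. The following Python is an added detection sketch, not code from the article or from Securonix: it runs three rules over constructed Sysmon-style events (Event ID 1 process creation with its OriginalFileName field, Event ID 7 image load, Event ID 8 CreateRemoteThread). The sample paths, the directory name "20240739" and the dictionary-shaped event records are assumptions made for the example; a real deployment would read the events from the Sysmon operational log.

```python
"""Detection sketch for the SlowTempest sideload-then-inject chain.

Added example: constructed events, not real telemetry. Field names follow
Sysmon's schema so the rules port directly to a SIEM query.
"""
import ntpath

# Directories where dui70.dll and runonce.exe legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (assumption: paths and directory names are made up).
SAMPLE_EVENTS = [
    # benign: the real LicensingUI.exe starting from System32
    {"EventID": 1, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "OriginalFileName": "LicensingUI.exe"},
    # suspicious: LicensingUI.exe renamed to UI.exe in a user-writable path
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\20240739\UI.exe",
     "OriginalFileName": "LicensingUI.exe"},
    # benign: dui70.dll resolved from System32
    {"EventID": 7, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll"},
    # suspicious: dui70.dll sideloaded from the directory beside the renamed binary
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\20240739\UI.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\20240739\dui70.dll"},
    # suspicious: remote thread from UI.exe into runonce.exe
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\20240739\UI.exe",
     "TargetImage": r"C:\Windows\System32\runonce.exe"},
    # benign remote thread between two system binaries; must not fire
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def in_system_dir(path):
    """True when the path sits under one of the Windows system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def renamed_licensingui(ev):
    """Event 1: the PE's OriginalFileName says LicensingUI.exe but the
    on-disk name differs, i.e. a renamed copy such as UI.exe."""
    return (ev.get("EventID") == 1
            and ev.get("OriginalFileName", "").lower() == "licensingui.exe"
            and basename(ev["Image"]) != "licensingui.exe")


def sideloaded_dui70(ev):
    """Event 7: dui70.dll loaded from anywhere other than the system
    directories, the signature of search-order hijacking."""
    return (ev.get("EventID") == 7
            and basename(ev["ImageLoaded"]) == "dui70.dll"
            and not in_system_dir(ev["ImageLoaded"]))


def runonce_injection(ev):
    """Event 8: a process running outside the system directories creates a
    thread in runonce.exe, matching the implant's injection target."""
    return (ev.get("EventID") == 8
            and basename(ev["TargetImage"]) == "runonce.exe"
            and not in_system_dir(ev["SourceImage"]))


RULES = {
    "renamed_licensingui": renamed_licensingui,
    "sideloaded_dui70": sideloaded_dui70,
    "runonce_injection": runonce_injection,
}


def scan(events):
    """Return (rule name, offending process image) for every matching event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("Image") or ev.get("SourceImage")))
    return hits


if __name__ == "__main__":
    for rule_name, image in scan(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```

Each rule fires on a different stage, so the three together give a kill-chain view rather than a single indicator; the first rule is the most portable, since comparing OriginalFileName against the on-disk name catches any renamed system binary, not just LicensingUI.exe.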

Persistent access

Attackers establish persistent access in victim networks

The attackers have been observed establishing persistent access within victim networks and moving laterally over Remote Desktop Protocol (RDP). Their reconnaissance focused on Active Directory configuration and the host's public IP address. All the IP addresses used in the attack were hosted at Tencent, including on its cloud object storage service. The campaign has been named "SlowTempest" for the patience and persistence the attackers showed in pursuing their goals.