Chinese organizations are being hit by Cobalt Strike malware from within China
Tencent is being used to drop malware to targets in the country
Cybersecurity researchers from Securonix discovered a new threat campaign that included phishing, DLL sideloading, and Cobalt Strike beacons, all using Tencent’s infrastructure, and targeting Chinese entities. Tencent is the largest and most popular cloud service provider in China.
Apparently, the group (which has not been identified and doesn’t seem to resemble any known organization) was sending out phishing emails with attachments discussing “personnel lists” and “people who violated remote control software regulations”.
Given the topics of the phishing files, Securonix speculates that the attackers might have been targeting the government sector, or “specific Chinese related businesses”, since these “would employ individuals who follow ‘remote control software regulations’”.
SLOW#TEMPEST
Among the distributed files were UI.exe, and dui70.dll. The executable file is actually LicensingUI.exe - a legitimate tool that displays information about software licenses and activation. The .DLL file, on the other hand, is an old and vulnerable dynamic link library file that, through sideloading, allows the crook to deploy Cobalt Strike.
"The legitimate file is designed to import several legitimate DLL files, one of which is dui70.dll and should normally reside in C:\Windows\System32. However, thanks to a DLL path traversal vulnerability, any DLL containing the same name can be sideloaded upon the execution of the renamed UI.exe by the LNK file," the researchers said.
Cobalt Strike is a cybersecurity tool used for simulating advanced persistent threats (APTs) in penetration testing, but it is also exploited by malicious actors for command and control operations. In this scenario, it was used to deliver all kinds of malware, including a port forwarding tool, a network reconnaissance tool, a scanner used in red teaming, and many more.
All IP addresses used in the attack were hosted at Tencent, China’s #1 cloud service provider, the researchers added. Furthermore, since the attackers were lurking for more than two weeks before making any moves, the researchers dubbed the attack SLOW#TEMPEST.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via The Register
More from TechRadar Pro
- Chinese hackers target Mac users with boosted Macma malware
- Here's a list of the best firewall software around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.