Cybersecurity researchers at Securonix discovered a new threat campaign involving phishing, DLL sideloading, and Cobalt Strike beacons, all leveraging Tencent’s infrastructure and targeting Chinese entities. Tencent is the largest and most popular cloud service provider in China.
Apparently, the group (which has not been identified and does not appear to be a known organization) sent out phishing emails with attachments discussing “employee lists” and “people who had violated remote control software regulations.”
Given the subject matter of the phishing files, Securonix suspects the attackers may have targeted the government sector or “specific Chinese companies” as they “would employ individuals who adhere to the ‘remote control software regulations’”.
SLOW#TEMPEST
Among the distributed files were UI.exe and dui70.dll. The executable is actually LicensingUI.exe – a legitimate tool that displays information about software licensing and activation. The .DLL file, on the other hand, is an old and vulnerable dynamic link library file that, through sideloading, allows the crook to deploy Cobalt Strike.
“The legitimate file is designed to import multiple legitimate DLL files, one of which is dui70.dll and should normally be located in C:WindowsSystem32. However, a DLL path traversal vulnerability allows any DLL of the same name to be sideloaded when executing the renamed UI.exe by the LNK file,” the researchers said.
Cobalt Strike is a cybersecurity tool used to simulate advanced persistent threats (APTs) in penetration testing, but it has also been abused by malicious actors for command and control operations. In this scenario, it was used to deliver a variety of malware, including a port forwarding tool, a network reconnaissance tool, a scanner used in red teaming, and more.
All IP addresses used in the attack were hosted by Tencent, China’s #1 cloud service provider, the researchers added. Furthermore, since the attackers lurked for more than two weeks before taking any action, the researchers dubbed the attack SLOW#TEMPEST.
Via The register