A highly organized and sophisticated cyber attack campaign, codenamed SLOW#TEMPEST, is targeting Chinese-speaking users. Researchers from Securonix have uncovered this campaign, which likely leverages phishing emails to deliver Cobalt Strike payloads, compromising Windows systems.
The campaign begins with malicious ZIP files containing a disguised Windows shortcut (LNK) file named "违规远程控制软件人员名单.docx.lnk" (which translates to "List of people who violated the remote control software regulations"). Once the archive is unpacked and the shortcut is opened, an infection chain deploys the Cobalt Strike post-exploitation toolkit on the compromised system.
The LNK file acts as a decoy, leading to the execution of a legitimate Microsoft binary, "LicensingUI.exe," through DLL side-loading. This method involves loading a rogue DLL file named "dui70.dll" located in a hidden directory within the ZIP archive, marking the first known instance of DLL side-loading using LicensingUI.exe. The rogue DLL serves as a Cobalt Strike implant, establishing persistent and stealthy access to the infected system by connecting to a remote server at "123.207.74[.]22".
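The archive layout described above (a double-extension shortcut plus a DLL tucked into a hidden directory) is something a mail gateway or sandbox can flag before anything is executed. The following triage script is an added example, not code from Securonix or from this article: it walks a ZIP's central directory and reports shortcuts that masquerade as documents, entries carrying the MS-DOS hidden attribute, and DLLs placed under a hidden directory. The decoy file name and "dui70.dll" come from the write-up; the ".cache/" directory name and the file contents are constructed placeholders.

```python
import io
import zipfile

# Names taken from the write-up above; everything else is constructed for this example.
DECOY_LNK = "违规远程控制软件人员名单.docx.lnk"
ROGUE_DLL = "dui70.dll"

DOCUMENT_EXTS = (".docx", ".doc", ".xlsx", ".pdf")
DOS_HIDDEN = 0x02  # MS-DOS "hidden" attribute bit in the low byte of ZipInfo.external_attr


def triage_zip(data: bytes):
    """Inspect a ZIP's central directory and return (finding, entry_name) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Directory entries carrying the hidden attribute; anything below them counts as hidden.
        hidden_dirs = [zi.filename for zi in infos
                       if zi.filename.endswith("/") and zi.external_attr & DOS_HIDDEN]
        for zi in infos:
            name = zi.filename
            leaf = name.lower().rsplit("/", 1)[-1]
            parts = leaf.split(".")
            # A shortcut masquerading as a document: <name>.docx.lnk
            if leaf.endswith(".lnk") and len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
                findings.append(("double_extension_lnk", name))
            if zi.external_attr & DOS_HIDDEN:
                findings.append(("hidden_entry", name))
            # A DLL inside a hidden directory matches the side-loading payload pattern in the report.
            if leaf.endswith(".dll") and any(name.startswith(d) for d in hidden_dirs):
                findings.append(("dll_in_hidden_directory", name))
    return findings


def build_sample_archive() -> bytes:
    """Construct an archive with the layout the report describes (contents are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DECOY_LNK, b"L\x00\x00\x00" + b"\x00" * 60)  # placeholder LNK header
        hidden_dir = zipfile.ZipInfo(".cache/")                   # constructed directory name
        hidden_dir.external_attr = 0x10 | DOS_HIDDEN              # DOS directory + hidden bits
        zf.writestr(hidden_dir, b"")
        zf.writestr(".cache/" + ROGUE_DLL, b"MZ" + b"\x00" * 62)  # placeholder PE header
    return buf.getvalue()


if __name__ == "__main__":
    for finding, entry in triage_zip(build_sample_archive()):
        print(f"{finding:24} {entry}")
```

The hidden attribute is read from the archive metadata rather than from the file names, because Windows-created ZIPs record the DOS attribute bits and a directory named without a leading dot can still be hidden on disk once extracted.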
Phishing and Social Engineering: The attack likely initiates through phishing emails, tricking victims into opening the malicious ZIP file.
DLL Side-Loading: The attackers use DLL side-loading with LicensingUI.exe to load the Cobalt Strike implant.
Persistence and Stealth: The campaign sets up a scheduled task to run a malicious executable, "lld.exe," periodically. This executable is designed to run arbitrary shellcode directly in memory, minimizing disk footprints and evading detection.
Privilege Escalation: The attackers exploit the built-in Guest user account by elevating its privileges, adding it to the administrative group, and assigning a new password. This tactic allows them to maintain access to the system with minimal detection, as Guest accounts are typically less monitored.
Lateral Movement and Network Penetration: The threat actors utilize the Remote Desktop Protocol (RDP) and credentials extracted using the Mimikatz tool to move laterally within the network. They establish remote connections to their command-and-control (C2) server from each compromised machine.
Reconnaissance and Data Exfiltration: The post-exploitation phase involves executing various enumeration commands and using the BloodHound tool for Active Directory reconnaissance. The attackers then exfiltrate the gathered information in ZIP file format.
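The stages listed above each leave a distinct trace in standard Windows telemetry. The rule set below is an added example written for this article, not detection content from Securonix, and it assumes Sysmon image-load (Event ID 7) and network (Event ID 3) records and Windows Security events 4698 (scheduled task created), 4732 (member added to a local group) and 4724 (password reset) have been normalized into dictionaries with the field names shown. The indicators (LicensingUI.exe, dui70.dll, lld.exe, the C2 address) are from the write-up; the hostnames, paths and SIDs in the sample events are constructed.

```python
import ntpath

# Indicators from the SLOW#TEMPEST write-up above.
SIDELOAD_HOST = "licensingui.exe"
ROGUE_DLL = "dui70.dll"
LOADER_EXE = "lld.exe"
C2_ADDRESS = "123.207.74.22"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _base(path):
    return ntpath.basename(path).lower()


def rule_sideload(ev):
    """Sysmon 7: LicensingUI.exe loads dui70.dll from outside the Windows system directories."""
    if ev.get("source") != "sysmon" or ev.get("event_id") != 7:
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    return (_base(ev.get("Image", "")) == SIDELOAD_HOST
            and _base(loaded) == ROGUE_DLL
            and not loaded.startswith(SYSTEM_DIRS))


def rule_scheduled_task(ev):
    """Security 4698: a newly created scheduled task whose action launches lld.exe."""
    return (ev.get("source") == "security" and ev.get("event_id") == 4698
            and LOADER_EXE in ev.get("TaskContent", "").lower())


def rule_guest_elevation(ev):
    """Security 4732 (Guest added to Administrators) or 4724 (Guest password reset)."""
    if ev.get("source") != "security":
        return False
    if ev.get("event_id") == 4732:
        member = ev.get("MemberName", "").lower()
        sid = ev.get("MemberSid", "")
        # 4732 often records only the SID; the built-in Guest account always has RID 501.
        return (ev.get("TargetUserName", "").lower() == "administrators"
                and ("guest" in member or sid.endswith("-501")))
    if ev.get("event_id") == 4724:
        return ev.get("TargetUserName", "").lower() == "guest"
    return False


def rule_c2_connection(ev):
    """Sysmon 3: outbound connection to the C2 address named in the report."""
    return (ev.get("source") == "sysmon" and ev.get("event_id") == 3
            and ev.get("DestinationIp") == C2_ADDRESS)


RULES = {
    "dll_sideload_licensingui": rule_sideload,
    "scheduled_task_lld": rule_scheduled_task,
    "guest_account_elevation": rule_guest_elevation,
    "c2_connection": rule_c2_connection,
}


def evaluate(events):
    """Return a sorted list of (rule_name, hostname) pairs for every matching event."""
    hits = set()
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.add((name, ev.get("Computer", "?")))
    return sorted(hits)


# Constructed sample telemetry: one benign dui70.dll load from System32, then the attack chain on WS01.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 7, "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\LicensingUI.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dui70.dll"},
    {"source": "sysmon", "event_id": 7, "Computer": "WS01",
     "Image": "C:\\Users\\u\\Downloads\\extracted\\LicensingUI.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\extracted\\.cache\\dui70.dll"},
    {"source": "security", "event_id": 4698, "Computer": "WS01",
     "TaskContent": "<Actions><Exec><Command>C:\\ProgramData\\lld.exe</Command></Exec></Actions>"},
    {"source": "security", "event_id": 4732, "Computer": "WS01",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111-2222-3333-501"},
    {"source": "security", "event_id": 4724, "Computer": "WS01", "TargetUserName": "Guest"},
    {"source": "sysmon", "event_id": 3, "Computer": "WS01", "DestinationIp": "123.207.74.22"},
    {"source": "sysmon", "event_id": 3, "Computer": "WS02", "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for rule_name, host in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule_name}")
```

The side-loading rule keys on the load path rather than the DLL name alone, since the genuine dui70.dll is loaded from System32 by many processes; the Guest rule accepts the RID-501 SID because 4732 frequently leaves the member's account name blank.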
While no solid evidence links SLOW#TEMPEST to any known Advanced Persistent Threat (APT) group, the sophistication and methodology of the campaign suggest it is orchestrated by a seasoned threat actor skilled in using advanced exploitation frameworks like Cobalt Strike. The involvement of Chinese infrastructure and artifacts further points to a connection with Chinese cyber operations.
Organizations and individuals can take the following steps to defend against similar attacks:
The SLOW#TEMPEST campaign highlights the increasing sophistication of cyber threats targeting specific language groups and regions. By combining phishing, DLL side-loading, and a quiet privilege escalation through the Guest account, the attackers were able to maintain a low profile while compromising critical systems. Ongoing vigilance and proactive security measures are essential to mitigate such threats.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067