Chinese organizations are being hit by Cobalt Strike malware from within China

2 September 2024, 19:48 published

[ad_1]

Cybersecurity researchers from Securonix discovered a new threat campaign that included phishing, DLL sideloading, and Cobalt Strike beacons, all using Tencent’s infrastructure, and targeting Chinese entities. Tencent is the largest and most popular cloud service provider in China.

Apparently, the group (which has not been identified and doesn’t seem to resemble any known organization) was sending out phishing emails with attachments discussing “personnel lists” and “people who violated remote control software regulations”.

Given the topics of the phishing files, Securonix speculates that the attackers might have been targeting the government sector, or “specific Chinese related businesses”, since these “would employ individuals who follow ‘remote control software regulations’”.

SLOW#TEMPEST

Among the distributed files were UI.exe, and dui70.dll. The executable file is actually LicensingUI.exe – a legitimate tool that displays information about software licenses and activation. The .DLL file, on the other hand, is an old and vulnerable dynamic link library file that, through sideloading, allows the crook to deploy Cobalt Strike.

“The legitimate file is designed to import several legitimate DLL files, one of which is dui70.dll and should normally reside in C:\Windows\System32. However, thanks to a DLL path traversal vulnerability, any DLL containing the same name can be sideloaded upon the execution of the renamed UI.exe by the LNK file,” the researchers said.

Cobalt Strike is a cybersecurity tool used for simulating advanced persistent threats (APTs) in penetration testing, but it is also exploited by malicious actors for command and control operations. In this scenario, it was used to deliver all kinds of malware, including a port forwarding tool, a network reconnaissance tool, a scanner used in red teaming, and many more.

All IP addresses used in the attack were hosted at Tencent, China’s #1 cloud service provider, the researchers added. Furthermore, since the attackers were lurking for more than two weeks before making any moves, the researchers dubbed the attack SLOW#TEMPEST.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Via The Register

More from TechRadar Pro

[ad_2]

Source link

0

Joy

0

Cong.

0

Loved

0

Surprised

0

Unliked

0

Mad

Chinese organizations are being hit by Cobalt Strike malware from within China

Comment

Chinese organizations are being hit by Cobalt Strike malware from within China

Write a Reply Cancel

You may be interested

The Galaxy S25 could have genuinely useful AI features that trump Apple Intelligence – including these 5 tricks

Access Denied

Access Denied

I’ve been waiting years for ChatGPT’s new Tasks feature – here’s how I’m planning to use it to organize my life

Access Denied

Wrexham’s new stadium plans get even BIGGER after Ryan Reynolds revealed vision for 55,000-seater ground

150TB SSD modules to go mainstream in 2025, and Micron is getting a slice of that pie

Nvidia abandons the problematic 12VHPWR RTX 4080 power connector with a much longer one for the RTX 5080 FE according to leaked images

Access Denied

Transfer news LIVE: Saudis set to offer Mohamed Salah £65m, Marcus Rashford EXCLUSIVE, Trent Alexander-Arnold TWIST

Chinese organizations are being hit by Cobalt Strike malware from within China

Share This Post

or copy the link

Related News

Write a Reply Cancel

You may be interested