Novel attack on Windows spotted in phishing campaign run from and targeting China

Resources hosted at Tencent Cloud involved in Cobalt Strike campaign


Chinese web champ Tencent's cloud is being used by unknown attackers as part of a phishing campaign that aims to achieve persistent network access at Chinese entities.

US-based threat detection, investigation and response tools vendor Securonix last week claimed to have "uncovered a covert campaign targeting Chinese-speaking users with Cobalt Strike payloads likely delivered through phishing emails. The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks."

Securonix threat researchers Den Iuzvyk and Tim Peck wrote that they could not determine the origin of the attack, nor confirm its initial delivery vector. The pair nonetheless concluded that it most likely starts with phishing mails carrying a Zip archive titled "20240739人员名单信息.zip" – which translates to "Personnel list information."

Opening that archive reveals a Windows shortcut file titled "违规远程控制软件人员名单.docx.lnk" – "List of people who violated the remote control software regulations." Because Explorer never displays the .lnk extension, the file appears to the victim to be an ordinary Word document.
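The document-then-shortcut double extension is cheap to catch at a mail gateway or sandbox before anyone double-clicks it. The check below is an added example, not Securonix's code or anything from the campaign; it builds a sample archive in memory reusing the member name quoted above (the shortcut bytes are a placeholder, not a real .lnk), and the list of document extensions it treats as lure-like is an assumption.

```python
"""Flag archive members named <anything>.<document ext>.lnk.

Added example, not part of the original article. The sample archive is
constructed here; the DOC_EXTS list is an assumed set of lure-looking types.
"""
import io
import zipfile

# Extensions a victim would expect to open as a document (assumed list).
DOC_EXTS = {".docx", ".doc", ".xlsx", ".xls", ".pdf", ".txt"}


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names that end in a document extension followed by .lnk."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Compare on the base name only, case-insensitively; zipfile uses '/' separators.
            base = name.rsplit("/", 1)[-1].lower()
            if not base.endswith(".lnk"):
                continue
            stem = base[:-len(".lnk")]
            if any(stem.endswith(ext) for ext in DOC_EXTS):
                found.append(name)
    return found


def build_sample_archive() -> bytes:
    """Constructed archive that mimics the lure; the .lnk content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Member name taken from the article; bytes are NOT a real shortcut.
        zf.writestr("违规远程控制软件人员名单.docx.lnk", b"L\x00\x00\x00placeholder")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for member in suspicious_members(build_sample_archive()):
        print("suspicious shortcut:", member)
```

The non-ASCII member name round-trips because `zipfile` sets the UTF-8 name flag on write and honours it on read; a gateway that re-encodes names as CP437 would need to decode them first.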

Iuzvyk and Peck suggested that the filenames mean the campaign likely targets "specific Chinese related business or government sectors … as they would both employ individuals who follow 'remote control software regulations'."

Whatever the motive, clicking on that link leads to execution of code that runs from within nested directories with names that reference "MACOS."

Several directories down lurks a pair of files named dui70.dll and UI.exe.

The latter is a re-named version of a legit Windows executable named LicensingUI.exe – the tool that informs users about software licensing and activation.

"The legitimate file is designed to import several legitimate DLL files, one of which is dui70.dll and should normally reside in C:\Windows\System32. However, thanks to a DLL path traversal vulnerability, any DLL containing the same name can be sideloaded upon the execution of the renamed UI.exe by the LNK file," Securonix's researchers wrote.

The pair could not find prior reports of a DLL sideloading or hijacking technique involving LicensingUI.exe, so perhaps this is a new host for an old tactic: Windows searches the directory an executable was launched from before System32, so a DLL dropped beside the renamed binary wins the search for any import that is not a KnownDLL.

Once UI.exe runs, the malicious DLL – actually an implant for the notorious Cobalt Strike attack toolkit – gets to work and injects itself into the legitimate Windows binary runonce.exe. The beacon running inside that process gives the attackers remote control over the host.
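The chain just described – a system binary running under a new name from a user-writable directory, a System32-resident DLL name loaded from somewhere else, and runonce.exe started by an unexpected parent – leaves three distinct marks in process and image-load telemetry. The hunt below is an added example rather than Securonix's detection logic; it runs over constructed Sysmon-style ProcessCreate (EventID 1) and ImageLoad (EventID 7) records, the Temp path is hypothetical, and the rule that runonce.exe should only be launched from under C:\Windows is an assumption to be tuned per environment.

```python
"""Hunt for the renamed-LicensingUI.exe sideload chain in Sysmon-style events.

Added example, not code from the article or from Securonix. Events, paths
and the runonce parent rule are constructed assumptions for illustration.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# Sideload host (by OriginalFileName) -> DLL names it imports from System32.
SIDELOAD_PAIRS = {"licensingui.exe": {"dui70.dll"}}
WATCHED_DLLS = set().union(*SIDELOAD_PAIRS.values())


def _under(path: str, *roots: str) -> bool:
    """Case-insensitive check that path lies below one of the given roots."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in roots:
        rparts = [p.lower() for p in PureWindowsPath(root).parts]
        if parts[: len(rparts)] == rparts:
            return True
    return False


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyse(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, offending path) hits for the three stages of the chain."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            orig = ev.get("OriginalFileName", "").lower()
            # Stage 1: a known sideload host whose on-disk name or location changed.
            if orig in SIDELOAD_PAIRS and (
                _name(image) != orig or not _under(image, *SYSTEM_DIRS)
            ):
                hits.append(("renamed_system_binary", image))
            # Stage 3: runonce.exe with a parent outside the Windows directory
            # (assumed baseline; explorer/userinit live under C:\Windows).
            parent = ev.get("ParentImage", "")
            if _name(image) == "runonce.exe" and not _under(parent, r"C:\Windows"):
                hits.append(("runonce_unusual_parent", parent))
        elif eid == 7:
            # Stage 2: a watched DLL name resolved from outside the system directories.
            loaded = ev.get("ImageLoaded", "")
            if _name(loaded) in WATCHED_DLLS and not _under(loaded, *SYSTEM_DIRS):
                hits.append(("dll_sideload", loaded))
    return hits


# Constructed sample telemetry (not real campaign data). The first two events
# are the legitimate binary; the rest mirror the chain described in the article.
_TMP = r"C:\Users\victim\AppData\Local\Temp\MACOS\__MACOS"  # hypothetical drop path
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "OriginalFileName": "LicensingUI.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll"},
    {"EventID": 1, "Image": _TMP + r"\UI.exe",
     "OriginalFileName": "LicensingUI.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": _TMP + r"\UI.exe",
     "ImageLoaded": _TMP + r"\dui70.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\runonce.exe",
     "OriginalFileName": "RUNONCE.EXE", "ParentImage": _TMP + r"\UI.exe"},
]

if __name__ == "__main__":
    for rule, path in analyse(SAMPLE_EVENTS):
        print(f"{rule:24s} {path}")
```

Matching on OriginalFileName rather than the on-disk name is what makes the first rule survive the rename; Sysmon reads that field from the PE's version resource, which the attackers left intact. Adding further host/DLL pairs to `SIDELOAD_PAIRS` extends all three rules without other changes.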

Whoever runs this campaign then deploys several other pieces of nastyware, namely:

The above were executed in sequence and produced plenty of info the attackers exfiltrated – presumably to inform other attacks.

Securonix observed the attackers establishing persistent access in victim networks and moving laterally using the Remote Desktop Protocol (RDP).

Information on the victims' Active Directory configuration was one target; their public IP addresses were another.

Securonix's researchers wrote that all the IP addresses they observed as having been used in this attack were hosted at Tencent – including in its cloud object storage service. It's not unusual for public clouds to find they have nasty customers, but China's government does not look kindly upon its tech giants when they fail to safeguard the local internet.

The security vendor has named the campaign it spotted SLOW#TEMPEST because whoever runs it is willing to lurk for a week or two in pursuit of their goals.

Threat researchers Iuzvyk and Peck labelled the attacker "highly organized and sophisticated [and] likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as CobaltStrike and a wide range of other post-exploitation tools."

"The campaign's complexity is evident in its methodical approach to initial compromise, persistence, privilege escalation and lateral movement across the network."

But Securonix could not find solid evidence linking this attack to any known APT groups.

Most such groups are thought to be affiliated either with China itself, or Russia, or North Korea.

The latter two nations are among Beijing's closest friends. But of course those who count China as a foe could also be very interested in the kind of info this attack targets. ®
