August 30, 2024 at 02:42AM
Chinese-speaking users are being targeted in a sophisticated cyber espionage campaign called SLOW#TEMPEST, using phishing emails to infect Windows systems with Cobalt Strike payloads. The attackers established persistence within systems, conducted reconnaissance, and set up remote access, allowing them to move laterally across networks undetected. The campaign appears to be orchestrated by a skilled threat actor with experience in advanced exploitation frameworks.
From the meeting notes on Aug 30, 2024, the discussion centered on a highly sophisticated cyber espionage campaign targeting Chinese-speaking users. The campaign, named SLOW#TEMPEST, leverages phishing emails with malicious ZIP files containing deceptive LNK files masquerading as legitimate Microsoft Word documents.
Upon unpacking the ZIP file, the infection chain is initiated, leading to the deployment of the post-exploitation toolkit, notably incorporating Cobalt Strike payloads. The attackers established lateral movement within the compromised systems and maintained undetected persistence for over two weeks, demonstrating advanced capabilities in privilege escalation, lateral movement via Remote Desktop Protocol (RDP), password extraction utilizing Mimikatz, and post-exploitation activities including reconnaissance and data exfiltration.
The campaign demonstrated a strategic approach to compromise, persistence, and network traversal, utilizing advanced exploitation frameworks like Cobalt Strike. Furthermore, all Command and Control (C2) servers associated with this campaign are hosted in China by Shenzhen Tencent Computer Systems Company Limited, indicating strong connections to China.
Although the threat actor behind this campaign has not been directly attributed to any known APT (Advanced Persistent Threat) groups, their expertise in employing advanced exploitation frameworks suggests the involvement of a seasoned threat actor.
The content of the meeting/notes provides insight into the sophistication and complexity of the cyber espionage campaign, detailing the methodical and strategic approach employed by the threat actor.