
Unknown Attackers Exploit Tencent Cloud In Phishing Campaign Targeting Chinese Entities

Securonix uncovers sophisticated attack using Tencent Cloud to deploy Cobalt Strike malware

A covert phishing campaign leveraging Tencent’s cloud services has been discovered, targeting Chinese-speaking users with Cobalt Strike malware. The campaign, identified by US-based cybersecurity firm Securonix, has reportedly infiltrated networks in China, remaining undetected for more than two weeks.

Securonix researchers Den Iuzvyk and Tim Peck revealed that the attack starts with phishing emails containing compressed Zip files titled “Personnel list information.” These files unpack to reveal a link named “List of people who violated the remote control software regulations.” Clicking on this link triggers the download of a malicious file disguised as a legitimate Windows executable, LicensingUI.exe.

This executable is abused for DLL sideloading: the legitimate, signed binary loads a malicious DLL placed alongside it, allowing the attackers to deploy Cobalt Strike malware, which then gains control over the victim’s system. The attackers use a series of additional tools to further compromise the network, including port scanners and credential dumpers.
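A defender reviewing process telemetry can catch this stage without any signature for the payload: a binary that normally lives in a Windows system directory suddenly executing from a user-writable location, and then loading a DLL from that same directory, is the characteristic shape of sideloading. The script below is an added illustration, not code from Securonix or from the article; it assumes that LicensingUI.exe normally resides in System32 (an assumption, not a claim the article makes), parses a constructed key=value log format rather than any real product's output, and uses sample events that are made up for the demonstration.

```python
"""Flag process-creation and image-load events where a well-known Windows binary
name runs from outside its expected system directory, a common DLL sideloading sign."""
import re
from pathlib import PureWindowsPath

# Binary named in the article. Its normal home being System32/SysWOW64 is an
# assumption made for this example, not something the article states.
WATCHED_BINARIES = {"licensingui.exe"}
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample telemetry in a simple key=value format (not real logs, and
# not any vendor's schema). The DLL name "helper.dll" is also made up.
SAMPLE_LOG = [
    "ts=2024-08-01T09:12:03Z event=ProcessCreate image=C:\\Windows\\System32\\LicensingUI.exe parent=C:\\Windows\\explorer.exe",
    "ts=2024-08-01T09:15:44Z event=ProcessCreate image=C:\\Users\\alice\\Downloads\\LicensingUI.exe parent=C:\\Windows\\explorer.exe",
    "ts=2024-08-01T09:15:45Z event=ImageLoad image=C:\\Users\\alice\\Downloads\\LicensingUI.exe loaded=C:\\Users\\alice\\Downloads\\helper.dll",
    "ts=2024-08-01T09:16:10Z event=ProcessCreate image=C:\\Program Files\\Vendor\\tool.exe parent=C:\\Windows\\explorer.exe",
]


def parse_event(line):
    """Split 'key=value key=value' into a dict; values may contain spaces
    (e.g. 'Program Files'), so each value runs until the next ' key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|\Z)", line))


def runs_from_expected_dir(path):
    """True if the executable's parent directory is one of the trusted system dirs."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent in EXPECTED_DIRS


def is_suspicious_host(path):
    """A watched system binary name executing from anywhere but its system dir."""
    name = PureWindowsPath(path).name.lower()
    return name in WATCHED_BINARIES and not runs_from_expected_dir(path)


def find_sideload_candidates(lines):
    """Return (timestamp, reason, path) tuples for events worth an analyst's look."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if not is_suspicious_host(image):
            continue
        if ev.get("event") == "ProcessCreate":
            hits.append((ev["ts"], "watched binary outside system dir", image))
        elif ev.get("event") == "ImageLoad":
            loaded = ev.get("loaded", "")
            # The sideloading pattern proper: the relocated host pulls a DLL from
            # its own (attacker-controlled) directory instead of the system dir.
            if PureWindowsPath(loaded).parent == PureWindowsPath(image).parent:
                hits.append((ev["ts"], "DLL loaded from same directory as relocated host", loaded))
    return hits


if __name__ == "__main__":
    for ts, reason, path in find_sideload_candidates(SAMPLE_LOG):
        print(f"{ts}  {reason}: {path}")
```

In practice the watched-binary set would be a larger list of signed Microsoft executables known to be used as sideloading hosts, and the expected-directory check would be backed by the binary's Authenticode signer and file hash rather than its name alone; the shape of the rule stays the same.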

Securonix identified that all IP addresses linked to the attack were hosted on Tencent’s cloud infrastructure, including its object storage service. While public clouds often face the challenge of being used by malicious actors, the Chinese government is known for holding its tech giants accountable when local internet security is compromised.

The security firm has dubbed this campaign SLOW#TEMPEST, citing the attackers’ ability to maintain persistent access in compromised networks. While the origin of the attackers remains unclear, the sophistication of the operation suggests it was carried out by a seasoned threat actor.

Despite the complexity and sophistication of the campaign, Securonix has not been able to link it to any known Advanced Persistent Threat (APT) groups. While many APTs are associated with China, Russia, or North Korea, the exact origin of this attack remains unclear. However, given the nature of the targeted information, it is possible that China’s adversaries could also be involved.
