Organizations across China are having their Windows systems targeted with Cobalt Strike payloads as part of the new stealthy SLOW#TEMPEST attack campaign, according to The Hacker News.
Threat actors distributed phishing emails carrying malicious ZIP files that contained a Word-spoofing LNK file purporting to list individuals who had violated remote control software regulations; opening it led to the deployment of a Microsoft binary and a DLL file concealing Cobalt Strike, a report from Securonix showed. Aside from enabling covert and persistent host access that allowed further payload deployment, Cobalt Strike execution also permitted privilege escalation, lateral movement via Remote Desktop Protocol, and credential exfiltration via the Mimikatz tool, said the report. "Although there was no solid evidence linking this attack to any known APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as Cobalt Strike and a wide range of other post-exploitation tools," said researchers.
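The lure described above relies on a Windows shortcut dressed up as a Word document inside a ZIP attachment. The following added example (not code from the Securonix report or the article) shows one mail-gateway style check a defender could run on an attachment: it opens the archive, identifies entries by the Shell Link header rather than by file name, and flags shortcuts whose name carries a document extension before `.lnk` (Windows hides `.lnk`, so such a file displays as a plain `.docx`). The archive contents, file names and the minimal shortcut header bytes are constructed sample data.

```python
import io
import zipfile

# Document extensions an attacker would prepend to ".lnk" to spoof a file type.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
# Every Shell Link (.lnk) file starts with HeaderSize 0x4C followed by the
# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
SHELL_LINK_HEADER = b"\x4c\x00\x00\x00"
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shell_link(head: bytes) -> bool:
    """True if the first 20 bytes of a file match the Shell Link header."""
    return head[:4] == SHELL_LINK_HEADER and head[4:20] == SHELL_LINK_CLSID


def spoofed_document_name(name: str) -> bool:
    """True for names like 'list.docx.lnk' that display as 'list.docx'."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return False
    stem = lower[:-4]
    return any(stem.endswith(ext) for ext in DOC_EXTS)


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that is a Shell Link file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)
            if not is_shell_link(head):
                continue  # content check, so renaming the file does not evade it
            name = info.filename.rsplit("/", 1)[-1]
            reasons = ["Shell Link (.lnk) file inside archive"]
            if spoofed_document_name(name):
                reasons.append("document extension prepended to .lnk")
            elif not name.lower().endswith(".lnk"):
                reasons.append("Shell Link content under a non-.lnk name")
            findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a header-only fake shortcut next to a benign text file."""
    fake_lnk = SHELL_LINK_HEADER + SHELL_LINK_CLSID + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("violators_list.docx.lnk", fake_lnk)  # constructed lure name
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()
```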