
Cobalt Strike Attack: Threat Actors Leverage Phishing Emails

Wajahat Raja

September 9, 2024 - TuxCare expert team

In the cybercrime landscape, Chinese users have been targeted with a new Cobalt Strike attack. The unidentified threat actors behind the campaign leverage phishing emails to infect Windows systems with the payload. In this article, we’ll determine how such an attack plays out and go into the details of the attack arsenal. Let’s begin!

New Cobalt Strike Attack Details

The new Cobalt Strike attack campaign has been codenamed SLOW#TEMPEST. As of now, it has not been attributed to any known threat actor. The available details indicate that the Cobalt Strike attack starts with malicious ZIP files. When these files are unpacked, they activate the infection chain.

Reports claim that this triggers the deployment of the post-exploitation toolkit on a targeted and compromised system. The attack arsenal also includes a Windows shortcut (LNK) file. This file masquerades as a Microsoft Word document, using the double-extension name “违规远程控制软件人员名单.docx.lnk.” The file name, when translated into English, means “List of people who violated the remote control software regulations.”

Researchers have pointed out that the targets of the new Cobalt Strike attack could be Chinese-related government or business sectors. This assessment stems from the language used in the lure files and the fact that individuals in both of these sectors are likely to be subject to “remote control software regulations.”

Phishing Attacks On Windows System

As part of the phishing attack, the LNK file is used to launch “LicensingUI.exe,” a legitimate Windows binary that is abused for DLL side-loading. The binary then loads a rogue DLL named “dui70.dll,” which helps the threat actors maintain persistence and stealth throughout the attack.

The DLL file is also responsible for establishing contact with a remote server. Once contact has been established, the attackers can use the remote access for activities that include deploying additional payloads and setting up proxy connections. The new Cobalt Strike attack is also known to set up a scheduled task that executes “lld.exe.”

This is a malicious file that can run arbitrary shellcode in memory while leaving a minimal footprint on disk. Providing further insight into the attacks, researchers have stated that:

“The attackers further enabled themselves to hide in the weeds in compromised systems by manually elevating the privileges of the built-in Guest user account.

This account, typically disabled and minimally privileged, was transformed into a powerful access point by adding it to the critical administrative group and assigning it a new password. 

This backdoor allows them to maintain access to the system with minimal detection, as the Guest account is often not monitored as closely as other user accounts.”
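The Guest-account backdoor the researchers describe leaves a recognisable trail in the Windows Security log. The following detection logic is an added example (not code from the TuxCare article or the SLOW#TEMPEST researchers); it correlates the real Security event IDs 4722 (account enabled), 4724 (password reset) and 4732 (member added to a local group) against constructed sample events, and it assumes the member name in 4732 is already resolved to DOMAIN\user rather than a bare SID.

```python
# Added example: flag the Guest-account elevation pattern (enable + reset
# password + add to Administrators) in Windows Security events.
# The event IDs are genuine Windows Security log IDs; the sample events are
# constructed and simplified (real 4732 events often carry only MemberSid).
from typing import Iterable

ADMIN_GROUP = "Administrators"
WATCHED_ACCOUNT = "Guest"

# 4722: a user account was enabled, 4724: an attempt was made to reset a
# password, 4732: a member was added to a security-enabled local group.
ACCOUNT_EVENT_MEANING = {4722: "enabled", 4724: "password_reset"}

# Constructed sample events, loosely modelled on Security.evtx fields.
SAMPLE_EVENTS = [
    {"EventID": 4722, "TargetUserName": "Guest", "SubjectUserName": "svc_deploy"},
    {"EventID": 4724, "TargetUserName": "Guest", "SubjectUserName": "svc_deploy"},
    {"EventID": 4732, "MemberName": "CORP\\Guest", "TargetUserName": "Administrators",
     "SubjectUserName": "svc_deploy"},
    {"EventID": 4732, "MemberName": "CORP\\alice", "TargetUserName": "Remote Desktop Users",
     "SubjectUserName": "helpdesk"},
]


def guest_abuse_indicators(events: Iterable[dict]) -> dict:
    """Map each suspicious action seen against Guest to the account that did it."""
    seen = {}
    for ev in events:
        eid = ev.get("EventID")
        if eid in ACCOUNT_EVENT_MEANING and ev.get("TargetUserName") == WATCHED_ACCOUNT:
            seen[ACCOUNT_EVENT_MEANING[eid]] = ev.get("SubjectUserName")
        elif eid == 4732:
            # In 4732, TargetUserName is the group and MemberName is DOMAIN\user.
            member = ev.get("MemberName", "").rsplit("\\", 1)[-1]
            if member == WATCHED_ACCOUNT and ev.get("TargetUserName") == ADMIN_GROUP:
                seen["added_to_admins"] = ev.get("SubjectUserName")
    return seen


def is_guest_backdoor(events: Iterable[dict]) -> bool:
    """High-confidence alert: Guest joined Administrators and was enabled or re-passworded."""
    seen = guest_abuse_indicators(list(events))
    return "added_to_admins" in seen and any(k in seen for k in ("enabled", "password_reset"))


if __name__ == "__main__":
    print(guest_abuse_indicators(SAMPLE_EVENTS))
    print("ALERT" if is_guest_backdoor(SAMPLE_EVENTS) else "clean")
```

Adding Guest to Administrators on its own is already worth an alert; the combined rule here just raises confidence and points at the subject account that made the change.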

Advanced Post-Exploitation Tools

After a system has been compromised, the Cobalt Strike threat actor moves laterally across the network using the Remote Desktop Protocol (RDP). The credentials required for lateral movement are acquired using the Mimikatz password extraction tool.

During the post-exploitation phase, several enumeration commands and the BloodHound tool are also used for Active Directory reconnaissance. Commenting on the attack, researchers have stated that:

“The campaign’s complexity is evident in its methodical approach to initial compromise, persistence, privilege escalation, and lateral movement across the network.”

Conclusion

The SLOW#TEMPEST Cobalt Strike attack highlights the evolving tactics of threat actors leveraging phishing emails and advanced post-exploitation tools. By disguising malicious files, elevating privileges, and maintaining stealth, the attackers demonstrate a methodical approach to infiltrating targeted systems, which emphasizes the need for heightened vigilance and robust cybersecurity measures against such sophisticated threats.

The sources for this piece include articles in The Hacker News and TechNadu.
