SLOW#TEMPEST: Explaining the TTPs of the Cyber Espionage Campaign

SLOW#TEMPEST is a covert cyber espionage group that emerged in 2024, known for its stealthy infiltration tactics using sophisticated phishing and malware techniques. Its operations primarily target organizations in Chinese-speaking regions, employing methods such as DLL hijacking and credential harvesting. This article analyzes the group's tactics, providing insights into its operational methods and the defense strategies that counter them. Affected: cyber security, organizations in Chinese-speaking regions

Key points:

  • SLOW#TEMPEST specializes in cyber espionage with a focus on Chinese-speaking regions.
  • They use advanced phishing tactics involving malicious ZIP files to gain initial access.
  • The group employs DLL hijacking to deploy Cobalt Strike implants on compromised systems.
  • They implement persistent backdoors by creating local guest accounts and configuring system services.
  • Credential harvesting is conducted using tools like Mimikatz for lateral movement across networks.
  • Defense strategies include deploying advanced EDR solutions and employing a Zero Trust model.
  • Regular security control validations are recommended to shield against evolving threats.

MITRE Techniques:

  • TA0001: Initial Access
    T1566.001 – Phishing: Spearphishing Attachment: Distribution of malicious ZIP files via phishing emails containing deceptive links.
  • TA0003: Persistence
    T1136.001 – Create Account: Local Account: Adding guest accounts to retain access and facilitate covert operations.
  • TA0003: Persistence
    T1569.002 – System Services: Service Execution: Design and configuration of new system services for persistent payload execution.
  • TA0005: Defense Evasion
    T1574.002 – Hijack Execution Flow: DLL Side-Loading: Exploiting DLL vulnerabilities for covert control.
  • TA0005: Defense Evasion
    T1055.001 – Process Injection: Dynamic-link Library Injection: Injecting shellcode into legitimate processes.
  • TA0005: Defense Evasion
    T1070.001 – Indicator Removal: Clear Windows Event Logs: Using wevtutil to erase PowerShell logs.
  • TA0006: Credential Access
    SLOW#TEMPEST uses Mimikatz for credential harvesting and privilege escalation.
  • TA0007: Discovery
    T1087 – Account Discovery: Using BloodHound for Active Directory reconnaissance.
  • TA0008: Lateral Movement
    T1021.001 – Remote Services: Remote Desktop Protocol: Disabling security features for lateral access.
  • TA0009: Collection
    T1056 – Input Capture: Utilizing the SharpBlock tool to capture sensitive input data.

Indicators of Compromise:

  • [Executable] %TMP%mimikatz22020220919x64.exe
  • [Command] cmd.exe /c ipconfig /all
  • [Command] cmd.exe /c net.exe user /domain
  • [Executable] "%TMP%SharpBlock.exe"
  • [Command] wevtutil.exe cl "windows powershell"
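The command-line indicators above can be turned into a small detection over process-creation telemetry. The following is an added example, not part of the original article or of Picus Security's tooling; the sample command lines are constructed to mirror the IoC list (the Mimikatz file name is made up, and the curly quotes reproduce how the list renders), and the rules normalise case and quoting so that the long-form `clear-log` subcommand and `net1.exe` variants are caught as well as the literal strings listed.

```python
import re

# Constructed sample command lines modelled on the IoCs above (not real
# telemetry); the curly quotes mirror how the IoC list renders them.
SAMPLE_CMDLINES = [
    "cmd.exe /c ipconfig /all",
    "cmd.exe /c net.exe user /domain",
    '"%TMP%\\mimikatz_x64.exe"',                 # constructed file name
    "\u201c%TMP%\\SharpBlock.exe\u201d",         # curly quotes as on the page
    "wevtutil.exe cl \u201cwindows powershell\u201d",
    'WEVTUTIL clear-log "Windows PowerShell"',   # long-form subcommand
    "wevtutil.exe qe Security /c:5",             # benign query, no hit
]

TEMP_MARKERS = ("%tmp%", "%temp%", "\\temp\\")

def _tokens(cmdline):
    """Lower-case tokens with straight or curly quotes removed."""
    s = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', s)]

def _basename(token):
    """Last path component, so C:\\...\\net.exe and net.exe compare equal."""
    return re.split(r"[\\/]", token)[-1]

def match_indicators(cmdline):
    """Return the SLOW#TEMPEST-style indicators present in one command line."""
    toks = _tokens(cmdline)
    names = [_basename(t) for t in toks]
    hits = []
    for i, name in enumerate(names):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        # T1070.001: wevtutil cl / clear-log <channel>
        if name in ("wevtutil", "wevtutil.exe") and nxt in ("cl", "clear-log"):
            hits.append("T1070.001 wevtutil clear-log")
        # T1087: net user /domain (net.exe hands off to net1.exe internally)
        if name in ("net", "net.exe", "net1", "net1.exe") and nxt == "user" \
                and "/domain" in toks[i + 2:]:
            hits.append("T1087 net user /domain")
        if name in ("ipconfig", "ipconfig.exe") and nxt == "/all":
            hits.append("recon ipconfig /all")
        from_temp = any(m in toks[i] for m in TEMP_MARKERS)
        if "mimikatz" in name:
            hits.append("Mimikatz binary" + (" from %TMP%" if from_temp else ""))
        if name == "sharpblock.exe":
            hits.append("T1056 SharpBlock" + (" from %TMP%" if from_temp else ""))
    return hits

def scan(cmdlines):
    """Map each suspicious command line to its indicators; benign lines are omitted."""
    return {c: match_indicators(c) for c in cmdlines if match_indicators(c)}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{line!r}: {hits}")
```

Feed `scan()` the CommandLine field from Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled); matching on the exact IoC strings alone would miss the case and quoting variants the normalisation handles.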


Full Story: https://www.picussecurity.com/resource/blog/slow-tempest-cyber-espionage-ttp-analysis