Operation Cobalt Whisper Aims at Industries in Hong Kong and Pakistan

Operation Cobalt Whisper is a SEQRITE-identified cyber-espionage campaign targeting Pakistan’s Defense Sector and Hong Kong researchers, employing decoy documents to lure victims and LNK/VBScript-delivered Cobalt Strike beacons for post-exploitation. The operation comprises multiple infection chains (18 in Hong Kong, 2 in Pakistan) and uses consistent naming and configurations across campaigns to achieve credentialed access and data exfiltration. #OperationCobaltWhisper #CobaltStrike #LNK #VBScript #HongKong #Pakistan #SEQRITE

Keypoints

  • Targeted regions include the Defense Sector in Pakistan and researchers in Hong Kong.
  • Malicious LNK files and obfuscated VBScript are used to deploy the Cobalt Strike implant.
  • Over 20 infection chains identified: 18 targeting Hong Kong and 2 targeting Pakistan, with decoy documents tied to electrotechnical societies.
  • Cobalt Strike is the primary post-exploitation tool for beacon execution and data access.
  • A two-stage infection chain exists: LNK/VBScript delivery followed by Cobalt Strike beacon execution.
  • Campaigns exhibit consistent naming conventions and configurations across multiple samples.
  • Protection guidance includes avoiding unknown links, updating antivirus, and enabling multi-factor authentication.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Malicious RAR archive containing decoy documents and LNK files.
  • [T1204.002] User Execution: Malicious File – Execution of malicious LNK files leading to VBScript execution.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript used to decode and execute the Cobalt Strike beacon.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Creation of a scheduled task to maintain persistence of the Cobalt Strike implant.
  • [T1055.002] Process Injection: Portable Executable Injection – Renaming and executing the Cobalt Strike beacon as a legitimate process.
  • [T1033] System Owner/User Discovery – Identification of user and system information for targeting.
  • [T1071.001] Application Layer Protocol: Web Protocols – Cobalt Strike beacon communicates with command-and-control servers using web protocols.
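The two-stage chain listed above (an LNK double-click launching VBScript, followed by a scheduled task for persistence) leaves a recognisable pattern in process-creation telemetry. The following detector is an added example, not code from the SEQRITE report; the event fields mimic Sysmon process-creation records, and the sample events, paths and task names are constructed placeholders rather than indicators from the campaign.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str      # endpoint name
    ts: int        # event time, seconds since epoch (constructed)
    image: str     # executed binary, lowercase basename
    parent: str    # parent binary, lowercase basename
    cmdline: str   # full command line

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = 300  # max seconds between the VBScript launch and the persistence attempt

def find_chains(events):
    """Return (host, vbs_event, task_event) for each VBScript launch from explorer.exe
    (what an LNK double-click looks like) followed on the same host by schtasks /create."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = []
    for host, evs in by_host.items():
        launches = [e for e in evs if e.image in SCRIPT_HOSTS
                    and e.parent == "explorer.exe" and ".vbs" in e.cmdline.lower()]
        for v in launches:
            for t in evs:
                if (t.image == "schtasks.exe" and "/create" in t.cmdline.lower()
                        and 0 <= t.ts - v.ts <= WINDOW):
                    hits.append((host, v, t))
    return hits

# Constructed sample events; paths and task names are placeholders, not indicators
# from the report.
SAMPLE = [
    ProcEvent("ws01", 1000, "wscript.exe", "explorer.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\attachment.vbs"),
    ProcEvent("ws01", 1090, "schtasks.exe", "wscript.exe",
              r"schtasks.exe /create /sc minute /mo 30 /tn Updater /tr C:\ProgramData\svc.exe"),
    # Benign admin script on another host; its task creation comes hours later.
    ProcEvent("ws02", 2000, "wscript.exe", "explorer.exe",
              r"wscript.exe C:\admin\inventory.vbs"),
    ProcEvent("ws02", 9000, "schtasks.exe", "cmd.exe",
              r"schtasks.exe /create /tn Backup /tr C:\admin\backup.bat"),
]

if __name__ == "__main__":
    for host, v, t in find_chains(SAMPLE):
        print(f"{host}: VBScript at {v.ts} then task creation at {t.ts}: {t.cmdline}")
```

The time window and the explorer.exe parent check are tuning knobs; widen the window or add the LNK file's own path from the script host's command line if your telemetry exposes it.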

Indicators of Compromise

  • [MD5 (Archive)] 86543a984e604430fb7685a1e707b2c4, 95557088474250a9749b958c3935dee4, and 2 more hashes
  • [Filename (Archive/Decoys)] subscription.db, 附件2:《中国电工技术学会科学技术奖励办法》(2024年4月修订).pdf, and 2 more decoy documents
  • [MD5 (LNK)] 22c07c76020f9311385cfaa97a2d6adb, 7a494f7448bc350bb46fb7f21450d1d9
  • [IP] 139.155.190..84, 43.137.69.76, and 6 more
  • [ASN] AS45090 (Shenzhen Tencent Computer Systems Company Limited)

Read more: https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/