Examining the first decoy document, subscription.db, reveals that it is associated with the Electronic Society of China and focuses on award ceremony nominations. This PDF provides thorough guidance for the nomination and application procedure for the China Electrical Engineering Society Science and Technology Award, as confirmed by the contents and the full decoy. In addition to providing information on technology advancements, assessments, application promotion, and economic and social benefits, it describes the structure, documentation, and particular requirements needed to submit a project.

It is evident from the second document that the two documents have a similar concept. The goal of the award ceremony is also included in this document, along with a description of the different awards and a focus on the general advancement and development of society that these award ceremonies have brought about. All things considered, this lure document acts as a guide for the evaluation procedure, award categories, and much more under transparency in acknowledging the accomplishments in the field of electrical engineering.

After investigating the RAR, it became clear that the LNK's only function is to use the Windows utility wscript.exe to execute the malicious VBScript O365.vbs. For software distribution and installation procedures, the first section of the script simulates a tool for organizing and creating compressed cabinets from an MSI database. After that, the encoded data are stored in a variable called ElZn, which decodes to reveal another VBScript.

The script indicates that it intends to carry out operations in the background in a silent manner by running both the renamed executable and the copied version in the temporary location. Furthermore, it generates a WpnUserService_x64 scheduled job to execute sigverif.exe every 59 minutes. Lastly, after running, the script removes itself.

After investigation, the researchers discovered that the cache.bak file—which was essentially renamed as SigVerifier.exe—is actually a 32-bit executable. After examining the malware, they discovered that it is essentially a Cobalt Strike Beacon attempting to establish a connection with the C2 server. The researchers used a straightforward artifact—the threat actor's constant use of the name ImeBroker.exe for various Cobalt Strike implants across all campaigns—to uncover other campaigns. ImeBroker.exe was once a valid Windows tool for language input, notably for controlling Input Method Editors (IME), which let users enter languages with intricate scripts.

Machine IDs found in several LNKs that were shared by campaigns aimed at Islamabad and Hong Kong were another artifact that was used to track down this threat actor. Unlike the others, which utilize wscript.exe to run the VBS, the ID laptop-g5qalv96 uses cscript.exe to activate the VBS. Two advertisements using lures from Pakistan have been identified based on this ID.

According to the analysis, there is a notable emphasis on engineering professors, researchers, and important organizations in Pakistan, Hong Kong, and Mainland China. This effort deliberately targets professionals in technical domains by using sophisticated lures, such as decoy documents about energy infrastructure, civil aviation, environmental engineering, and electrotechnical societies.

A systematic approach to cyber-espionage is suggested by the actor's heavy use of the post-exploitation tool Cobalt Strike to carry out their operations. The researchers can infer from timestamps that this threat actor has been explicitly targeting this victim group since May 2024 based on the tactics, techniques, and procedures (TTPs) used in the campaign, such as the regular usage of malicious LNKs, VBScript, and Cobalt Strike payloads.

The campaign's size, intricacy, and specially designed lures all point to a deliberate attempt by an APT organization to jeopardize confidential research and intellectual property in these sectors. To be safe, it is advised to take the appropriate precautions such as avoiding clicking on suspicious links or downloading dubious files, updating your software and anti-virus programs, frequently backing up your data, and enabling multi-factor authentication.

Impact

• Cyber Espionage
• Sensitive Data Theft
• Unauthorized Access

Indicators of Compromise

MD5

• 86543a984e604430fb7685a1e707b2c4
• 95557088474250a9749b958c3935dee4
• 95f05674e4cb18a363346b488b67fd38
• b2649134fbf0520222263d73b7e985d8
• b28bb7cabfb12e9bc5b87692b065c83a
• 7728fee377137e83e9bd1c609cc166c0
• dad7d9528e9506ebd0524b3ebd89ddf2
• ae55cb4988f2f45197132631f5a86632
• d73a5c11423923d8a8c483cf6172f7e2
• 473adee7068573fd01862b4bf43979e6
• a02a664f80d9011e38c45762683771c0
• 0a34cc8983fb581a59308135868b75d0
• 5d18995193465c618844949f0ff9c786
• 4c409d7201ec5dccf55a8ea54b0de101
• c3d460ac3a93e86782c2bc374aa5ecd2
• 93eafad827126a9d12fc1d0e6e21aaef
• d29980f768aafdcf102cf1b3741c8a2b
• 1aa1f12d26d3a34265d0b99705bdf283
• 1d109c8bb9e6ad16cd5f6813db39c21a

SHA-256

• 3a00a211df2320b8a2f77e10700db5aa0e8e3a1fde93e0958901e532248dbd4d
• e22243a5b25fbda5647e3a758fc797937544c193dfdecd452ddd461fc8576375
• 704a8897f9bc9585752ca16968e1a34a8c459479f4856d82a2893ea95d6589cc
• 948314e98f63277ad7bfc457f79b1eec022441c4007d6adcae03d834e675f4dc
• d0a69b90acaf9c4be97b0a57a38a9fdf2273239d863fea81e38c45886dceb566
• 1c4a196655404fda0277aebf6b8ca76ea8b38cc647a09bcc4717c7875470fe31
• 4870bd4dd74adf0634948cd3b44816b358c474f39186da3bf82eddcf886d44a3
• df633b6bc23ba2666b129981b1c6f0ac0c18635875dc3a9f3784b1638d0d15de
• c44664414cf33d46c3dc6441f24d86c2b173e8a3e80cfc37ac0a9cb58a267efe
• 2341bb204d9d86b63aec2616c3f8440b53985a0568eff83c97da85afe8fa26f3
• 21175d72e86303bb70a670f5db8dc80fe9121312aadeea3d4a41f252ca6f5451
• b593ee1a10665d71b12d28e2a7977c872180a90f2e8991b9f56bca521529911c
• 9759afc47bad51880e31ab3e7ef0b813497c114f18942dc22f89c996ab1af028
• 6ad932799d5c9a917bfbfc68a132c026793e107da0f0970be849b6c9a73e6182
• bd586dddfb13f727b889f85c1fe5f4a92c9f000755bc650634bbf85ae4ab6b29
• 34c6ce688b19e25ef1d61de02dca6808fa9180e390d18108b2083fd839e3e896
• 63677bd6ede0b7bdac542753b3f11a78af6f220bdaaed364e6cd9a8ec9636a73
• 5810226922c8297d0023e41d2b19d743b73ab20ce087d55ee5897919d6487f58
• 8607f6e7d6a05635aaf6808d1ac1b0c456c837114ff1a00a88e0057f4dbf78ac

SHA-1

• 2d8a2c52e91e77d4b9f57a3dc9aef95369362e00
• 3f23325057e4d4970870c0883a110ef054eb9df9
• e62455a0533981dc0e57248184fd1ec9d373d029
• 7ac38045bc23a0e9a16a043471fb7eedb2c46cc3
• 3d1bd953f5a064e0a36fd16745aeb4ddbb5aa8ea
• bb00ce343f8de2093902d0407635a7852fac5e51
• f4d481fe00a96d648a4ffdfaea877720fbdf444a
• e856828654becfa84edb2d07bd8ceb8df71381a5
• 6f42eba333d6ff3953c98f1df9232b3b890ba297
• 4d4c8e276a1e67acb504f8e9a2c1ab912732fdbc
• 70b8e06ed43d2187d18ec6993be3154c491d5a52
• c2ed7cc93089a85fe2ea2e79c5c8cd2b1b55c622
• ed65749a593de5c987b4b920bd59321b236d87ae
• c78cac5bcb168d2ef5c2e55cfd68241b2e72fd38
• ffc928446e0444bd00c3fc52f856e674c1eb1a28
• 8ae1af247d889f1b9d3aa0a24bc5ba121410fafb
• a001b8981f2b454c685ff41e0b6c56b712bd1c7c
• 4fc9647059fbb2ceef6e248093e25a23ccbb4dc3
• ac5af91bf78bcb0863b17571ce5f6fc31d59cea0

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
• Conduct regular security awareness training for users to recognize and avoid phishing emails.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Implement network segmentation to limit lateral movement within the network.
• Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
• Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
• Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
• Regularly back up critical data and ensure that the backup copies are stored securely.