According to the latest Check Point report, the suspected Chinese threat actor IndigoZebra APT is actively targeting government agencies in Afghanistan and in other Central Asian countries such as Kyrgyzstan and Uzbekistan.
Malicious IndigoZebra APT:
IndigoZebra APT is a suspected Chinese state-sponsored threat group that has reportedly compromised the Afghan National Security Council in a coordinated spear-phishing campaign.
In the attack on the Afghan National Security Council (NSC), the initial access vector was a malicious email that impersonated the Office of the President of Afghanistan and carried an attached document the recipient was asked to review.
The attack on Afghanistan NSC:
On further investigation of the malicious email, the attachment, which claimed to be a report related to an upcoming press conference, turned out to be a password-protected RAR archive named ‘NSC Press conference.rar’ containing malware. Password-protecting an archive is a common way to keep mail-gateway scanners from inspecting its contents.
Once the archive was opened and the supposed document launched, it acted as a backdoor dropper. To mask its malicious activity, the malware also opened the first document found on the victim’s system, so that it appeared to be an authentic file.
“The detection of cyber espionage continues to be a top priority for us. This time, we’ve detected an ongoing spear-phishing campaign targeting the Afghan government. We have grounds to believe that Uzbekistan and Kyrgyzstan have also been victims. We’ve attributed our findings to a Chinese-speaking threat actor,” states Check Point’s threat intelligence head Lotem Finkelsteen.
“What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception. This tactic is vicious and effective in making anyone do anything for you. In this case, the malicious activity was seen at the highest levels of sovereignty,” notes Finkelsteen.
The backdoor then called back to a preconfigured folder, unique to each victim, controlled by the attackers and hosted on the Dropbox cloud storage service; it pulled further commands from that folder and stored exfiltrated data there, effectively using Dropbox as its command-and-control (C2) server. When IndigoZebra APT needed to send a file or command to a victim’s system, the operators placed it in a subfolder named ‘d’ inside that victim’s Dropbox folder, from which the malware retrieved and downloaded it. Because this traffic goes over HTTPS to a legitimate, widely used cloud service, it blends in with normal user activity and will not be caught by blocklists of known-bad domains; detection has to rely on which process is talking to Dropbox and how regularly it does so.
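One way to hunt for this pattern in web proxy logs, as an added example that is neither Check Point's code nor anything from the original page: group requests to Dropbox hosts per client, measure how regular the polling interval is, and flag clients whose requests come at machine-like intervals from a non-browser user agent. The log layout (timestamp, client, host, method, path, user agent), the sample lines, the user-agent heuristic and the thresholds are all assumptions made for this example; the API hostnames are Dropbox's public API endpoints, but whether the backdoor used exactly these is not stated on the page.

```python
"""Hunt for Dropbox-as-C2 beaconing in web proxy logs.

Added example, not code from Check Point or the article. Assumes a simplified
proxy log format "timestamp client host method path user_agent" and that the
backdoor polls the public Dropbox HTTP API on a fixed timer from a non-browser
process. The sample log below is constructed for this example, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: 10.0.0.5 polls the Dropbox API every 60 s from a
# bare "Mozilla/4.0" agent and then fetches a file; 10.0.0.7 is a person using the
# Dropbox web UI from Chrome at irregular times.
SAMPLE_LOG = """\
2021-06-01T09:00:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder Mozilla/4.0
2021-06-01T09:00:03 10.0.0.7 www.dropbox.com GET /home Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0
2021-06-01T09:01:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder Mozilla/4.0
2021-06-01T09:02:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder Mozilla/4.0
2021-06-01T09:03:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder Mozilla/4.0
2021-06-01T09:03:01 10.0.0.5 content.dropboxapi.com POST /2/files/download Mozilla/4.0
2021-06-01T09:04:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder Mozilla/4.0
2021-06-01T09:05:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder Mozilla/4.0
2021-06-01T09:17:41 10.0.0.7 www.dropbox.com GET /home Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0
2021-06-01T10:02:19 10.0.0.7 www.dropbox.com GET /home Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0
"""

MIN_REQUESTS = 4   # fewer points give no meaningful interval statistics (assumed threshold)
MAX_JITTER = 0.2   # coefficient of variation below which polling looks timer-driven (assumed)
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")  # crude heuristic, assumed

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Parse the simplified proxy log into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, method, path, ua = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": host, "method": method, "path": path, "ua": ua})
    return records


def is_dropbox_host(host):
    return host == "dropbox.com" or host.endswith((".dropbox.com", ".dropboxapi.com"))


def looks_like_browser(ua):
    return any(marker in ua for marker in BROWSER_MARKERS)


def analyse(records):
    """Per (client, host) pair: request count, mean gap, gap regularity and UA type."""
    groups = defaultdict(list)
    for r in records:
        if is_dropbox_host(r["host"]):
            groups[(r["client"], r["host"])].append(r)

    findings = []
    for (client, host), reqs in groups.items():
        reqs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in reqs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(reqs) >= MIN_REQUESTS:
            avg = mean(gaps)
            # Coefficient of variation: 0 means perfectly periodic polling.
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        else:
            avg, cv = None, None
        findings.append({
            "client": client, "host": host, "requests": len(reqs),
            "mean_interval": avg, "jitter": cv,
            "browser_ua": all(looks_like_browser(r["ua"]) for r in reqs),
            "beaconing": cv is not None and cv <= MAX_JITTER,
        })
    return findings


def suspicious_clients(log_text):
    """Clients that poll a Dropbox host on a regular timer from a non-browser agent."""
    return sorted({f["client"] for f in analyse(parse_log(log_text))
                   if f["beaconing"] and not f["browser_ua"]})


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print(f)
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The interval statistic is the part worth tuning: real implants add jitter, so raise MAX_JITTER and lower MIN_REQUESTS only after baselining what the sanctioned Dropbox desktop client looks like on your own network, and pair this with endpoint telemetry that names the process behind each connection.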
Check Point reports that IndigoZebra APT executed a number of tasks on the compromised NSC systems, including downloading and executing a scanning tool known to be widely used by numerous APTs, running Windows’ built-in network utilities, and accessing and stealing files from the compromised systems.
Check Point Research also detected variants of the IndigoZebra APT malware targeting political agencies in at least two other Central Asian nations, Uzbekistan and Kyrgyzstan, apart from the Afghanistan campaign.
The IndigoZebra group has been known to the cyber security community for some time, and its activity is thought to date back several years, possibly as far as 2014, Check Point Research noted.