Checkpoint researchers had uncovered a on-going spear-phishing campaign which is targeting the Afghan government. Researchers also revealed that the threat actor suspected for this espionage is an APT group named “IndigoZebra”.
Upon further investigation, it was also identified that this campaign was long running one from 2014 and it targets countries in Central Asia like Kyrgyzstan and Uzbekistan.
Researchers mentioned that their investigation started with the emails sent from Administrative Office of the President in Afghanistan to Afghanistan National Security Council (NSC) employees, which asks the recipients to review the modifications in the documents for the upcoming event of NSC.
“The email contains a password-protected RAR archive named
NSC Press conference.rar. Extracting the archive with the password provided in the email requires user interaction and therefore provides a challenge for some sandbox security solutions.”
“The extracted file,
NSC Press conference.exe, acts as a dropper. The content of the lure email suggests that the attached file is the document, hence, to reduce the suspicion of the victim running the executable, the attackers use the simple trick – the first document on the victim’s desktop is opened for the user upon the dropper execution.” reads the blog post.
After the Post-Infection phase , the threat actors starts executing various reconnaissance commands on the compromised machine along with the below actions.
- Download and execution of
90da10004c8f6fafdaa2cf18922670a745564f45) – NetBIOS scanner tool widely used by multiple APT actor including the prolific Chinese group APT10
- Execution of Windows built-in networking utility tools
- Access to the victim’s files, especially documents located on the Desktop
Indicators of Compromise:
b9973b6f9f15e6b20ba1c923540a3c9b 974201f7895967bff0b018b95d5f5f4b xCaon 3ecfc67294923acdf6bd018a73f6c590 35caae29c47dfb570773f6d5fd37e625 3562bf97997c54d74f58d4c1ad84fcea c00f6268075e3af85176bf0b00c66c13 85ea346e74c120c83db7a89531f9d9a1 5a8783783472be67c09926cc139d5b27 b3d11e570da4a66f4b8520bc6107283b fdcae752f64245c159ab0f4d585c5bf8 bb521918d08a4480699e673554d7072c c5406e7e161c758e863eb63001861bb1 4d6e93d2416898ea3a4f419aa3a438e3 6dfd06f91060e421320b6ebd63c957f0 0b10ac9bf6d2d31cbce06b09f9b0ae75 b831a48e96e2f033d09d7ad5edd1dc67 a875112c66da104c35d0eb43385d7094 1a28c673b2b481ba53e31f77a27669e7 ef3383809fdf5a895b42e02bf06f5aa3 aa107be86814d9c86911a2a7874d38a0 45d8cfe3450562564a1eb00a1aa0db83 cdd7bfa36c6e47730fad94113aba7070 06d72a4d99fcd76a3502432657f3c999 5a91ccabd2b12ac56ba5170cf9ff8343 33f42e9678ee91369d11ef344bbd5a0d 84575619a690d3ef1209b7e3a7e79935 16e61624827d7785740b17c771a052e6 ccc7f88b72c286fd756e76309022e9f8 e98031cf43bfed73db0bce43918a608c 5ea42089cf91464b9c0c42292c18ba4c cff6d9f5d214e3366d6b4ae31c413adc PoisonIvy c74711de8aa68e7d97f501eda328d032 Domains & URL infodocs[.]kginfocom[.]com infodocs[.]kginfocom[.]com/gin/kw.asp infodocs[.]kginfocom[.]com/gin/tab.asp ousync[.]kginfocom[.]com ousync[.]kginfocom[.]com/sync/kw.asp uslugi[.]mahallafond[.]com uslugi[.]mahallafond[.]com/hall/kw.asp 6z98os[.]id597[.]link 6z98os[.]id597[.]link/css/art.asp hwyigd[.]laccessal[.]org hwyigd[.]laccessal[.]org/news/art.asp hwyigd[.]laccessal[.]org/news/js.asp help[.]2019mfa[.]com help[.]2019mfa[.]com/help/art.asp m[.]usascd[.]com m[.]usascd[.]com/uss/word.asp ns01-mfa[.]ungov[.]org ns01-mfa[.]ungov[.]org/un/art.asp dcc[.]ungov[.]org dcc[.]ungov[.]org/crss/art.asp index[.]google-upgrade[.]com index[.]google-upgrade[.]com/upgrade/art.asp mofa[.]ungov[.]org mofa[.]ungov[.]org/momo/art.asp update[.]ictdp[.]com update[.]ictdp[.]com/new/art.asp post[.]mfa-uz[.]com post[.]mfa-uz[.]com/post/art.asp cdn[.]muincxoil[.]com cdn[.]muincxoil[.]com/cdn/js.asp cdn[.]muincxoil[.]com/cdn/art.asp tm[.]2019mfa[.]com tm[.]2019mfa[.]com/css/p_d.asp
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1