
Researchers Identified a Spear-phishing Campaign Targeting the Afghan Government

Check Point researchers have uncovered an ongoing spear-phishing campaign targeting the Afghan government. The researchers also revealed that the threat actor suspected of this espionage is an APT group named “IndigoZebra”.

Further investigation showed that the campaign is a long-running one, active since 2014, and that it has also targeted other Central Asian countries such as Kyrgyzstan and Uzbekistan.

The researchers said their investigation started with emails that appeared to come from the Administrative Office of the President of Afghanistan to employees of the Afghanistan National Security Council (NSC), asking the recipients to review modifications to documents for an upcoming NSC event.


“The email contains a password-protected RAR archive named NSC Press conference.rar. Extracting the archive with the password provided in the email requires user interaction and therefore provides a challenge for some sandbox security solutions.”


“The extracted file, NSC Press conference.exe, acts as a dropper. The content of the lure email suggests that the attached file is the document, hence, to reduce the suspicion of the victim running the executable, the attackers use the simple trick – the first document on the victim’s desktop is opened for the user upon the dropper execution,” reads the blog post.
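The sandbox-evasion point in the quote above (encrypted archive, password only in the mail body, an executable where a document was promised) can be checked at the mail gateway without extracting anything, because a RAR 2.9/4.x archive keeps file names and the per-file "encrypted" flag in the clear unless the whole header set is encrypted. The Python below is an added example written for this page, not Check Point's tooling and not the dropper's code: it walks the RAR 2.9/4.x block layout (signature, main header, file headers, end block), verifies each header CRC, reports whether file data or headers are encrypted, and flags listed names with executable extensions. The `build_rar4` helper only produces constructed test input in that layout (stored bytes, not real compressed or encrypted streams); the archive contents, the extension list and the assumption that the campaign's archive was RAR 2.9/4.x rather than RAR5 are all this example's, since the page does not state the RAR version.

```python
import struct
import zlib

# RAR 2.9 / 4.x ("Rar!\x1a\x07\x00") block layout from the public technote.
# RAR5 archives use a different header format and are out of scope here.
RAR4_SIG = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # main-header flag: block headers (incl. names) encrypted
LHD_PASSWORD = 0x0004   # file-header flag: file data encrypted
LONG_BLOCK = 0x8000     # ADD_SIZE field present (PACK_SIZE for file headers)
# Extensions a "document" attachment should never carry (assumed list).
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta", ".lnk")


def _head_crc(body: bytes) -> int:
    """HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE..end of header."""
    return zlib.crc32(body) & 0xFFFF


def list_rar4(blob: bytes) -> dict:
    """Walk the block chain and list file names and encryption flags
    without decompressing or decrypting anything."""
    if not blob.startswith(RAR4_SIG):
        raise ValueError("not a RAR 2.9/4.x archive")
    info = {"headers_encrypted": False, "files": []}
    pos = len(RAR4_SIG)
    while pos + 7 <= len(blob):
        crc, htype, flags, size = struct.unpack_from("<HBHH", blob, pos)
        if htype == END_HEAD or size < 7 or pos + size > len(blob):
            break
        if _head_crc(blob[pos + 2:pos + size]) != crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        add = struct.unpack_from("<I", blob, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            # Everything after this block is ciphertext: names are unavailable.
            info["headers_encrypted"] = True
            break
        if htype == FILE_HEAD:
            # NAME_SIZE sits 24 bytes into the body, the name 30 bytes in.
            name_size = struct.unpack_from("<H", blob, pos + 26)[0]
            name = blob[pos + 32:pos + 32 + name_size].decode("cp437", "replace")
            info["files"].append({
                "name": name,
                "encrypted": bool(flags & LHD_PASSWORD),
                "packed_size": add,
            })
        pos += size + add
    return info


def triage_attachment(blob: bytes) -> list:
    """Findings a gateway can raise on a RAR attachment before any sandboxing."""
    info = list_rar4(blob)
    findings = []
    if info["headers_encrypted"]:
        findings.append("headers encrypted: file names hidden from static inspection")
        return findings
    for f in info["files"]:
        if f["encrypted"]:
            findings.append(f"{f['name']}: data encrypted, extraction needs a password "
                            "(sandbox blind spot)")
        if f["name"].lower().endswith(EXEC_EXT):
            findings.append(f"{f['name']}: executable inside an archive sent as a 'document'")
    return findings


def build_rar4(entries, encrypt_headers=False) -> bytes:
    """Constructed test input only: a minimal archive in the same layout.
    Payloads are stored bytes, not real RAR compressed/encrypted streams,
    which is enough for header-level triage."""
    out = bytearray(RAR4_SIG)
    main = struct.pack("<BHHHI", MAIN_HEAD,
                       MHD_PASSWORD if encrypt_headers else 0, 13, 0, 0)
    out += struct.pack("<H", _head_crc(main)) + main
    if encrypt_headers:
        return bytes(out + b"\x00" * 8 + b"\xaa" * 16)  # stand-in for salt + ciphertext
    for name, data, encrypted in entries:
        flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
        body = struct.pack("<BHHIIBIIBBHI", FILE_HEAD, flags, 32 + len(name),
                           len(data), len(data), 2, zlib.crc32(data), 0, 29, 0x30,
                           len(name), 0x20) + name
        out += struct.pack("<H", _head_crc(body)) + body + data
    end = struct.pack("<BHH", END_HEAD, 0x4000, 7)
    out += struct.pack("<H", _head_crc(end)) + end
    return bytes(out)


if __name__ == "__main__":
    # Constructed lure modelled on the page's description (name from the page).
    lure = build_rar4([(b"NSC Press conference.exe", b"MZ" + b"\x00" * 62, True)])
    for line in triage_attachment(lure):
        print(line)
```

Two findings fire on the constructed lure: the data is encrypted, and the only member is an `.exe` in an archive the mail presented as a document. A benign `.docx` archive returns no findings, and an archive with encrypted headers is reported as such so it can be routed to manual handling rather than silently passed because the sandbox saw nothing.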

In the post-infection phase, the threat actors run various reconnaissance commands on the compromised machine, including the following actions:

  • Download and execution of ntbscan (SHA-1: 90da10004c8f6fafdaa2cf18922670a745564f45), a NetBIOS scanner tool widely used by multiple APT actors, including the prolific Chinese group APT10
  • Execution of Windows built-in networking utilities
  • Access to the victim’s files, especially documents located on the Desktop
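Once the dropper runs, the reconnaissance listed above is a better detection hook than the dropper's hash, which changes per campaign. The Python below is an added example for this page, not Check Point's detection logic: it groups process-creation events by parent image, alerts when one parent spawns several distinct reconnaissance techniques inside a short window, and notes when that parent executes from a user-writable path such as the Desktop, where the page says the lure was opened. The simplified event schema, the command patterns beyond ntbscan/NBTscan, the window and threshold, and the sample events are all this example's assumptions, not telemetry from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line fragments treated as host/network reconnaissance. The page names
# ntbscan (NBTscan) and "Windows built-in networking utility tools"; the exact
# list, window and threshold below are this example's assumptions.
RECON_PATTERNS = {
    "ntbscan": "NetBIOS scan (NBTscan/ntbscan)",
    "nbtscan": "NetBIOS scan (NBTscan/ntbscan)",
    "nbtstat": "NetBIOS name table query",
    "ipconfig": "interface enumeration",
    "net view": "host/share enumeration",
    "net user": "account enumeration",
    "arp -a": "ARP cache dump",
    "route print": "routing table dump",
    "netstat": "connection listing",
}
USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\")
WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # distinct techniques from one parent inside WINDOW


def classify(command_line: str):
    """Map a command line to a recon technique label, or None."""
    cl = command_line.lower()
    for needle, label in RECON_PATTERNS.items():
        if needle in cl:
            return label
    return None


def parent_in_user_path(image: str) -> bool:
    """True for parents running from Desktop/Downloads/Temp, as a dropped
    'NSC Press conference.exe' would."""
    return any(p in image.lower() for p in USER_WRITABLE)


def detect_recon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """events: dicts with 'ts' (ISO 8601), 'parent_image', 'image', 'command_line'
    (a simplified process-creation record; the field names are this example's).
    Returns one alert per parent whose children cover >= threshold distinct
    techniques inside any window-sized span."""
    by_parent = defaultdict(list)
    for ev in events:
        label = classify(ev["command_line"])
        if label:
            by_parent[ev["parent_image"]].append(
                (datetime.fromisoformat(ev["ts"]), label, ev["command_line"]))
    alerts = []
    for parent, hits in by_parent.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - t0 <= window]
            techniques = {h[1] for h in span}
            if len(techniques) >= threshold:
                alerts.append({
                    "parent": parent,
                    "user_path_parent": parent_in_user_path(parent),
                    "first_seen": t0.isoformat(),
                    "techniques": sorted(techniques),
                    "commands": [h[2] for h in span],
                })
                break  # one alert per parent is enough
    return alerts


# Constructed sample events (not real telemetry); the dropper name follows the page.
DROPPER = r"C:\Users\a.user\Desktop\NSC Press conference.exe"
SAMPLE_EVENTS = [
    {"ts": "2021-04-01T09:12:03", "parent_image": DROPPER,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c ipconfig /all"},
    {"ts": "2021-04-01T09:12:41", "parent_image": DROPPER,
     "image": r"C:\Windows\System32\nbtstat.exe", "command_line": "nbtstat -n"},
    {"ts": "2021-04-01T09:13:10", "parent_image": DROPPER,
     "image": r"C:\Windows\System32\net.exe", "command_line": "net view /domain"},
    {"ts": "2021-04-01T09:14:02", "parent_image": DROPPER,
     "image": r"C:\Windows\System32\tasklist.exe", "command_line": "tasklist /v"},
    {"ts": "2021-04-01T09:15:22", "parent_image": DROPPER,
     "image": r"C:\Users\a.user\AppData\Local\Temp\ntbscan.exe",
     "command_line": r"C:\Users\a.user\AppData\Local\Temp\ntbscan.exe 10.20.0.0/24"},
    # Helpdesk-style activity from a normal parent: one technique, no alert.
    {"ts": "2021-04-01T09:20:00", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c ipconfig /all"},
]

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_EVENTS):
        print(alert["parent"], alert["techniques"])
```

On the sample, only the dropper parent trips the rule: four distinct techniques (interface enumeration, NetBIOS name table query, host/share enumeration and the NBTscan run) inside a few minutes, from an image on the user's Desktop. The single `ipconfig` under `explorer.exe` stays below the threshold, which is the point of counting distinct techniques per parent rather than alerting on each command.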

Indicators of Compromise:

BoxCaon (MD5)
b9973b6f9f15e6b20ba1c923540a3c9b
974201f7895967bff0b018b95d5f5f4b

xCaon (MD5)
3ecfc67294923acdf6bd018a73f6c590
35caae29c47dfb570773f6d5fd37e625
3562bf97997c54d74f58d4c1ad84fcea
c00f6268075e3af85176bf0b00c66c13
85ea346e74c120c83db7a89531f9d9a1
5a8783783472be67c09926cc139d5b27
b3d11e570da4a66f4b8520bc6107283b
fdcae752f64245c159ab0f4d585c5bf8
bb521918d08a4480699e673554d7072c
c5406e7e161c758e863eb63001861bb1
4d6e93d2416898ea3a4f419aa3a438e3
6dfd06f91060e421320b6ebd63c957f0
0b10ac9bf6d2d31cbce06b09f9b0ae75
b831a48e96e2f033d09d7ad5edd1dc67
a875112c66da104c35d0eb43385d7094
1a28c673b2b481ba53e31f77a27669e7
ef3383809fdf5a895b42e02bf06f5aa3
aa107be86814d9c86911a2a7874d38a0
45d8cfe3450562564a1eb00a1aa0db83
cdd7bfa36c6e47730fad94113aba7070
06d72a4d99fcd76a3502432657f3c999
5a91ccabd2b12ac56ba5170cf9ff8343
33f42e9678ee91369d11ef344bbd5a0d
84575619a690d3ef1209b7e3a7e79935
16e61624827d7785740b17c771a052e6
ccc7f88b72c286fd756e76309022e9f8
e98031cf43bfed73db0bce43918a608c
5ea42089cf91464b9c0c42292c18ba4c
cff6d9f5d214e3366d6b4ae31c413adc

PoisonIvy (MD5)
c74711de8aa68e7d97f501eda328d032

Domains and URLs (defanged)
infodocs[.]kginfocom[.]com
infodocs[.]kginfocom[.]com/gin/kw.asp
infodocs[.]kginfocom[.]com/gin/tab.asp
ousync[.]kginfocom[.]com
ousync[.]kginfocom[.]com/sync/kw.asp
uslugi[.]mahallafond[.]com
uslugi[.]mahallafond[.]com/hall/kw.asp
6z98os[.]id597[.]link
6z98os[.]id597[.]link/css/art.asp
hwyigd[.]laccessal[.]org
hwyigd[.]laccessal[.]org/news/art.asp
hwyigd[.]laccessal[.]org/news/js.asp
help[.]2019mfa[.]com
help[.]2019mfa[.]com/help/art.asp
m[.]usascd[.]com
m[.]usascd[.]com/uss/word.asp
ns01-mfa[.]ungov[.]org
ns01-mfa[.]ungov[.]org/un/art.asp
dcc[.]ungov[.]org
dcc[.]ungov[.]org/crss/art.asp
index[.]google-upgrade[.]com
index[.]google-upgrade[.]com/upgrade/art.asp
mofa[.]ungov[.]org
mofa[.]ungov[.]org/momo/art.asp
update[.]ictdp[.]com
update[.]ictdp[.]com/new/art.asp
post[.]mfa-uz[.]com
post[.]mfa-uz[.]com/post/art.asp
cdn[.]muincxoil[.]com
cdn[.]muincxoil[.]com/cdn/js.asp
cdn[.]muincxoil[.]com/cdn/art.asp
tm[.]2019mfa[.]com
tm[.]2019mfa[.]com/css/p_d.asp

For more cyber security news in crisp content, follow our site via the Twitter handle @cyberworkx1.
