Governments in Afghanistan, Kyrgyzstan and Uzbekistan have all been targeted by a Chinese-speaking advanced persistent threat (APT) group called IndigoZebra, according to a report by Check Point Research (CPR). The group appears to have infiltrated Afghanistan's National Security Council (NSC) through a targeted, tailored spear-phishing attack: an email impersonating the President of Afghanistan, asking the recipient to review an attached document, served as the lure.
The malicious attachment, supposedly relating to an upcoming press conference, was a password-protected RAR archive named "NSCPressconference.rar" that contained the malware. When opened, the extracted file, "NSC Pressconference.exe", acted as a dropper for a backdoor. To reduce suspicion, the malware used a simple trick: because the email implied the attachment was a document, the dropper also opened the first document it found on the victim's desktop.
The backdoor then called back to an attacker-controlled, pre-configured, victim-specific folder hosted on the Dropbox cloud storage service. This folder served both as the address from which commands were pulled and as the place where stolen information was stored, effectively using Dropbox as the command-and-control (C2) server. When the group needed to send files or commands to the victim's system, they placed them in a subfolder named "d" inside the victim's Dropbox folder, from which the malware retrieved and downloaded them.
Ultimately, the group performed many actions on the NSC's system, including downloading and running scanning tools known to be widely used by multiple APT actors, among them the China-based APT10; running Windows' built-in network utility tools; and accessing and stealing the victim's files.
In addition to the campaign targeting Afghanistan, CPR discovered variants targeting political entities in two other Central Asian countries, Kyrgyzstan and Uzbekistan. Specific victimology indicators can be found in the full technical report. The IndigoZebra group has long been known to the cybersecurity community, and its campaign is believed to date back several years, possibly to 2014.