1. Home
  2. Groups
  3. IndigoZebra

IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[1][2][3]

ID: G0136
Contributors: Pooja Natarajan, NEC Corporation India; Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 24 September 2021
Last Modified: 16 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1204 .002 用户执行: Malicious File

IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.[1]
Enterprise T1583 .001 获取基础设施: Domains

IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.[2]
.006 获取基础设施: Web Services

IndigoZebra created Dropbox accounts for their operations.[1][2]
Enterprise T1588 .002 获取能力: Tool

IndigoZebra has acquired open source tools such as NBTscan and Meterpreter for their operations.[2][3]

Enterprise T1586 .002 账号妥协: Email Accounts

IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.[2]
Enterprise T1105 输入工具传输

IndigoZebra has downloaded additional files and tools from its C2 server.[2]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.[1][2]

Software

ID Name References Techniques
S0651 BoxCaon [2] 从本地系统获取数据, 启动或登录自动启动执行, 命令与脚本解释器: Windows Command Shell, 数据分段: Local Data Staging, 文件和目录发现, 本机API, 混淆文件或信息, 系统网络配置发现, 网络服务: Bidirectional Communication, 输入工具传输, 通过C2信道渗出, 通过网络服务渗出: Exfiltration to Cloud Storage
S0012 PoisonIvy [3] Rootkit, 从本地系统获取数据, 修改注册表, 创建或修改系统进程: Windows Service, 加密通道: Symmetric Cryptography, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 启动或登录自动启动执行: Active Setup, 命令与脚本解释器: Windows Command Shell, 应用窗口发现, 执行保护: Mutual Exclusion, 数据分段: Local Data Staging, 混淆文件或信息, 输入工具传输, 输入捕获: Keylogging, 进程注入: Dynamic-link Library Injection
S0653 xCaon [2] 从本地系统获取数据, 加密通道: Symmetric Cryptography, 反混淆/解码文件或信息, 启动或登录自动启动执行, 命令与脚本解释器: Windows Command Shell, 应用层协议: Web Protocols, 数据编码: Standard Encoding, 本机API, 系统网络配置发现, 软件发现: Security Software Discovery, 输入工具传输

References

  1. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  2. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  1. Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.