Spear-Phishing Campaign Uses Military-Themed DocumentsCisco Talos Researchers Find Hackers Using New Dropper Called IndigoDrop
A spear-phishing campaign is using military-themed malicious Microsoft Office documents to infect devices, according to researchers at Cisco Talos.
The Cisco Talos researchers also found that this campaign is using a previously unknown dropper, which the company calls "IndigoDrop," that's then used to infect devices with a weaponized version of Cobalt Strike, according to a report released Monday.
IndgoDrop is a multistage dropper used to deliver a final payload to an infected device. It's a version of a Cobalt Strike that works as a remote access Trojan or RAT, according to the report. In addition to delivering the payload, IndigoDrop is capable of ensuring persistence within a network and performing anti-infection checks.
It's unclear who the threat actors are behind this campaign, but Cisco Talos researchers note that the spear-phishing attack, which is still active, is mainly targeting military and government organizations in Southeast Asia.
The campaign has been ongoing since at least 2018, with the hackers regularly updating their arsenals until mid-2019. IndigoDrop was added around May 2019 and further developed over the next several months, the report notes.
"The use of adversarial frameworks like Cobalt Strike suggests that the attackers are looking to expand their malicious arsenal at a significant rate with self-authored and customizable artifacts," Asheer Malhotra, a researcher at Cisco Talos, notes in the report.
The Cisco Talos researchers have identified two infection tactics used in this campaign -spreading malware through malicious macros embedded within decoy documents and using external links to download the payload.
To lure targets to open the malicious file, the attackers disguise them as internal government or military documents, the report notes. Some of the malicious documents discovered, for example, were portrayed as "incident action plan" documents dictating safeguard procedures for the IT infrastructure of the Indian Air Force.
If the macros contained in the phishing email are enabled, the malware checks the device and then downloads IndigoDrop, which then works as a second-stage custom dropper, the report says. The dropper consists of three hard-coded locations that are used to download and activate the next payload, which is loaded either from an attacker-held server or the public data hosting platform Pastebin, the report says.
IndigoDrop then downloads a Metasploit shellcode, which establishes connection with the attacker-controlled IP address to load Cobalt Strike, which then acts as a RAT, according to the report. While Cobalt Strike is a legitimate penetration testing product, it is often weaponized by attackers.
In the final stage of infection, the Cobalt Strike RAT performs arbitrary code execution, uploads and download files, impersonate users and legitimate traffic and queries the Windows registry, according to the report. It also connects with a command-and-control server.
Weaponizing Cobalt Strike
Advanced persistent threat groups and other hackers have been increasingly weaponizing Cobalt Strike as part of their attacks campaign to gain persistence in the victims' network. This includes nation-state hackers connected to China, Vietnam and Russia, according to numerous security reports.
In February, researchers at Trend Micro uncovered a newly identified hacking group that used Cobalt Strike in an espionage campaign that targeted gambling companies in Asia, the Middle East and Europe. The group called DRBControl repurposed the penetration testing tool to serve as a backdoor for stealing source code and other data (see: New Hacking Group Targets Gambling Firms: Report ).
In addition to nation-state hackers, ransomware gangs such as Ryuk, REvil, Maze and DoppelPaymer are using Cobalt Strike to collect information from the victims' network, security researchers note (see: Top Ransomware Attack Vectors: RDP, Drive-By, Phishing ).