1. Home
  2. Groups
  3. IndigoZebra

IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[1][2][3]

ID: G0136
Contributors: Pooja Natarajan, NEC Corporation India; Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 24 September 2021
Last Modified: 16 October 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.[2]
.006 Acquire Infrastructure: Web Services

IndigoZebra created Dropbox accounts for their operations.[1][2]
Enterprise T1586 .002 Compromise Accounts: Email Accounts

IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.[2]
Enterprise T1105 Ingress Tool Transfer

IndigoZebra has downloaded additional files and tools from its C2 server.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

IndigoZebra has acquired open source tools such as NBTscan and Meterpreter for their operations.[2][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.[1][2]
Enterprise T1204 .002 User Execution: Malicious File

IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.[1]

Software

ID Name References Techniques
S0651 BoxCaon [2] Boot or Logon Autostart Execution, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Ingress Tool Transfer, Native API, Obfuscated Files or Information, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0012 PoisonIvy [3] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0653 xCaon [2] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Native API, Software Discovery: Security Software Discovery, System Network Configuration Discovery

References

  1. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  2. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  1. Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.