- Jul 27, 2015
Cisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with customized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that military and government organizations in South Asia were targeted by this attack.
How did it work?
The attack consists of a highly modular dropper executable we're calling "IndigoDrop" dropped to a victim's endpoint using maldocs. IndigoDrop is responsible for obtaining the final payload from a download URL for deployment. The final payloads currently observed by Talos are Cobalt Strike beacons.
In this post, we illustrate the core technical capabilities of the three components, the maldocs, IndigoDrop and the Cobalt Strike beacons, including:
- The maldocs-based infection chain.
- IndigoDrop's functionality.
- Communication mechanisms and infrastructure used to download infection artifacts.
- Detailed configurations of the Cobalt Strike beacons.
This attack demonstrates how the adversary operates a targeted attack that:
- Uses legitimate-looking lures to trick the target into infecting themselves.
- Employs a highly modular infection chain (implemented in IndigoDrop) to instrument the final payload.
- Uses an existing offensive framework (Cobalt Strike) to establish control and persist in the target's network without having to develop a bespoke remote access trojan (RAT).
Analysis of recently discovered attack-chain variations provides insights into the evolution of this threat. These evolutions indicate changes in the attackers' tactics and techniques, used to continue attacks while trying to bypass detections. This campaign also shows us that while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections for additional layers of security.