IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[1][2][3]

ID: G0136
Contributors: Pooja Natarajan, NEC Corporation India; Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 24 September 2021
Last Modified: 16 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.[2]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

IndigoZebra created Dropbox accounts for their operations.[1][2]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.[2]

Enterprise T1105 Ingress Tool Transfer

IndigoZebra has downloaded additional files and tools from its C2 server.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

IndigoZebra has acquired open source tools such as NBTscan and Meterpreter for their operations.[2][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.[1][2]

Enterprise T1204 .002 User Execution: Malicious File

IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the attached file; opening the file would trigger the attack.[1]

Software

ID Name References Techniques
S0651 BoxCaon [2] Boot or Logon Autostart Execution, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Ingress Tool Transfer, Native API, Obfuscated Files or Information, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0012 PoisonIvy [3] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0653 xCaon [2] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Native API, Software Discovery: Security Software Discovery, System Network Configuration Discovery

References