Malicious doc campaign unleashes Cobalt Strike on gov’t, military orgs in South Asia

A military-themed malware campaign targeting military and government organizations in South Asia unleashes “maldocs” that spread full remote-access trojan (RAT) capabilities.

The multistage chain attack, which began in 2018, infects endpoints with customized beacons and a modular dropper that Talos calls IndigoDrop, which executes the final payloads, Cisco Talos reported in a blog post.

“This attack demonstrates how the adversary operates a targeted attack that uses legitimate-looking lures to trick the target into infecting themselves,” according to the post, which details the malware capabilities and suggestion to guard against such an attack. Campaign components include the usage of both public and private servers, Microsoft Office, credentials stolen from the endpoint by a python module from Google Chrome, Microsoft Edge, Opera, Mozilla Firefox, WiFi credentials and bitly-shortened URLS.

Talos noted the attack’s existing offensive framework (Cobalt Strike) establishes control and persists in the target's network without having to develop a bespoke RAT.

The post didn’t name specific governments, but at one point references a missive to safeguard the IT infrastructure of the Indian Air Force. A sample document cited looked legitimate for its length, 64 pages and 15,000 words.

“Analysis of recently discovered attack-chain variations provides insights into the evolution of this threat,” Talos wrote. “These evolutions indicate the changes in tactics and techniques of the attackers used to continue attacks while trying to bypass detections.”

The earliest variant of the attack that the security firm tracked was in April 2018, and by May 2019 the attackers tested VBA macro-based stagers generated by Cobalt Strike with a code that can inject the MSF downloader shellcode into a benign 32-bit process.

In September 2019, the attackers experimented with and tested custom droppers and a new “Metasploit” module connected to a local IP address to download third-stage payloads. Cobalt Strike’s beacons use configurations specified via “.profile” files, and the attack uses a pastebin[.]com for the Metasploit. The campaign also demonstrates, according to the security firm, that while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections for additional layers of security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.