A security researcher has warned of a possible espionage campaign directed against the government of Afghanistan, coordinated by a Chinese-speaking threat actor, which may be as old as 2014.
Researchers at Check Point Research attribute the intrusions to an APT hacking group tracked as “IndigoZebra.”
That group has previously targeted Kyrgyzstan and Uzbekistan as well as other economies throughout Central Asia.
“The threat actors behind the espionage leveraged Dropbox, the popular cloud-storage service, to infiltrate the Afghan National Security Council (NSC), orchestrating a ministry-to-ministry style deception, where an email is sent to a high-profile target from the mailboxes of another high-profile victim.”
IndigoZebra was first documented in August 2017, when Kaspersky described a covert operation targeting former Soviet republics with malware including Meterpreter, Poison Ivy, xDown, and a previously undocumented malware family called xCaon. Check Point’s investigation into the attacks began in April, when officials at the National Security Council began receiving lure emails purporting to come from the Office of the President of Afghanistan.
The message urges recipients to review an attached document related to an upcoming NSC press conference. Opening the attached RAR archive (“NSC Press conference.rar”), however, triggers an infection that installs a backdoor (“spools.exe”) on the targeted system. Malicious commands were then delivered to the victim machine disguised as ordinary Dropbox API traffic, with a separate attacker-controlled Dropbox account created for each compromised host.
How BoxCaon exfiltrates data
The BoxCaon backdoor can steal sensitive data from the device, run arbitrary commands, and exfiltrate the results to the attacker-controlled Dropbox folder. Within the victim’s Dropbox folder, the commands are stored in a file (“c.txt”) in a subfolder named “d”; the malware retrieves this file and then executes the commands it contains.
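As an added illustration of the defensive side (not code from the report or from Check Point), the following Python script flags processes that talk to the Dropbox API but are not the official client, raising the severity when the image name matches the backdoor file name reported above; the Sysmon-style events, host names and process allow-list are constructed assumptions.

```python
from collections import defaultdict

# Dropbox API endpoints a backdoor would need to reach to read "d/c.txt" and upload results.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumed baseline: only the official client is expected to talk to the Dropbox API.
ALLOWED_IMAGES = {"dropbox.exe"}
# Backdoor file name reported by Check Point for this campaign.
KNOWN_BAD_IMAGES = {"spools.exe"}

# Constructed Sysmon-style (Event ID 3, network connection) records; hypothetical sample data.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "dst": "api.dropboxapi.com"},
    {"host": "ws01", "image": r"C:\Windows\System32\spoolsv.exe", "dst": "update.microsoft.com"},
    {"host": "ws07", "image": r"C:\Users\user\AppData\Roaming\spools.exe", "dst": "api.dropboxapi.com"},
    {"host": "ws07", "image": r"C:\Users\user\AppData\Roaming\spools.exe", "dst": "content.dropboxapi.com"},
    {"host": "ws09", "image": r"C:\Users\user\Downloads\sync.exe", "dst": "content.dropboxapi.com"},
]

def image_name(path):
    """Return the lower-cased file name of an image path (Windows or POSIX separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Severity of one connection: None (benign), 'medium' (unexpected process using the
    Dropbox API) or 'high' (process name matches the reported backdoor)."""
    if event["dst"].lower() not in DROPBOX_API_HOSTS:
        return None
    # Exact name match, so the legitimate spoolsv.exe is not confused with spools.exe.
    name = image_name(event["image"])
    if name in ALLOWED_IMAGES:
        return None
    return "high" if name in KNOWN_BAD_IMAGES else "medium"

def find_dropbox_c2_candidates(events):
    """Group suspicious events per (host, image), keeping the highest severity seen."""
    rank = {"medium": 1, "high": 2}
    grouped = defaultdict(lambda: {"severity": None, "destinations": set()})
    for ev in events:
        sev = classify(ev)
        if sev is None:
            continue
        entry = grouped[(ev["host"], ev["image"])]
        entry["destinations"].add(ev["dst"].lower())
        if entry["severity"] is None or rank[sev] > rank[entry["severity"]]:
            entry["severity"] = sev
    return {k: {"severity": v["severity"], "destinations": sorted(v["destinations"])}
            for k, v in grouped.items()}

if __name__ == "__main__":
    for (host, image), info in find_dropbox_c2_candidates(SAMPLE_EVENTS).items():
        print(f"{info['severity'].upper():6} {host} {image} -> {', '.join(info['destinations'])}")
```

The medium-severity bucket is where an unknown loader using the same cloud channel would surface, which is the point of baselining the API hosts rather than only the known file name.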
The link between BoxCaon and IndigoZebra rests on the malware’s similarities to xCaon. Check Point says it identified about 30 different xCaon samples, the earliest dating back to 2014, all relying on the HTTP protocol for command-and-control communications. Analysis of telemetry data showed that the HTTP variants primarily targeted political entities in Kyrgyzstan and Uzbekistan, an indication that both targeting and tooling have shifted in recent years.
The head of threat intelligence at Check Point said:
“What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception. This tactic is vicious and effective in making anyone do anything for you, and in this case, the malicious activity was seen at the highest levels of sovereignty. Furthermore, it’s noteworthy how the threat actors utilize Dropbox to mask themselves from detection.”