Attackers Spread Cobalt Strike via IndigoDrop In Government Directed Attacks
Government organizations continue to be a prime target for cybercriminals. In the latest campaign, cybercriminals were seen attacking military and government organizations in South Asia in a targeted attack.
Attackers used legitimate-looking lures to trick the target into infecting themselves. They employed a highly modular infection chain to instrument the final payload, and used an existing offensive framework, containing full-fledged RAT capabilities.
- In June, Cisco Talos researchers reported a campaign carried out a multistage attack by utilizing military-themed malicious Microsoft Office documents (maldocs) to spread customized Cobalt Strike beacons.
- The attack consisted of a highly modular dropper executable called "IndigoDrop" dropped to a victim's endpoint using maldocs. IndigoDrop obtained the final payload (Cobalt Strike beacons) from a download URL for deployment.
- IndigoDrop utilizes both attacker-operated remote locations and public data hosting platforms (Pastebin, Bit.ly, etc.) to host Metasploit downloader shellcode.
Recent Cobalt Strike attacks
Several hacking groups have been misusing Cobalt Strike, a multifunctional penetration testing tool similar to Metasploit, in different infection chains.
- In June 2020, a multi-stage APT attack used Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communications.
- In May 2020, malicious actors executed a large number of reconnaissance scripts via Cobalt Strike to collect network, host, filesystem, and domain-related information via spam emails and exploit kits.
- In March 2020, a spam campaign targeted people in Italy with the TrickBot information-stealing malware and launched PowerShell Empire or Cobalt Strike to give the Ryuk Ransomware actors access to the infected computer.
Users should combine network-based detection with endpoint protections to combat such threats and provide multiple layers of security. Organizations should investigate and remediate any known infections and consider them as possible vectors for sophisticated human adversaries.