Chinese-speaking cyberespionage actors have targeted the Afghan government, using Dropbox for command-and-control (C2) communications and going so far as to impersonate the Office of the President to infiltrate the Afghan National Security Council (NSC), researchers have found.
According to a report published by Check Point Research (CPR) on Thursday, this is just the latest in a long-running operation that goes back as far as 2014, when the same threat actors also targeted the Central-Asian countries of Kyrgyzstan and Uzbekistan.
The suspected advanced persistent threat (APT) group has been dubbed IndigoZebra. Kaspersky researchers, for their part, included the APT among the Chinese-speaking actors listed in their APT Trends report for the second quarter of 2017.
At the time, Kaspersky said that the IndigoZebra campaign was targeting former Soviet Republics with “a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called ‘xCaon’.” According to Kaspersky’s 2017 report, the campaign shared ties with other well-known Chinese-speaking actors, though no definitive attribution was made at the time.
According to CPR, Thursday’s report is the first time that a fuller set of technical details relating to the operation has been publicly disclosed. Its report includes analysis of the xCaon backdoor, as well as the latest version, which CPR has christened BoxCaon and which uses the Dropbox cloud-storage service as a C2 server.
‘From the Office of the President of Afghanistan’
As so many do, the IndigoZebra campaign starts with booby-trapped emails. CPR kicked off its investigation in April, when an official at the Afghanistan National Security Council (NSC) received an email allegedly from the Administrative Office of the President of Afghanistan. The email urged the recipient to review the modifications in the document related to an upcoming press conference of the NSC.
Even though the APT is thought to be Chinese-speaking, and even though the target is the government of Afghanistan, where the official language is a Persian dialect called Dari, the email was written in English, as the above screen capture shows. CPR told Threatpost that this probably has to do with the fact that the topic of the lure email was related to a press conference.
The email has a poisoned attachment: a password-protected RAR archive named NSC Press Conference.rar. Once a targeted user clicks on the archive, the extracted file, NSC Press conference.exe, acts as a dropper.
To lull the victim who’s running the executable into thinking that yes, they are in fact opening a press conference-related document, the attackers used what researchers called a “simple trick”: they set up the executable so that it opens the first document on the victim’s desktop when the user executes the dropper. Regardless of whether the dropper found a document to open, it goes ahead and drops the backdoor to C:\users\public\spools.exe and executes it.
Dropboxed in With the BoxCaon Dropper
The backdoor communicates with a preconfigured, unique-to-every-victim Dropbox folder in an attacker-controlled account. That serves as the address where the backdoor pulls further commands and stores the information it steals.
Using the legitimate Dropbox API helps to mask the malicious traffic in the target’s network, researchers said, given that there are no communications with oddball websites showing up.
“When the attackers need to send a file or command to the victim machine, they place them [in] the folder named “d” in the victim’s Dropbox folder,” according to the report. “The malware retrieves this folder and downloads all its contents to the working folder. Finally, if the file named ‘c.txt’ – that contains the attacker command, exists in this working folder, the backdoor executes it using the ComSpec environment variable, which normally points to the command line interpreter (like cmd.exe), and uploads the results back to the Dropbox drive while deleting the command from the server.”
The backdoor establishes persistence by setting a registry key designed to run anytime a user logs on.
The researchers found close to 30 samples of the xCaon variant, each with slightly different functionality but all bearing similarities with the spools.exe BoxCaon backdoor. One such similarity was a “very specific” implementation of command execution, they said: “first constructing the ‘ComSpec’ string on stack, using the same path naming convention for the output file, and deleting it right after the execution.”
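The C2 and persistence behaviour described above (an executable dropped to C:\users\public, a logon-time registry key, commands fetched over the Dropbox API and run through %ComSpec%, which normally resolves to cmd.exe) maps to a handful of host telemetry checks a defender can correlate. The following is an added example written for this article, not code from CPR or from the report: it runs four such rules over a small set of constructed, Sysmon-style event records. The Dropbox API host names, the per-host allowlist of processes permitted to use that API, the HKCU Run key path and every event record are assumptions made for the example; the article gives only the spools.exe path and the fact that persistence is a logon-time registry key.

```python
"""Constructed detection logic for BoxCaon-style tradecraft (added example).

Event records below are constructed for this example; they mimic the fields of
Sysmon-style telemetry but are not taken from any real host or from CPR's report.
"""
import ntpath
import re

# Dropbox API endpoints (assumed for this example; the article says only that
# the backdoor uses the Dropbox API, not which hosts it contacts).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Processes permitted to talk to the Dropbox API on a managed host (assumed allowlist).
ALLOWED_DROPBOX_PROCESSES = {"dropbox.exe"}

# Logon-time autorun keys. The article says persistence is a registry key run at
# user logon; the HKCU/HKLM ...\CurrentVersion\Run keys are assumed here.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PUBLIC_DIR_RE = re.compile(r"^C:\\Users\\Public\\", re.IGNORECASE)

# The four stages of the chain the article describes, one rule each.
RULES_IN_CHAIN = (
    "exe_dropped_in_public",                # backdoor written to C:\users\public
    "run_key_to_public_exe",                # logon persistence pointing at it
    "dropbox_api_from_unexpected_process",  # C2 over the Dropbox API
    "cmd_spawned_from_public_dir",          # command file executed via %ComSpec%
)


def in_public_dir(path):
    """True for paths under C:\\Users\\Public (case-insensitive)."""
    return bool(PUBLIC_DIR_RE.match(path))


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def analyze(events):
    """Run the four rules over event dicts; return a list of (rule, detail) pairs."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "file_create" and in_public_dir(e["target"]) and base(e["target"]).endswith(".exe"):
            findings.append(("exe_dropped_in_public", e["target"]))
        elif kind == "registry_set" and RUN_KEY_RE.search(e["key"]) and in_public_dir(e["value"]):
            findings.append(("run_key_to_public_exe", e["key"]))
        elif (kind == "network" and e["dest_host"] in DROPBOX_API_HOSTS
              and base(e["image"]) not in ALLOWED_DROPBOX_PROCESSES):
            findings.append(("dropbox_api_from_unexpected_process", e["image"]))
        elif kind == "process_create" and base(e["image"]) == "cmd.exe" and in_public_dir(e["parent_image"]):
            findings.append(("cmd_spawned_from_public_dir", e["parent_image"]))
    return findings


def chain_complete(findings):
    """True when every stage of the described chain has been observed on the host."""
    seen = {rule for rule, _ in findings}
    return all(rule in seen for rule in RULES_IN_CHAIN)


# Constructed sample telemetry: one full BoxCaon-like chain plus two benign events.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": "C:\\Users\\victim\\Desktop\\NSC Press conference.exe",
     "target": "C:\\Users\\Public\\spools.exe"},
    {"type": "registry_set", "image": "C:\\Users\\Public\\spools.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\constructed_value_name",
     "value": "C:\\Users\\Public\\spools.exe"},
    {"type": "network", "image": "C:\\Users\\Public\\spools.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"type": "network", "image": "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},          # benign: allowlisted client
    {"type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\Public\\spools.exe", "command_line": "cmd.exe /c ver"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cmd.exe"},  # benign: user shell
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule}: {detail}")
    print("full chain observed:", chain_complete(found))
```

Each rule on its own is noisy (plenty of software writes to C:\Users\Public, and the Dropbox client is legitimate); the value is in requiring several stages from the same host before raising an alert, which is what chain_complete does. Anything that uses the Dropbox API from a binary other than the allowlisted client is the cheapest single signal here, since the article's point is that the C2 traffic otherwise blends in.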
The earliest sample they found dates back to 2014. Based on similarities in code and functionality, the researchers determined that the BoxCaon backdoor is a variant of the same xCaon family that Kaspersky referenced in its 2017 report – “hence the name,” they said.
The variant they tracked is the only xCaon version that communicates over Dropbox’s API using cleartext commands, the researchers said, as opposed to other variants’ use of the HTTP protocol with Base64+XOR encryption to communicate with the attackers’ own C2 servers.
The Dropbox variant (BoxCaon) was spotted targeting officials in the Afghan government, while the HTTP variants were going after political entities in Kyrgyzstan and Uzbekistan.
[Illustration from the report: the malicious actions the threat actors executed]
Ongoing Spearphishing Against the Afghan Government
Lotem Finkelsteen, head of Threat Intelligence at Check Point Software, told Threatpost that the detection of cyberespionage is a “top priority” for the company. “This time, we’ve detected an ongoing spear-phishing campaign targeting the Afghan government,” he said via email. “We have grounds to believe that Uzbekistan and Kyrgyzstan have also been victims. We’ve attributed our findings to a Chinese-speaking threat actor.”
He called it “remarkable” that the threat actors used the tactic of ministry-to-ministry deception. Such a tactic is both “vicious and effective,” he said, when it comes to “making anyone do anything for you. In this case, the malicious activity was seen at the highest levels of sovereignty.”
Another remarkable aspect is the use of Dropbox to cover up their tracks, he said: a technique that “we should all be aware of, and that we should all watch out for.”
It’s possible that other countries have also been targeted by this APT group, he concluded, “though we don’t know how many or which countries.” In its report, CPR shared a list of other possible domains used in the attack, in the hope that “their names can be leveraged by other cyber researchers for contribution to our own findings.”