# IndigoDrop spreads via military-themed lures to deliver Cobalt Strike **blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html** By Asheer Malhotra. Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. ## What's new? ----- Cisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with customized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that military and government organizations in South Asia were targeted by this attack. ## How did it work? The attack consists of a highly modular dropper executable we're calling "IndigoDrop" dropped to a victim's endpoint using maldocs. IndigoDrop is responsible for obtaining the final payload from a download URL for deployment. The final payloads currently observed by Talos are Cobalt Strike beacons. In this post, we illustrate the core technical capabilities of the maldocs, IndigoDrop and the Cobalt strike beacons components including: The maldocs-based infection chain. IndigoDrop's functionality. Communication mechanisms and infrastructure used to download infection artifacts. Detailed configurations of the Cobalt Strike beacons. ## So what? This attack demonstrates how the adversary operates a targeted attack that: Uses legitimate-looking lures to trick the target into infecting themselves. Employs a highly modular infection chain (implemented in the IndigoDrop) to instrument the final payload. Uses an existing offensive framework (Cobalt Strike) to establish control and persist in the target's network without having to develop a bespoke remote access trojan (RAT). Analysis of recently discovered attack-chain variations provides insights into the evolution of this threat. These evolutions indicate the changes in tactics and techniques of the attackers used to continue attacks while trying to bypass detections. This campaign also shows us that while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections for additional layers of security. ## Analysis of maldocs This attack uses two techniques to deliver malicious macros to be executed on the target's endpoint: Malicious macros already embedded, ready to execute. [Malicious macro downloaded as part of an externally linked template that is then injected into the original lure maldoc.](https://blog.talosintelligence.com/2017/07/template-injection.html) **Maldoc lures** This attack consisted of maldocs masquerading as internal government or military documents. For example, some of the maldocs discovered by Talos masquerade as Indian Air Publications (IAP) documents dictating safeguard procedures for the IT infrastructure of the Indian Air Force (IAF). These documents are aptly named: IAP3903.doc - Contains embedded malicious macro. IAP39031.docx - Uses template injection. Sample content of the maldoc lures: ----- **Fake document or weaponized copy?** Many targeted attacks employing maldocs observed by Talos usually consist of utmost a couple of pages of decoy content to make them look legitimate. The documents used in this attack, however, contain legitimate content (~64 pages, ~15k words), making them seem even more ----- bonafide. Talos also found a benign copy of one of the maldocs indicating that it is highly likely that the attackers weaponized and distributed it to targets (Benign copy hash: 0d16b15972d3d0f8a1481db4e2413a2c519e8ac49cd2bf3fca02cfa3ff0be532). **Malicious VBA Analysis** This section consists of an analysis of malicious macros used to carry out the attacks using: Locally embedded malicious macros and Malicious macros embedded in the injected templates downloaded from a remote location. The malicious macros carry out the following malicious activities: 1. Parse a Windows executable's hardcoded bytes into bytes that can be written to a file on disk. 2. The parsed bytes are written to an EXE file in the currently logged in user's Startup directory: E.g. %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anything.exe 3. Once the malicious EXE (second-stage payload — IndigoDrop ) has been written to the user's Startup directory the macro quits execution without executing the actual second-stage payload. 4. The attack relies on the user either logging in again or restarting the system to activate the second-stage payload on the infected endpoint. 5. The second-stage payload in this attack is a custom dropper (IndigoDrop) that carries out a variety of tasks. Malicious macro code: **Maldoc distribution** One of the maldocs disclosed here was referred to by a Bit.ly-shortened URL (created Jan. 23, 2020) — hxxp://bit[.]ly/iaf-guidelines — which redirects to hxxp://tecbeck[.]com/IAP39031[.]docx. It is highly likely that the attackers hosted the maldocs on a public server and distributed the direct or Bit.ly links to the targets in the form of spear-phishing emails. This may be done to bypass detection systems that scan email attachments for malware. ## Stage 2: Dropper binary — IndigoDrop The second-stage binary dropped to disk by the maldocs is a malicious dropper/loader we're calling "IndigoDrop" designed to download and activate a customized Cobalt Strike beacon (final payload DLL) from another remote location. Before we delve into a detailed analysis, some of the key operational features of IndigoDrop are: Highly modular in nature: IndigoDrop usually consists of three hardcoded locations that can be used to download and activate the next payload. ----- In this attack, IndigoDrop utilizes both attacker operated remote locations and public data hosting platforms such as pastebin[.]com to host the next stage payloads.It is highly likely that this dropper may download the final payload from these remote locations (likely done in other variants of the attack). However this instance of the attack downloads a Metasploit shellcode from the hardcoded remote locations. We will refer to this Metasploit shellcode as Stage 2A in this post (detailed later-on).The Metasploit shellcode (Stage 2A) is hosted in the form of a Base64 encoded string on the download locations. This shellcode is base64 decoded, unhexlified and executed on the endpoint as part of IndigoDrop's execution. Base64-encoded Metasploit shellcode: Base64-decoded Metasploit shellcode: **IndigoDrop analysis** This dropper performs the following actions on the endpoint: Establish persistence using the registry Run key for itself in location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run | iexplorer = cmd /c /onboot -hide E.g. Download and execute the Stage 2A Metasploit shellcode. Anti-Infection Checks: Check the current Username, Computername, parent folder name, MAC addresses, Public IP addresses against a list of blocked values. If any of the values match, IndigoDrop quits (Blocked values listed in the IOC section). ## Stage 2A: Metasploit (MSF) downloader shellcode The Metasploit shellcode is a modified reverse HTTP stager meant to download a malicious file from the specified download location. This shellcode (stage 2A) is usually hosted on a public hosting site such as pastebin[.]com. The malicious file downloaded is usually a copy of a trojanized jquery[.]min.js file. The malicious jQuery file consists of: Legitimate JavaScript (JS) code at the top and end of the file. At a specific offset in the file is yet another shellcode (referred to as Stage 3A). ----- The Metasploit HTTP stager carries out the following actions in sequence: 1. Connect to the malicious attacker-controlled IP address. 2. Download the malicious jquery-3.3.0.min[.]js file to an executable memory location. 3. Jump to the malicious shellcode embedded in the jquery file and start executing Stage 3A. Malicious jquery file: Stage 2A Metasploit shellcode downloading the jQuery file to executable memory and jumping to the specified offset: ## Stage 3A: Decoder shellcode The malicious jQuery file contains the decoder shellcode (Stage 3A) and the final Cobalt Strike beacon DLL. The beacon DLL is, however, XOR-encoded. It is the responsibility of the decoder shellcode to decode and activate this final payload in the dropper process' memory. Decoder shellcode decoding the final RAT payload: ----- ## Stage 3B: Cobalt Strike beacon The final RAT payload is actually a Cobalt Strike beacon. Once the beacon DLL has been decoded, the decoder shellcode (Stage 3A) jumps to the beginning of the MZ in memory instead of going to the DllEntryPoint. This is done to calculate and jump to the address to the loader routine (usually also an exported subroutine) that will carry out reflective-DLL-loading of the Cobalt Strike beacon DLL in the dropper process' memory. Code beginning at the beacon's base image calculating and jump to address of the reflective loader (via call ebx): After the loader routine has completed setting up the DLL in memory (re-building Imports, base relocations, etc.) it will then jump to the DllEntryPoint (or DllMain) of the beacon to activate the final and most important stage of the infection — the actual RAT components of the beacon. **Configurations used** [Cobalt Strike beacons use configurations specified via ".profile" files in the framework. These configurations describe various characteristics](https://www.cobaltstrike.com/help-malleable-c2) of the malicious payload (beacon binary) including: C2 configuration Communication protocols Process injection techniques, etc. The profiles used in this attack by the beacon binaries attempt to mimic a legitimate jquery request. The most common configurations used in this attack were: Beacon type = HTTP CnC URL resource location = /jquery-3.3.1.min.js HTTP Post location = /jquery-3.3.2.min.js User Agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 ----- HTTP Get Metadata Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Host: code.jquery.com Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate __cfduid= Cookie HTTP Post Metadata = Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Host: code.jquery.com Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate __cfduid Idle DNS IP = 74[.]125.196.113 (google[.]com) Spawn processes = %windir%\syswow64\dllhost.exe %windir%\sysnative\dllhost.exe Process injection configuration = ntdll:RtlUserThreadStart CreateThread NtQueueApcThread-s CreateRemoteThread RtlCreateUserThread **Capabilities** The Cobalt Strike beacons used in this attack support a wide variety of capabilities (also known as commands) including: Execution of arbitrary code in target processes via injection. Execution of arbitrary commands on the infected endpoint. Download and upload files. Impersonate users. Enumerate, copy, delete, timestomp files. Modify, query the Windows registry. Use of malleable jquery CnC profiles to impersonate legitimate traffic. The overall infection chain is illustrated as follows: ----- ## Pastebin usage: This attack utilizes pastebin[.]com extensively to host the Metasploit downloader shellcode (Stage 2A). The shellcode hosted on pastebin is either created through a guest account or owned by five registered accounts, specifically: hxxps://pastebin[.]com/u/r_ajeevshikra hxxps://pastebin[.]com/u/ra_jeevshikra hxxps://pastebin[.]com/u/raj_eevshikra hxxps://pastebin[.]com/u/raje_evshikra hxxps://pastebin[.]com/u/rajeev_shikra Pastebin account operated by the attacker: The base64-encoded Metasploit downloader shellcode (Stage 2A) hosted on Pastebin. ----- ## Python components Talos also found Python-based modules related to this threat (pyinstaller EXEs). These modules may have been used in a different campaign or deployed by the Cobalt Strike beacons as part of this attack. Two python modules discovered served the following purposes: Gather initial system information and send it to the C2 server. Extract credentials from the infected system and print to console. Sysinfo gathering capabilities of the Python modules: Credentials stolen from the endpoint by the other python module were from: Google Chrome Microsoft Edge Opera ----- Mozilla Firefox WiFi credentials Credential-stealing module of the attack (snip): ## Evolution of attacks Talos discovered multiple variants of the attack instrumenting the Metasploit shellcode and ultimately activating the final payload (Cobalt Strike beacons). This section shows the evolution of the attack and the introduction/modification of its features at different stages of the engineering process. **Apr 2018: No droppers** ----- This is the earliest discovered variant of the attack. The threat also begins with a maldoc containing a malicious macro. The payload dropped to disk is a ".crt" file. This file is decoded by the malicious macro using 'certutil' to obtain the next stage payload binary (EXE) which is then executed on the target endpoint. The payload activated by the macro is not a dropper. This early variant of the attack does not utilize an intermediate dropper to download and activate the final beacon on the endpoint. Instead, the binary decoded and executed on the endpoint by the malicious macro is just an SMB-based Cobalt Strike beacon. This SMB beacon continues to appear in maldocs created as late as September 2019. **May 2019: Cobalt Strike Macros** Around May 2019, the attackers tested the use of VBA macro based stagers generated by Cobalt Strike. This attack-chain consists of a maldoc with an embedded macro. The macro consists of code that can inject the hardcoded MSF downloader shellcode (Stage 2A) into a benign 32-bit process. The macro code used to inject shellcode into rundll32.exe contacts the local team server 192[.]168.146.137/eKYS for infection tests: **Sept 2019: Test samples and embedded MSF shellcode** The attackers started experimenting with and testing custom droppers in September 2019 to include a new module — the next stage (Stage 2A) Metasploit downloader shellcode. The Metasploit downloader shellcode was embedded in the test samples and connected to a local IP address to download the third-stage payloads (Stages 3x). The dropper seen here is the earliest discovered instance of IndigoDrop. Metasploit downloader connecting to a local IP in the dropper: ----- **Sept. 2019: Productionized samples and embedded MSF shellcode** The attackers finalized their attack structure in September 2019 and started distributing copies of IndigoDrop. These droppers were based on earlier test samples (also built in September 2019) and similarly contained embedded MSF downloader shellcode. These droppers now connected to public IPs operated by the attackers to download the third-stage payloads. **September 2019: Python Downloaders; No MSF shellcode** Around the end of September 2019, the attackers started utilizing another infection tactic: The use of Python plus EXE-based downloaders/droppers. These droppers were multi-staged where: The actual dropper was a malicious EXE file. This dropper would extract an embedded DLL and drop it to disk. The dropper then activates the DLL using rundll32.exe. The DLL is responsible for downloading and executing the third-stage payload from an attacker operated server. The DLL does this by executing minimal python code using the python27.dll library. These droppers did not utilize the embedded MSF shellcode like their predecessors. Instead, the shellcode was hosted on an attackercontrolled and operated server. Python code executed by the Python library in the downloader: Decoded base64 Python code: ----- **g** **g** The attackers started using pastebin[.]com to host their MSF downloader shellcode (Stage 2A) in October 2019. The IndigoDrop samples built during this time period now also included the capabilities to persist another component of the infection (usually located at "%userprofile%\AppData\Local\Microsoft\svchost.exe" ) via registry and the Windows Startup folder. IndigoDrop downloading the MSF shellcode from Pastebin: **Late October 2019 - Present: Multiple Pastebins and anti-Infection checks** Having realized the utility of Pastebin, the attackers upgraded their IndigoDrop implementations to use multiple Pastebins to download the MSF shellcode. The multiple pastes were meant to be backups of each other if any of them were removed. The attackers used a combination of Pastebins and attacker-operated download servers, as backups if the pastes were removed. These IndigoDrop instances also introduced the Anti-Infection checks (detailed earlier) to the infection chain. Base64-encoded Pastebin and attacker-downloaded URL in an IndigoDrop sample: The evolution of attacks is illustrated here: ## Conclusion This investigation illustrates an attacker using multiple tools and techniques to implement their full attack chain. A variety of infection artifacts are utilized ranging from bespoke tools (IndigoDrop) to customizable adversarial tools (Cobalt Strike beacons). The attackers also use a combination of public and private servers to host their malicious payloads with a growing trend towards the sole usage of public servers. The use of military-themed maldocs (lures) indicates that government and military organizations in South Asia may be the targets of this threat actor. The maldocs contain bonafide content and are most likely weaponized copies of benign documents known to peek the interests of their targets. ----- The attack variants discovered over time show us that the threat actor can evolve their TTPs in a short period of time. The earliest observable campaigns of this actor date back to April 2018 and continue to operate today along with the most recent evolutions of the attacks. Evidence of rapid ideation, testing and production of new and diversified modules and IndigoDrop iterations indicates highly motivated and agile adversaries. The use of adversarial frameworks like Cobalt Strike suggests that the attackers are looking to expand their malicious arsenal at a significant rate with self-authored and customizable artifacts. Modern-day malware attack chains consist of multiple stages and operational entities. These artifacts and entities may be hosted locally or on remote servers. For example, this attack consists of multiple shellcodes hosted on remote locations downloaded by a local component (IndigoDrop) during runtime to instrument the attack chain. Thus, while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections. ## Coverage Ways our customers can detect and block this threat are listed below. [Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot](https://www.cisco.com/c/en/us/products/security/advanced-malware-protection) showing how AMP can protect customers from this threat. Try AMP for free [here.](https://cisco.com/go/tryamp) [Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) malware used in these attacks. [Email Security can block malicious emails sent by threat actors as part of their campaign.](https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) [Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and](https://www.cisco.com/c/en/us/products/security/firewalls/index.html) Meraki MX can detect malicious activity associated with this threat. [Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.](https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) [Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off](https://umbrella.cisco.com/) the corporate network. [Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.](https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html) Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org.](https://www.snort.org/products) Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below: [IndigoDrop](https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_indigodrop_filepath.yaml) ## Indicators Of Compromise (IOCs) The following IOCs are related to this threat. **Maldoc Hashes** 7a5b645a6ea07f1420758515661051cff71cdb34d2df25de6a62ceb15896a1b6 b11dbaf0dd37dd4079bfdb0c6246e53bc75b25b3a260c380bb92fcaec30ec89b aeb38a11ffc62ead9cdabba1e6aa5fce28502a361725f69586c70e16de70df2c 71c88a59b16dbcf7f061d01ea2015658136a8d4af60beb01caa94eeb74c733cd ab209db9694a3b69427fc5857a8a47d0822db4d8372434fc091dfc3e85510719 ----- 4a6990be2d43f482fe2ab377b5e798da47ba7e02f23dfb6dba26b5011e222d25 7deeb35d7e88b769d286cc7892ee5966a27c39f03c8ac12dec21733faeffa350 **Dropper Hashes** 3bb90869523233cf965cf4a171d255c891c0179afd6d28198aa2af4e934f0055 570ef552b426f8337514ebdcb5935a132e5a8851a7252528c49d6d0d4aba34d9 059606e707a90333528043bdefbc7a55a27205aabed0ccd46c3966c2a53eea4e 1cda23e924ca606593a31ad54973266676c6540487a3baa29992c172d380bbd6 23091a9383704d22468f6e54babd57e64ced344900e5d3d693daf8bf609c997b a2bf84f96f8d616ea248ac8f7bbb9d31b22920be4b3991982be0a88326303470 3cfbf274265860f176d6dbfad4df45a9c6953b71f9f439c87aeac36b38fde5b5 c31afceaef91380c658e4d77a78689cafb0f4179f3b251200e969195cbf4cf7b 1c3f185951b21d35f13b2a999a5d4d6b6db8f4b913e3b198fb2c86d4cd0b7781 852d4c98a786cb2b0fb10b4513163e3934b66e4d95a66de8ddcc6abc066dc61d 78ff0507cac9828fb94595d702cd2c22b8bec7a57c2159b78c924c0d0d5f8ccb e40bdd8ff9e6432008afd54d6d526049ac6bd925dadc2b5a38f78c96df950d1a cc0787025b297ed80e322d30b655d7c84c7c3a0d18c2089b4f545a03214b7557 e2db20377e8cc65c4cf262df15e47fc21b9a9f83fb7931d44b8d28c6b9ffc0f1 a319395e6cf01edb4c6ca879f36a11f4cf33b58657de379123851c63da6a3ef4 bec281baf1312fd059a315d5890ac3c959909047b3473103b069e5ca2ba2fdd1 e9b00f6f47eb70b35713bf7afd345a197f6d290afb8d2684afd8345edc086b29 c9ee415401566139237b14373f6a7a36013b6af693c729b9a5c21cc40e0ad5c6 f9a344c251dc391c5d12e8011185fe033b5ae902c5a866ccd8d8b49881b17151 3e196c77c006e299f26fb05df15644366433fceed73219e0ba6acef0b881531b 5a1a9a6bfc422bd547536e340725328cb04fd72587d83f7e06682abdeddb69a7 95bb65edc9e8e070680e0c85f72927a2bbb553f96fc1078d85e7df7a02c15165 365af2ddad27701d9d17a069b21dc95d39a2d2c5f78bea655db9123ff05fe086 b9c703dba1977fb34e9f6ac49ccdd0efb752ed010939d54f30f8d91358a9214d 7b0494937fd5a2bedf94999553d37e6049e45b935732a594e833078ed483a5ed d6f62ce9696887693081373b87792fa53617f8412fa8e6b1a7de1a01070a9bae d3f3df7cf1ece2519829ee75d29ca054e8233896b7fe50b41eaafda497ff0498 82155aaf86ba3555d5e809500c67da51e1586a6a97a9755870e22900c8790019 b3650199d6713d669992eebb3c4f05c80a97c470596170b5be16257b73785957 8f1abb122f35e66f20bd345323fb5eb8dbdbde785137c80c1e55fdaf525520bd aa05a822f26a493efb27046f772790cc67cca29cd9f842b7bc6df2b391ce2ff8 59fd696f95182be1a51011caec172c5461ddacd556a43c329d939842cf7e7d7f **Python module EXEs** 3aa06700a22808978744aa83d9e084c358517f60525c89236f142b7aa2ce0bef 85e69341f2fe9b97cf0bc81dc63917e62bb17072bcd20fc6125d241623e68660 3066e859109397180c63797c4b779633569ac0c88b54c7cf73752f7895f39629 4260de850b4003c9d4663afea00ba57ec02761f687dba1117ded0a8b20c6b5bb a657bb83fe62e4b555d20463bf090f3349e55e1560507f2197a42c2c3f152667 ce438b0d30dd1c221e3c7ab99585acb4254deaf68bdfb8fc73eb206d8fd04771 **Cobalt Strike Beacon Hashes** 482858b70888acf67a5c2d30ddee61ca7b57ff856feaad9a2fa2b5d4bc0bbd7d 689f7d3f0def72248c4ff4b30da5022ec808a20e99b139e097c2a0d0ba5bab66 dbb5bba499e0ab07e545055d46acf3f78b5ed35fff83d9c88ce57c6455c02091 e37a0b4145f22ce7f7478918320c019a6014060cb033aafec18a8d130c4c426b 4b0c2f790c7b9c84517648bb36964c859629736dab1fa5466d91bd23f69c9b55 c2d9bbd5163a8e733483bf5d0d4959f053a2307d275b81eb38e69d87f1f5df7e a0cfec815cb74a7671265fd5e0790a2a79c05fe0ef16d2d0c87584049d06658b **Malicious JQuery Files containing the beacons** 1ea22d132c1d478347d7e4e72d79bae29f18df9bec5a3016a5a9971f702a8095 b9efca96d451c0b4028b6081456c1ddd3035ab39e6a60bdd831bcf4a472a31ae b081b818e5fbd5d2741822c9e161e536a8497764fab5ac79143614bbce8308f6 d2fd448a386416fdad0059be1bb61f49e99fc76e7efbd5f5e377dbbf6e7e3599 bdbc9dc2f2812a9808357aafe908e7206c9168bc7fea761dec871926de23eec0 **Maldoc distribution URLs** ----- hxxp://bit[.]ly/iaf guidelines hxxp://tecbeck[.]com/IAP39031[.]docx hxxp://bitly[.]com/38A5BEO **Cobalt Strike beacon CnC URLs** hxxp://134[.]209.196.51/jquery-3.3.1.min.js hxxp://134[.]209.196.51/jquery-3.3.2.min.js hxxp://139[.]59.1.154/ca hxxp://139[.]59.1.154/submit.php hxxp://139[.]59.79.105/jquery-3.3.1.min.js hxxp://139[.]59.79.105/jquery-3.3.2.min.js hxxp://188[.]166.14.73/jquery-3.3.1.min.js hxxp://188[.]166.14.73/jquery-3.3.2.min.js **IP Addresses** 134[.]209.196.51 134[.]209.200.91 139[.]59.1.154 139[.]59.79.105 139[.]59.81.167 157[.]245.78.153 165[.]22.201.190 178[.]62.210.85 188[.]166.14.73 188[.]166.25.156 202[.]59.79.131 **MSF shellcode URLs** hxxp://139[.]59.1.154:8201/cmelkmkl.txt hxxp://157[.]245.78.153/11.txt hxxp://157[.]245.78.153/12.txt hxxp://157[.]245.78.153/21.txt hxxp://157[.]245.78.153/22.txt hxxp://157[.]245.78.153/31.txt hxxp://157[.]245.78.153/32.txt hxxp://157[.]245.78.153/41.txt hxxp://157[.]245.78.153/42.txt hxxp://157[.]245.78.153/51.txt hxxp://157[.]245.78.153/52.txt hxxp://202[.]59.79.131/7XyT hxxp://202[.]59.79.131/o2Q7NGUwpFfDzcLMnkuMyAy-IGt8KERPl-6lrRhxcbPJkZwAr33 hxxp://202[.]59.79.131:8080/8g-QvDrvM4hSI0c3D6iC8Aib6wZbs **jQuery/Decoder shellcode URLs** hxxp://134[.]209.196.51/jquery-3.3.0.min.js hxxp://134[.]209.200.91/jquery-3.3.0.min.js hxxp://139[.]59.1.154/ToKN hxxp://139[.]59.79.105/jquery-3.3.0.min.js hxxp://139[.]59.81.167/jquery-3.3.0.min.js hxxp://165[.]22.201.190/jquery-3.3.0.min.js hxxp://188[.]166.14.73/jquery-3.3.0.min.js hxxp://188[.]166.25.156/jquery-3.3.0.min.js hxxp://202[.]59.79.131/YZn_pcfLiUILewp6Vuku9gvUqfMFnPLBP5Aju9QS709n4zRAd-3e4IuPF5kv0uhXSAiJqurq5yPJB9zSZ5rHig07RcWcQPIPD04YZhq1JCGWwYIAfFFHI0qj4LRDhsuaBdQEihGmxzZ8obxUbv5RUfaxm7XwOkWJK8D9xK5gibPGGBiNs41hYB0Kar325FCcCJAIFIzWOw9WLOt6EfrWaEO69aHp **MSF shellcode Pastebin URLs** hxxps://pastebin[.]com/raw/zT57Pkzj hxxps://pastebin[.]com/raw/kf3y5uzt hxxps://pastebin[.]com/raw/ftfSHyPz hxxps://pastebin[.]com/raw/hAKzruWe hxxps://hastebin[ ]com/raw/ufaxamogav ----- hxxps://pastebin[.]com/raw/KzmUrrnB hxxps://pastebin[.]com/raw/aMfFtqjq hxxps://pastebin[.]com/raw/Q6bMcduX hxxps://pastebin[.]com/raw/7VmV7jXA hxxps://pastebin[.]com/raw/8E8YCryu hxxps://pastebin[.]com/raw/1tKX0v5U hxxps://pastebin[.]com/raw/kpn2k1jc hxxps://pastebin[.]com/raw/xiV89Xa9 hxxps://pastebin[.]com/raw/ZMTjGJUn hxxps://pastebin[.]com/raw/CRuQvJk1 hxxps://pastebin[.]com/raw/zbL0w8sm hxxps://pastebin[.]com/raw/yP7eQKsv hxxps://pastebin[.]com/raw/1Q7jYDmz hxxps://pastebin[.]com/raw/vc8TUZPN hxxps://pastebin[.]com/raw/R0HzuGWE hxxps://pastebin[.]com/raw/ehQyY1YX hxxps://pastebin[.]com/raw/LRztjgkq hxxps://pastebin[.]com/raw/QyDZhfer hxxps://pastebin[.]com/raw/MQUG0Q07 hxxps://pastebin[.]com/raw/LtVteHbz hxxps://pastebin[.]com/raw/k2PQZqzF hxxps://pastebin[.]com/raw/azzHZ11B hxxps://pastebin[.]com/raw/4u1ScSn7 hxxps://pastebin[.]com/raw/5tSnVWcn hxxps://pastebin[.]com/raw/a0kPq7bq hxxps://pastebin[.]com/raw/cK8nhTYw hxxps://pastebin[.]com/raw/p34D4vbL hxxps://pastebin[.]com/raw/YVvG43bi hxxps://pastebin[.]com/raw/iyKjw7jR hxxps://pastebin[.]com/raw/0hAzfmrR hxxps://pastebin[.]com/raw/aGSg1f3Y hxxps://pastebin[.]com/raw/i5JkU138 hxxps://pastebin[.]com/raw/LQjs18Cy hxxps://pastebin[.]com/raw/rHeWv7t0 hxxps://pastebin[.]com/raw/bqL6CSp3 hxxps://pastebin[.]com/raw/WJFvRHXv ## IndigoDrop's anti-infection checks **Usernames blocked** admin 8a3YwFo8xYlc iBqxaDRj5T dPNNfpR fnIcszErnay y9NzUJ 0sNBuzz63Nl8 ZJsji0QShXfiM 3ALPeOppOKOEk C4EZdigYE64r 0M7vKY 6oVAnp A0T6Z0j1NFrrQ Johnson Olivia Vh2ij 5Li9Ls yMBCh9wwy FWpuxsyMQZZNW Admin Lisa QYbRCr TyLbns ----- H0USlDC58dVLE RmJCA Administrator_ **Computer names blocked** user-pc 8a3YwFo8xYlc-PC iBqxaDRj5T-PC dPNNfpR-PC fnIcszErnay-PC y9NzUJ-PC 0sNBuzz63Nl8-PC AVN671124898447 GXKKQO724201067 art-PC C4EZdigYE64r-PC 0M7vKY-PC 6oVAnp-PC TFT153265618011 AXWF10479288957 Johnson-PC Desktop-HRW10 Vh2ij-PC 5Li9Ls-PC yMBCh9wwy-PC PGHFTIGN5920348 CPCTBGSA2018901 ADMINIS-HJ9SRP3 Lisa-PC QYbRCr-PC TyLbns-PC SESW54921970303 RmJCA-PC **Immediate parent folder names blocked** Downloads mydownload Desktop system32 Temp **MAC addresses blocked** 00[:]07:e9:e4:ce:4d 60[:]02:92:e5:2f:30 60[:]02:92:77:fc:94 52[:]54:00:12:34:56 08[:]00:27:55:12:e3 60[:]02:92:89:76:36 00[:]00:00:00:00:00:00:e0 **IP Addresses blocked** 51[.]68.93.185 79[.]104.209.156 89[.]208.29.214 95[.]25.130.162 51[.]15.76.60 62[.]102.148.68 207[.]102.138.40 51[.]83.15.56 109[.]70.100.24 109[.]70.100.29 128[.]90.148.185 ----- 78[.]142.19.43 46[.]165.254.166 221[.]191.21.11 153[.]201.39.205 92[.]211.106.185 51[.]68.91.152 89[.]208.29.215 185[.]220.101.35 95[.]26.100.11 -----