Skip to content

G0136 IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.123

Item Value
ID G0136
Associated Names
Version 1.0
Created 24 September 2021
Last Modified 16 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.2
enterprise T1583.006 Web Services IndigoZebra created Dropbox accounts for their operations.12
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.2
enterprise T1105 Ingress Tool Transfer IndigoZebra has downloaded additional files and tools from its C2 server.2
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool IndigoZebra has acquired open source tools such as NBTscan and Meterpreter for their operations.23
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.12
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.1

Software

ID Name References Techniques
S0651 BoxCaon - Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data from Local System Local Data Staging:Data Staged Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service File and Directory Discovery Ingress Tool Transfer Native API Obfuscated Files or Information System Network Configuration Discovery Bidirectional Communication:Web Service
S0012 PoisonIvy - Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Active Setup:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0653 xCaon - Web Protocols:Application Layer Protocol Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Native API Security Software Discovery:Software Discovery System Network Configuration Discovery

References

Back to top