IndigoDrop Trojan

IndigoDrop is a modular dropper trojan used in sophisticated campaigns against governmental, financial, and military organisations worldwide. It was first identified in the wild in September 2019, although it is believed to have been used in earlier attacks.


Affected platforms

The following platforms are known to be affected:

Threat details

Campaigns using IndigoDrop typically begin with delivery of a malicious macro-laden Office document. Some campaigns use externally linked template documents that call out to an attacker-controlled domain to download the macros. When opened, the macros will parse embedded data containing IndigoDrop into an EXE file before writing it to the user's Startup directory. When the user logs back in, the EXE is launched.

Once installed, IndigoDrop edits the Run registry key to establish persistence, then performs a number of anti-infection checks. If these checks pass, it downloads and executes a Metasploit shellcode script from a public text storage site. This script acts as a reverse HTTP stager that downloads a jQuery file from a specific command and control server; IndigoDrop then executes this file to decode and install the intended final payload. At the time of publication, IndigoDrop has only been observed delivering trojanised variants of the Cobalt Strike penetration testing tool.
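The chain described above gives a defender three host-level observables that can be correlated on the same executable: an Office process writing an EXE into a user's Startup folder, that EXE later setting a Run value, and the same EXE making an outbound connection. The Python below is an added example and is not part of the NHS Digital advisory; it runs that correlation over a handful of constructed Sysmon-style events. The event IDs follow Sysmon's numbering, but the field names, paths, SID, process IDs and the host name paste.example are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, shaped loosely after Sysmon event types
# (1 ProcessCreate, 3 NetworkConnect, 11 FileCreate, 13 RegistryEvent).
# Field names, paths, SID, PIDs and the host name are invented for this example.
DROPPED_PATH = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\svc.exe")
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUN_KEY = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\svc")

SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": WINWORD, "parent": r"C:\Windows\explorer.exe"},
    # Stage 1: the macro writes the decoded EXE into the user's Startup folder.
    {"id": 11, "pid": 4120, "image": WINWORD, "target": DROPPED_PATH},
    # Next logon: the dropped EXE starts and sets a Run value for persistence.
    {"id": 1, "pid": 5012, "image": DROPPED_PATH, "parent": r"C:\Windows\explorer.exe"},
    {"id": 13, "pid": 5012, "image": DROPPED_PATH, "target": RUN_KEY},
    # Stage 3: it reaches out to a paste-style site (placeholder host name).
    {"id": 3, "pid": 5012, "image": DROPPED_PATH,
     "dest_host": "paste.example", "dest_port": 443},
    # Benign noise that must not produce alerts.
    {"id": 11, "pid": 6000,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"C:\Users\alice\Documents\report.docx"},
    {"id": 13, "pid": 7000, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\BITS\Start"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Per-user and all-users Startup folders both contain this path fragment.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Run and RunOnce values under HKCU/HKU or HKLM.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_dropped_executable(ev):
    """FileCreate of an executable inside a Startup folder by an Office process."""
    return bool(ev["id"] == 11
                and basename(ev["image"]) in OFFICE_IMAGES
                and STARTUP_RE.search(ev["target"])
                and ev["target"].lower().endswith(EXEC_EXT))


def startup_binary_set_run_key(ev):
    """A process running from a Startup folder writes a Run/RunOnce value."""
    return bool(ev["id"] == 13
                and STARTUP_RE.search(ev["image"])
                and RUN_KEY_RE.search(ev["target"]))


def startup_binary_network(ev):
    """A process running from a Startup folder opens an outbound connection."""
    return bool(ev["id"] == 3 and STARTUP_RE.search(ev["image"]))


def find_chains(events):
    """Group hits by the Startup-folder executable and report those that hit
    two or more stages of the chain; a single stage on its own stays below
    the alert threshold to keep noise down."""
    stages = defaultdict(set)
    for ev in events:
        if office_dropped_executable(ev):
            stages[ev["target"].lower()].add("dropped_by_office")
        elif startup_binary_set_run_key(ev):
            stages[ev["image"].lower()].add("run_key_persistence")
        elif startup_binary_network(ev):
            stages[ev["image"].lower()].add("outbound_connection")
    return {img: sorted(s) for img, s in stages.items() if len(s) >= 2}


if __name__ == "__main__":
    for image, hits in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {', '.join(hits)}")
```

Real Sysmon records use different field names (Image, TargetFilename, TargetObject, DestinationHostname), so the dictionaries above would need a small mapping layer before the rules run; the correlation key, the full path of the dropped executable, is what ties the FileCreate target to the later process image.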


Remediation steps

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Last edited: 29 June 2021 12:01 pm