By Asheer Malhotra.

• Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities.
• These maldocs use malicious macros to deliver a multistage and highly modular infection.
• This campaign appears to target military and government organizations in South Asia.
• Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What’s new?

Cisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with customized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that military and government organizations in South Asia were targeted by this attack.

How did it work?

The attack consists of a highly modular dropper executable we’re calling “IndigoDrop” dropped to a victim’s endpoint using maldocs. IndigoDrop is responsible for obtaining the final payload from a download URL for deployment. The final payloads currently observed by Talos are Cobalt Strike beacons.

In this post, we illustrate the core technical capabilities of the maldocs, IndigoDrop and the Cobalt strike beacons components including:

• The maldocs-based infection chain.
• IndigoDrop’s functionality.
• Communication mechanisms and infrastructure used to download infection artifacts.
• Detailed configurations of the Cobalt Strike beacons.
  

So what?

This attack demonstrates how the adversary operates a targeted attack that:

• Uses legitimate-looking lures to trick the target into infecting themselves.
• Employs a highly modular infection chain (implemented in the IndigoDrop) to instrument the final payload.
• Uses an existing offensive framework (Cobalt Strike) to establish control and persist in the target’s network without having to develop a bespoke remote access trojan (RAT).
  

Analysis of recently discovered attack-chain variations provides insights into the evolution of this threat. These evolutions indicate the changes in tactics and techniques of the attackers used to continue attacks while trying to bypass detections. This campaign also shows us that while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections for additional layers of security.

Analysis of maldocs

This attack uses two techniques to deliver malicious macros to be executed on the target’s endpoint:

• Malicious macros already embedded, ready to execute.
• Malicious macro downloaded as part of an externally linked template that is then injected into the original lure maldoc.
  

Maldoc lures

This attack consisted of maldocs masquerading as internal government or military documents. For example, some of the maldocs discovered by Talos masquerade as Incident Action Plan (IAP) documents dictating safeguard procedures for the IT infrastructure of the Indian Air Force (IAF).

These documents are aptly named:

• IAP39003.doc - Contains embedded malicious macro.
• IAP39031.docx - Uses template injection.
  

Sample content of the maldoc lures:

Fake document or weaponized copy?

Many targeted attacks employing maldocs observed by Talos usually consist of utmost a couple of pages of decoy content to make them look legitimate. The documents used in this attack, however, contain legitimate content (~64 pages, ~15k words), making them seem even more bonafide. Talos also found a benign copy of one of the maldocs indicating that it is highly likely that the attackers weaponized and distributed it to targets

(Benign copy hash: 0d16b15972d3d0f8a1481db4e2413a2c519e8ac49cd2bf3fca02cfa3ff0be532).

Malicious VBA Analysis

This section consists of an analysis of malicious macros used to carry out the attacks using:

• Locally embedded malicious macros and
• Malicious macros embedded in the injected templates downloaded from a remote location.
  

The malicious macros carry out the following malicious activities:

1. Parse a Windows executable’s hardcoded bytes into bytes that can be written to a file on disk.
   
2. The parsed bytes are written to an EXE file in the currently logged in user’s Startup directory: E.g.

%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anything.exe

1. Once the malicious EXE (second-stage payload — IndigoDrop ) has been written to the user’s Startup directory the macro quits execution without executing the actual second-stage payload.
   
2. The attack relies on the user either logging in again or restarting the system to activate the second-stage payload on the infected endpoint.
   
3. The second-stage payload in this attack is a custom dropper (IndigoDrop) that carries out a variety of tasks.
   

Malicious macro code:

Maldoc distribution

One of the maldocs disclosed here was referred to by a Bit.ly-shortened URL (created Jan. 23, 2020) — hxxp://bit[.]ly/iaf-guidelines — which redirects to hxxp://tecbeck[.]com/IAP39031[.]docx.

It is highly likely that the attackers hosted the maldocs on a public server and distributed the direct or Bit.ly links to the targets in the form of spear-phishing emails. This may be done to bypass detection systems that scan email attachments for malware.

Stage 2: Dropper binary — IndigoDrop

The second-stage binary dropped to disk by the maldocs is a malicious dropper/loader we’re calling “IndigoDrop” designed to download and activate a customized Cobalt Strike beacon (final payload DLL) from another remote location.

Before we delve into a detailed analysis, some of the key operational features of IndigoDrop are:

• Highly modular in nature: IndigoDrop usually consists of three hardcoded locations that can be used to download and activate the next payload.
• In this attack, IndigoDrop utilizes both attacker-operated remote locations and public data hosting platforms such as pastebin[.]com to host the next stage payloads.It is highly likely that this dropper may download the final payload from these remote locations (likely done in other variants of the attack).
• However this instance of the attack downloads a Metasploit shellcode from the hardcoded remote locations. We will refer to this Metasploit shellcode as Stage 2A in this post (detailed later-on).The Metasploit shellcode (Stage 2A) is hosted in the form of a Base64 encoded string on the download locations. This shellcode is base64 decoded, unhexlified and executed on the endpoint as part of IndigoDrop’s execution.
  

Base64-encoded Metasploit shellcode:

Base64-decoded Metasploit shellcode:

IndigoDrop analysis

This dropper performs the following actions on the endpoint:

• Establish persistence using the registry Run key for itself in location:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run | iexplorer = cmd /c <file_path_of_Dropper> /onboot -hide

E.g.

• Download and execute the Stage 2A Metasploit shellcode.
• Anti-Infection Checks: Check the current Username, Computername, parent folder name, MAC addresses, Public IP addresses against a list of blocked values. If any of the values match, IndigoDrop quits (Blocked values listed in the IOC section).
  

Stage 2A: Metasploit (MSF) downloader shellcode

The Metasploit shellcode is a modified reverse HTTP stager meant to download a malicious file from the specified download location. This shellcode (stage 2A) is usually hosted on a public hosting site such as pastebin[.]com.

The malicious file downloaded is usually a copy of a trojanized jquery[.]min.js file. The malicious jQuery file consists of:

• Legitimate JavaScript (JS) code at the top and end of the file.
• At a specific offset in the file is yet another shellcode (referred to as Stage 3A).
  

The Metasploit HTTP stager carries out the following actions in sequence:

1. Connect to the malicious attacker-controlled IP address.
2. Download the malicious jquery-3.3.0.min[.]js file to an executable memory location.
3. Jump to the malicious shellcode embedded in the jquery file and start executing Stage 3A.
   

Malicious jquery file:

Stage 2A Metasploit shellcode downloading the jQuery file to executable memory and jumping to the specified offset:

Stage 3A: Decoder shellcode

The malicious jQuery file contains the decoder shellcode (Stage 3A) and the final Cobalt Strike beacon DLL. The beacon DLL is, however, XOR-encoded. It is the responsibility of the decoder shellcode to decode and activate this final payload in the dropper process’ memory.

Decoder shellcode decoding the final RAT payload:

Stage 3B: Cobalt Strike beacon

The final RAT payload is actually a Cobalt Strike beacon. Once the beacon DLL has been decoded, the decoder shellcode (Stage 3A) jumps to the beginning of the MZ in memory instead of going to the DllEntryPoint. This is done to calculate and jump to the address to the loader routine (usually also an exported subroutine) that will carry out reflective-DLL-loading of the Cobalt Strike beacon DLL in the dropper process’ memory.

Code beginning at the beacon’s base image calculating and jump to address of the reflective loader (via call ebx):

After the loader routine has completed setting up the DLL in memory (re-building Imports, base relocations, etc.) it will then jump to the DllEntryPoint (or DllMain) of the beacon to activate the final and most important stage of the infection — the actual RAT components of the beacon.

Configurations used

Cobalt Strike beacons use configurations specified via “.profile” files in the framework. These configurations describe various characteristics of the malicious payload (beacon binary) including:

• C2 configuration
• Communication protocols
• Process injection techniques, etc.
  

The profiles used in this attack by the beacon binaries attempt to mimic a legitimate jquery request. The most common configurations used in this attack were:

• Beacon type = HTTP
• CnC URL resource location = /jquery-3.3.1.min.js
• HTTP Post location = /jquery-3.3.2.min.js
• User Agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
• HTTP Get Metadata =

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Host: code.jquery.com
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
__cfduid=

Cookie

• HTTP Post Metadata =

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Host: code.jquery.com
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
__cfduid

• Idle DNS IP = 74[.]125.196.113 (google[.]com)
• Spawn processes =

%windir%\syswow64\dllhost.exe
%windir%\sysnative\dllhost.exe

• Process injection configuration =

ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread

Capabilities

The Cobalt Strike beacons used in this attack support a wide variety of capabilities (also known as commands) including:

• Execution of arbitrary code in target processes via injection.
• Execution of arbitrary commands on the infected endpoint.
• Download and upload files.
• Impersonate users.
• Enumerate, copy, delete, timestomp files.
• Modify, query the Windows registry.
• Use of malleable jquery CnC profiles to impersonate legitimate traffic.
  

The overall infection chain is illustrated as follows:

Pastebin usage:

This attack utilizes pastebin[.]com extensively to host the Metasploit downloader shellcode (Stage 2A). The shellcode hosted on pastebin is either created through a guest account or owned by five registered accounts, specifically:

• hxxps://pastebin[.]com/u/r_ajeevshikra
• hxxps://pastebin[.]com/u/ra_jeevshikra
• hxxps://pastebin[.]com/u/raj_eevshikra
• hxxps://pastebin[.]com/u/raje_evshikra
• hxxps://pastebin[.]com/u/rajeev_shikra
  

Pastebin account operated by the attacker:

The base64-encoded Metasploit downloader shellcode (Stage 2A) hosted on Pastebin.

Python components

Talos also found Python-based modules related to this threat (pyinstaller EXEs). These modules may have been used in a different campaign or deployed by the Cobalt Strike beacons as part of this attack. Two python modules discovered served the following purposes:

• Gather initial system information and send it to the C2 server.
• Extract credentials from the infected system and print to console.
  

Sysinfo gathering capabilities of the Python modules:

Credentials stolen from the endpoint by the other python module were from:

• Google Chrome
• Microsoft Edge
• Opera
• Mozilla Firefox
• WiFi credentials
  

Credential-stealing module of the attack (snip):

Evolution of attacks

Talos discovered multiple variants of the attack instrumenting the Metasploit shellcode and ultimately activating the final payload (Cobalt Strike beacons).

This section shows the evolution of the attack and the introduction/modification of its features at different stages of the engineering process.

Apr. 2018: No droppers

This is the earliest discovered variant of the attack. The threat also begins with a maldoc containing a malicious macro. The payload dropped to disk is a “.crt” file. This file is decoded by the malicious macro using ‘certutil’ to obtain the next stage payload binary (EXE) which is then executed on the target endpoint.

The payload activated by the macro is not a dropper. This early variant of the attack does not utilize an intermediate dropper to download and activate the final beacon on the endpoint.

Instead, the binary decoded and executed on the endpoint by the malicious macro is just an SMB-based Cobalt Strike beacon. This SMB beacon continues to appear in maldocs created as late as September 2019.

May 2019: Cobalt Strike Macros

Around May 2019, the attackers tested the use of VBA macro based stagers generated by Cobalt Strike. This attack-chain consists of a maldoc with an embedded macro. The macro consists of code that can inject the hardcoded MSF downloader shellcode (Stage 2A) into a benign 32-bit process.

The macro code used to inject shellcode into rundll32.exe contacts the local team server 192[.]168.146.137/eKYS for infection tests:

Sept 2019: Test samples and embedded MSF shellcode

The attackers started experimenting with and testing custom droppers in September 2019 to include a new module — the next stage (Stage 2A) Metasploit downloader shellcode. The Metasploit downloader shellcode was embedded in the test samples and connected to a local IP address to download the third-stage payloads (Stages 3x). The dropper seen here is the earliest discovered instance of IndigoDrop.

Metasploit downloader connecting to a local IP in the dropper:

Sept. 2019: Productionized samples and embedded MSF shellcode

The attackers finalized their attack structure in September 2019 and started distributing copies of IndigoDrop. These droppers were based on earlier test samples (also built in September 2019) and similarly contained embedded MSF downloader shellcode. These droppers now connected to public IPs operated by the attackers to download the third-stage payloads.

September 2019: Python Downloaders; No MSF shellcode

Around the end of September 2019, the attackers started utilizing another infection tactic: The use of Python plus EXE-based downloaders/droppers.

These droppers were multi-staged where:

• The actual dropper was a malicious EXE file.
• This dropper would extract an embedded DLL and drop it to disk.
• The dropper then activates the DLL using rundll32.exe.
• The DLL is responsible for downloading and executing the third-stage payload from an attacker operated server.
• The DLL does this by executing minimal python code using the python27.dll library.
  

These droppers did not utilize the embedded MSF shellcode like their predecessors. Instead, the shellcode was hosted on an attacker-controlled and operated server.

Python code executed by the Python library in the downloader:

Decoded base64 Python code:

Oct. 2019: //Pastebin usage begins here

The attackers started using pastebin[.]com to host their MSF downloader shellcode (Stage 2A) in October 2019. The IndigoDrop samples built during this time period now also included the capabilities to persist another component of the infection (usually located at “%userprofile%\AppData\Local\Microsoft\svchost.exe” ) via registry and the Windows Startup folder:

IndigoDrop downloading the MSF shellcode from Pastebin:

Late October 2019 - Present: Multiple Pastebins and anti-Infection checks

Having realized the utility of Pastebin, the attackers upgraded their IndigoDrop implementations to use multiple Pastebins to download the MSF shellcode. The multiple pastes were meant to be backups of each other if any of them were removed. The attackers used a combination of Pastebins and attacker-operated download servers, as backups if the pastes were removed.

These IndigoDrop instances also introduced the Anti-Infection checks (detailed earlier) to the infection chain.

Base64-encoded Pastebin and attacker-downloaded URL in an IndigoDrop sample:

The evolution of attacks is illustrated here:

Conclusion

This investigation illustrates an attacker using multiple tools and techniques to implement their full attack chain. A variety of infection artifacts are utilized ranging from bespoke tools (IndigoDrop) to customizable adversarial tools (Cobalt Strike beacons). The attackers also use a combination of public and private servers to host their malicious payloads with a growing trend towards the sole usage of public servers.

The use of military-themed maldocs (lures) indicates that government and military organizations in South Asia may be the targets of this threat actor. The maldocs contain bonafide content and are most likely weaponized copies of benign documents known to peek the interests of their targets.

The attack variants discovered over time show us that the threat actor can evolve their TTPs in a short period of time. The earliest observable campaigns of this actor date back to April 2018 and continue to operate today along with the most recent evolutions of the attacks. Evidence of rapid ideation, testing and production of new and diversified modules and IndigoDrop iterations indicates highly motivated and agile adversaries. The use of adversarial frameworks like Cobalt Strike suggests that the attackers are looking to expand their malicious arsenal at a significant rate with self-authored and customizable artifacts.

Modern-day malware attack chains consist of multiple stages and operational entities. These artifacts and entities may be hosted locally or on remote servers. For example, this attack consists of multiple shellcodes hosted on remote locations downloaded by a local component (IndigoDrop) during runtime to instrument the attack chain. Thus, while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections.

Coverage

Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:

Indicators Of Compromise (IOCs)

The following IOCs are related to this threat.

Maldoc Hashes

7a5b645a6ea07f1420758515661051cff71cdb34d2df25de6a62ceb15896a1b6
b11dbaf0dd37dd4079bfdb0c6246e53bc75b25b3a260c380bb92fcaec30ec89b
aeb38a11ffc62ead9cdabba1e6aa5fce28502a361725f69586c70e16de70df2c
71c88a59b16dbcf7f061d01ea2015658136a8d4af60beb01caa94eeb74c733cd
ab209db9694a3b69427fc5857a8a47d0822db4d8372434fc091dfc3e85510719
4a6990be2d43f482fe2ab377b5e798da47ba7e02f23dfb6dba26b5011e222d25
7deeb35d7e88b769d286cc7892ee5966a27c39f03c8ac12dec21733faeffa350

Dropper Hashes

3bb90869523233cf965cf4a171d255c891c0179afd6d28198aa2af4e934f0055
570ef552b426f8337514ebdcb5935a132e5a8851a7252528c49d6d0d4aba34d9
059606e707a90333528043bdefbc7a55a27205aabed0ccd46c3966c2a53eea4e
1cda23e924ca606593a31ad54973266676c6540487a3baa29992c172d380bbd6
23091a9383704d22468f6e54babd57e64ced344900e5d3d693daf8bf609c997b
a2bf84f96f8d616ea248ac8f7bbb9d31b22920be4b3991982be0a88326303470
3cfbf274265860f176d6dbfad4df45a9c6953b71f9f439c87aeac36b38fde5b5
c31afceaef91380c658e4d77a78689cafb0f4179f3b251200e969195cbf4cf7b
1c3f185951b21d35f13b2a999a5d4d6b6db8f4b913e3b198fb2c86d4cd0b7781
852d4c98a786cb2b0fb10b4513163e3934b66e4d95a66de8ddcc6abc066dc61d
78ff0507cac9828fb94595d702cd2c22b8bec7a57c2159b78c924c0d0d5f8ccb
e40bdd8ff9e6432008afd54d6d526049ac6bd925dadc2b5a38f78c96df950d1a
cc0787025b297ed80e322d30b655d7c84c7c3a0d18c2089b4f545a03214b7557
e2db20377e8cc65c4cf262df15e47fc21b9a9f83fb7931d44b8d28c6b9ffc0f1
a319395e6cf01edb4c6ca879f36a11f4cf33b58657de379123851c63da6a3ef4
bec281baf1312fd059a315d5890ac3c959909047b3473103b069e5ca2ba2fdd1
e9b00f6f47eb70b35713bf7afd345a197f6d290afb8d2684afd8345edc086b29
c9ee415401566139237b14373f6a7a36013b6af693c729b9a5c21cc40e0ad5c6
f9a344c251dc391c5d12e8011185fe033b5ae902c5a866ccd8d8b49881b17151
3e196c77c006e299f26fb05df15644366433fceed73219e0ba6acef0b881531b
5a1a9a6bfc422bd547536e340725328cb04fd72587d83f7e06682abdeddb69a7
95bb65edc9e8e070680e0c85f72927a2bbb553f96fc1078d85e7df7a02c15165
365af2ddad27701d9d17a069b21dc95d39a2d2c5f78bea655db9123ff05fe086
b9c703dba1977fb34e9f6ac49ccdd0efb752ed010939d54f30f8d91358a9214d
7b0494937fd5a2bedf94999553d37e6049e45b935732a594e833078ed483a5ed
d6f62ce9696887693081373b87792fa53617f8412fa8e6b1a7de1a01070a9bae
d3f3df7cf1ece2519829ee75d29ca054e8233896b7fe50b41eaafda497ff0498
82155aaf86ba3555d5e809500c67da51e1586a6a97a9755870e22900c8790019
b3650199d6713d669992eebb3c4f05c80a97c470596170b5be16257b73785957
8f1abb122f35e66f20bd345323fb5eb8dbdbde785137c80c1e55fdaf525520bd
aa05a822f26a493efb27046f772790cc67cca29cd9f842b7bc6df2b391ce2ff8
59fd696f95182be1a51011caec172c5461ddacd556a43c329d939842cf7e7d7f

Python module EXEs

3aa06700a22808978744aa83d9e084c358517f60525c89236f142b7aa2ce0bef
85e69341f2fe9b97cf0bc81dc63917e62bb17072bcd20fc6125d241623e68660
3066e859109397180c63797c4b779633569ac0c88b54c7cf73752f7895f39629
4260de850b4003c9d4663afea00ba57ec02761f687dba1117ded0a8b20c6b5bb
a657bb83fe62e4b555d20463bf090f3349e55e1560507f2197a42c2c3f152667
ce438b0d30dd1c221e3c7ab99585acb4254deaf68bdfb8fc73eb206d8fd04771

Cobalt Strike Beacon Hashes

482858b70888acf67a5c2d30ddee61ca7b57ff856feaad9a2fa2b5d4bc0bbd7d
689f7d3f0def72248c4ff4b30da5022ec808a20e99b139e097c2a0d0ba5bab66
dbb5bba499e0ab07e545055d46acf3f78b5ed35fff83d9c88ce57c6455c02091
e37a0b4145f22ce7f7478918320c019a6014060cb033aafec18a8d130c4c426b
4b0c2f790c7b9c84517648bb36964c859629736dab1fa5466d91bd23f69c9b55
c2d9bbd5163a8e733483bf5d0d4959f053a2307d275b81eb38e69d87f1f5df7e
a0cfec815cb74a7671265fd5e0790a2a79c05fe0ef16d2d0c87584049d06658b

Malicious JQuery Files containing the beacons

1ea22d132c1d478347d7e4e72d79bae29f18df9bec5a3016a5a9971f702a8095
b9efca96d451c0b4028b6081456c1ddd3035ab39e6a60bdd831bcf4a472a31ae
b081b818e5fbd5d2741822c9e161e536a8497764fab5ac79143614bbce8308f6
d2fd448a386416fdad0059be1bb61f49e99fc76e7efbd5f5e377dbbf6e7e3599
bdbc9dc2f2812a9808357aafe908e7206c9168bc7fea761dec871926de23eec0

Maldoc distribution URLs

hxxp://bit[.]ly/iaf-guidelines
hxxp://tecbeck[.]com/IAP39031[.]docx
hxxp://bitly[.]com/38A5BEO

Cobalt Strike beacon CnC URLs

hxxp://134[.]209.196.51/jquery-3.3.1.min.js
hxxp://134[.]209.196.51/jquery-3.3.2.min.js
hxxp://139[.]59.1.154/ca
hxxp://139[.]59.1.154/submit.php
hxxp://139[.]59.79.105/jquery-3.3.1.min.js
hxxp://139[.]59.79.105/jquery-3.3.2.min.js
hxxp://188[.]166.14.73/jquery-3.3.1.min.js
hxxp://188[.]166.14.73/jquery-3.3.2.min.js

IP Addresses

134[.]209.196.51
134[.]209.200.91
139[.]59.1.154
139[.]59.79.105
139[.]59.81.167
157[.]245.78.153
165[.]22.201.190
178[.]62.210.85
188[.]166.14.73
188[.]166.25.156
202[.]59.79.131

MSF shellcode URLs

hxxp://139[.]59.1.154:8201/cmelkmkl.txt
hxxp://157[.]245.78.153/11.txt
hxxp://157[.]245.78.153/12.txt
hxxp://157[.]245.78.153/21.txt
hxxp://157[.]245.78.153/22.txt
hxxp://157[.]245.78.153/31.txt
hxxp://157[.]245.78.153/32.txt
hxxp://157[.]245.78.153/41.txt
hxxp://157[.]245.78.153/42.txt
hxxp://157[.]245.78.153/51.txt
hxxp://157[.]245.78.153/52.txt
hxxp://202[.]59.79.131/7XyT
hxxp://202[.]59.79.131/o2Q7NGUwpFfDzcLMnkuMyAy-IGt8KERPl-6lrRhxcbPJkZwAr33
hxxp://202[.]59.79.131:8080/8g-QvDrvM4hSI0c3D6iC8Aib6wZbs

jQuery/Decoder shellcode URLs

hxxp://134[.]209.196.51/jquery-3.3.0.min.js
hxxp://134[.]209.200.91/jquery-3.3.0.min.js
hxxp://139[.]59.1.154/ToKN
hxxp://139[.]59.79.105/jquery-3.3.0.min.js
hxxp://139[.]59.81.167/jquery-3.3.0.min.js
hxxp://165[.]22.201.190/jquery-3.3.0.min.js
hxxp://188[.]166.14.73/jquery-3.3.0.min.js
hxxp://188[.]166.25.156/jquery-3.3.0.min.js
hxxp://202[.]59.79.131/YZn_pcfLiUILewp6Vuku9gvUqfMFnPLBP5Aju9QS709n4zRAd-3e4IuPF5kv0uhXSAiJqurq5yPJ-B9zSZ5rHig07RcWcQPIPD04YZhq1JCGWwYI-AfFFHI0qj4LRDhsuaBdQEihGmxzZ8obxUbv5RUfaxm7XwOkWJK8D9xK5gibPGGBiNs41hYB0Kar325FCcCJAIFIzWOw9WLOt6EfrWaEO69aHp

MSF shellcode Pastebin URLs

hxxps://pastebin[.]com/raw/zT57Pkzj
hxxps://pastebin[.]com/raw/kf3y5uzt
hxxps://pastebin[.]com/raw/ftfSHyPz
hxxps://pastebin[.]com/raw/hAKzruWe
hxxps://hastebin[.]com/raw/ufaxamogav
hxxps://pastebin[.]com/raw/KzmUrrnB
hxxps://pastebin[.]com/raw/aMfFtqjq
hxxps://pastebin[.]com/raw/Q6bMcduX
hxxps://pastebin[.]com/raw/7VmV7jXA
hxxps://pastebin[.]com/raw/8E8YCryu
hxxps://pastebin[.]com/raw/1tKX0v5U
hxxps://pastebin[.]com/raw/kpn2k1jc
hxxps://pastebin[.]com/raw/xiV89Xa9
hxxps://pastebin[.]com/raw/ZMTjGJUn
hxxps://pastebin[.]com/raw/CRuQvJk1
hxxps://pastebin[.]com/raw/zbL0w8sm
hxxps://pastebin[.]com/raw/yP7eQKsv
hxxps://pastebin[.]com/raw/1Q7jYDmz
hxxps://pastebin[.]com/raw/vc8TUZPN
hxxps://pastebin[.]com/raw/R0HzuGWE
hxxps://pastebin[.]com/raw/ehQyY1YX
hxxps://pastebin[.]com/raw/LRztjgkq
hxxps://pastebin[.]com/raw/QyDZhfer
hxxps://pastebin[.]com/raw/MQUG0Q07
hxxps://pastebin[.]com/raw/LtVteHbz
hxxps://pastebin[.]com/raw/k2PQZqzF
hxxps://pastebin[.]com/raw/azzHZ11B
hxxps://pastebin[.]com/raw/4u1ScSn7
hxxps://pastebin[.]com/raw/5tSnVWcn
hxxps://pastebin[.]com/raw/a0kPq7bq
hxxps://pastebin[.]com/raw/cK8nhTYw
hxxps://pastebin[.]com/raw/p34D4vbL
hxxps://pastebin[.]com/raw/YVvG43bi
hxxps://pastebin[.]com/raw/iyKjw7jR
hxxps://pastebin[.]com/raw/0hAzfmrR
hxxps://pastebin[.]com/raw/aGSg1f3Y
hxxps://pastebin[.]com/raw/i5JkU138
hxxps://pastebin[.]com/raw/LQjs18Cy
hxxps://pastebin[.]com/raw/rHeWv7t0
hxxps://pastebin[.]com/raw/bqL6CSp3
hxxps://pastebin[.]com/raw/WJFvRHXv

IndigoDrop’s anti-infection checks

Usernames blocked

admin
8a3YwFo8xYlc
iBqxaDRj5T
dPNNfpR
fnIcszErnay
y9NzUJ
0sNBuzz63Nl8
ZJsji0QShXfiM
3ALPeOppOKOEk
C4EZdigYE64r
0M7vKY
6oVAnp
A0T6Z0j1NFrrQ
Johnson
Olivia
Vh2ij
5Li9Ls
yMBCh9wwy
FWpuxsyMQZZNW
Admin
Lisa
QYbRCr
TyLbns
H0USlDC58dVLE
RmJCA
Administrator_

Computer names blocked

user-pc
8a3YwFo8xYlc-PC
iBqxaDRj5T-PC
dPNNfpR-PC
fnIcszErnay-PC
y9NzUJ-PC
0sNBuzz63Nl8-PC
AVN671124898447
GXKKQO724201067
art-PC
C4EZdigYE64r-PC
0M7vKY-PC
6oVAnp-PC
TFT153265618011
AXWF10479288957
Johnson-PC
Desktop-HRW10
Vh2ij-PC
5Li9Ls-PC
yMBCh9wwy-PC
PGHFTIGN5920348
CPCTBGSA2018901
ADMINIS-HJ9SRP3
Lisa-PC
QYbRCr-PC
TyLbns-PC
SESW54921970303
RmJCA-PC

Immediate parent folder names blocked

Downloads
mydownload
Desktop
system32
Temp

MAC addresses blocked

00[:]07:e9:e4:ce:4d
60[:]02:92:e5:2f:30
60[:]02:92:77:fc:94
52[:]54:00:12:34:56
08[:]00:27:55:12:e3
60[:]02:92:89:76:36
00[:]00:00:00:00:00:00:e0

IP Addresses blocked

51[.]68.93.185
79[.]104.209.156
89[.]208.29.214
95[.]25.130.162
51[.]15.76.60
62[.]102.148.68
207[.]102.138.40
51[.]83.15.56
109[.]70.100.24
109[.]70.100.29
128[.]90.148.185
78[.]142.19.43
46[.]165.254.166
221[.]191.21.11
153[.]201.39.205
92[.]211.106.185
51[.]68.91.152
89[.]208.29.215
185[.]220.101.35
95[.]26.100.11