Full Report: Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan (SEQRITE Labs APT Team; first published on Blogs on Information Technology, Network & Cybersecurity | Seqrite)

Contents: Introduction; Key Targets; Industries Affected; Geographical Focus; Infection Chain; Initial Findings; Looking into the Decoy Document; Technical Analysis; Stage 1 – Malicious ISO File; Stage 2 – Malicious LNK File; Stage 3 – Final Payload: FALSECUB; Infrastructure & Attribution; Conclusion; SEQRITE Protection; IOCs; MITRE ATT&CK; Authors

Introduction: The SEQRITE Labs APT Team has been analyzing […]
Analysis Summary
# Threat Actor: Nomad Leopard
## Attribution & Identity
The actor is a group tracked by the SEQRITE Labs APT Team under the campaign name **Nomad Leopard**; the report does not tie it to an established threat actor name (such as APT33 or Lazarus). The analysis assesses the actor as not highly sophisticated, but it holds a varied stock of government-themed lure documents ready for future campaigns.
## Activity Summary
The group was tracked conducting "Operation Nomad Leopard," a targeted spear-phishing campaign against **Afghan government employees**. The lures mimic official governmental documents, and the malware is delivered from a legitimate platform (a GitHub repository reached through a shortened link) rather than from actor-owned infrastructure, so the initial download blends in with ordinary web traffic.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing Attachment (T1566.001), relying on the victim opening the ISO and the shortcut inside it (User Execution: Malicious File, T1204.002).
- **Defense Evasion:** ISO container files to defeat Mark-of-the-Web (Subvert Trust Controls: Mark-of-the-Web Bypass, T1553.005). Windows attaches the MOTW `Zone.Identifier` stream to the downloaded ISO itself; on builds that do not propagate it into mounted images, the files inside open as local, untagged files and skip SmartScreen and Protected View prompts. The final payload is additionally disguised as an image file (`img.jpg`).
- **Execution:** A malicious LNK file inside the ISO launches the payload through the Windows Command Shell (T1059.003).
- **Discovery:** System Information Discovery (T1082), System Owner/User Discovery (T1033), File and Directory Discovery (T1083), and enumeration of local disks. (The source maps the disk enumeration to T1086, but that ID is the retired PowerShell technique, not a discovery technique; disk enumeration falls under T1082.)
- **Command and Control (C2):** Web Protocols (T1071.001) over an Encrypted Channel (T1573).
- **Exfiltration:** Exfiltration Over C2 Channel (T1041) and Automated Exfiltration (T1020).
- **Impact:** Data Destruction (T1485).
- **Persistence:** Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), listed in the report's TTP table but not detailed in its narrative.
- **Indicator Removal:** File Deletion (T1070.004).
## Targeting
- **Sectors:** Government Sector Organizations.
- **Geography:** Afghanistan. The article notes this campaign specifically targeted Afghan ministries and administrative offices, but suggests the actor "may be targeting other countries as well."
- **Victims:** Government officials within ministries and administrative offices of the Islamic Emirate of Afghanistan.
## Tools & Infrastructure
- **Malware Families Used:** The final payload is named **FALSECUB** (a C++ executable).
- **Infrastructure:**
- Initial distribution used files hosted on **GitHub**.
- File distribution link shortened via **TinyURL**.
- C2/hosting domain observed: `theepad0loc93x[.]ddns[.]net` (a dynamic DNS hostname).
- IP addresses observed: `104[.]18[.]38[.]233`, `207[.]244[.]230[.]94`. Note that 104.18.38.233 lies in Cloudflare's 104.16.0.0/13 anycast range, consistent with the Cloudflare-fronted TinyURL step in the chain, so blocking it would also hit unrelated Cloudflare-served sites; treat it as context and use the domain and the GitHub URL as the actionable indicators.
- Staging URL observed: `hxxps://raw.githubusercontent[.]com/afghanking777000/-/refs/heads/main/Afghanistan%20Islami%20Emirates.iso`
## Implications
The campaign demonstrates a targeted approach against government entities using culturally and professionally relevant lures (documents written in Pashto with official formatting, referencing the Prime Minister's Office). The actor employs a multi-stage infection chain utilizing ISO files to bypass common security mechanisms. The inclusion of Data Destruction in the TTP profile suggests a potential disruptive or destructive intent beyond simple espionage.
## Mitigations
Specific advice based on the infection chain:
1. Treat ISO, IMG and VHD attachments, and links that resolve to them, as executable content at the mail gateway: quarantine or strip them, and alert on users fetching disk images through link shorteners or raw GitHub URLs.
2. Inspect LNK files found inside archives and disk images before they reach the user. A shortcut whose target is `cmd.exe` or another interpreter, or whose arguments reference a file that does not look executable, is a strong signal; block execution of shortcuts from mounted or removable drives where the business does not need it.
3. Verify on your patched Windows builds that files inside a downloaded ISO still carry the `Zone.Identifier` stream once the image is mounted. Where they do not, consider removing the default mount association for the `Windows.IsoFile` file type so that double-clicking an ISO no longer mounts it.
4. Detect executables masquerading as images: compare the file's magic bytes (an `MZ` header) with its extension at the endpoint and in the sandbox, and alert on `explorer.exe` spawning `cmd.exe` with a working directory on a newly mounted drive letter.
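As an added example (not code from the SEQRITE report), the following Python implements the static checks behind mitigations 2 and 4: it parses the StringData section of a Windows Shell Link (.lnk) file according to the MS-SHLLINK layout, flags shortcuts that launch a command interpreter or reference an image-named file, and checks whether a file with an image extension actually carries a PE header. The sample shortcut and the `img.jpg` bytes are constructed inside the script for illustration; the command line `/c start "" img.jpg` is a hypothetical stand-in, not the contents of the campaign's real LNK.

```python
"""Static triage for an ISO -> LNK -> disguised-payload chain.

Added example: parses the StringData of a Windows Shell Link (.lnk) per
MS-SHLLINK and checks whether an 'image' file is really a PE executable.
"""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections exist.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} as stored on disk (mixed-endian GUID).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (name, relative_path, working_dir, ...)."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the variable-length IDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo; its first u32 is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:             # each field: u16 char count + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def build_lnk(relative_path="", working_dir="", arguments="") -> bytes:
    """Assemble a minimal Unicode .lnk (header + StringData only) as a test fixture.
    This is a constructed sample builder, not a general-purpose shortcut writer."""
    flags = IS_UNICODE
    body = b""
    for flag, value in ((HAS_RELATIVE_PATH, relative_path),
                        (HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0x20)    # LinkFlags, FileAttributes (FILE_ATTRIBUTE_ARCHIVE)
    header += b"\x00" * 24                       # Creation/Access/Write FILETIMEs (unset)
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    return header + body


def is_pe(data: bytes) -> bool:
    """True if data has an 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_lnk(fields: dict) -> list:
    """Heuristics for a shortcut dropped from an ISO: interpreter target, image-named payload."""
    findings = []
    if fields.get("relative_path", "").lower().endswith(INTERPRETERS):
        findings.append("target is a command interpreter: " + fields["relative_path"])
    for token in fields.get("arguments", "").replace('"', "").lower().split():
        if token.endswith(IMAGE_EXTENSIONS):
            findings.append("arguments reference an image-named file: " + token)
    return findings


def triage_container(lnk_bytes: bytes, files: dict) -> list:
    """Triage a mounted/extracted image: the shortcut plus a name -> bytes map of its other files."""
    findings = triage_lnk(parse_lnk(lnk_bytes))
    for name, blob in files.items():
        if name.lower().endswith(IMAGE_EXTENSIONS) and is_pe(blob):
            findings.append("PE executable with image extension: " + name)
    return findings


# Constructed fixtures (hypothetical, not the campaign's real artefacts): a shortcut that
# runs cmd.exe against an image-named file, and an 'img.jpg' that is really a PE stub.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\Windows\\System32\\cmd.exe",
    working_dir="%SystemRoot%\\System32",
    arguments='/c start "" img.jpg',
)
SAMPLE_FILES = {
    "img.jpg": b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,   # genuine JPEG SOI marker, not flagged
}

if __name__ == "__main__":
    for finding in triage_container(SAMPLE_LNK, SAMPLE_FILES):
        print("[!]", finding)
```

The parser deliberately stops after StringData and ignores the trailing ExtraData blocks; for triage the target, working directory and arguments are what matter, and skipping the IDList and LinkInfo by their own size fields keeps the offsets correct for shortcuts that carry them. Run it against files extracted from a quarantined ISO rather than against a mounted image on an analyst workstation, so nothing is double-clicked along the way.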