| Field | Value |
|---|---|
| Names | Cold River (Lastline), Nahr el bared (original place), Nahr Elbard (transliteration), Cobalt Edgewater (SecureWorks) |
| Country | [Unknown] |
| Motivation | Information theft and espionage |
| First seen | 2019 |
| Description | (Lastline) While reviewing some network anomalies, we recently uncovered Cold River, a sophisticated threat actor making malicious use of DNS tunneling for command and control activities. We have been able to decode the raw traffic in command and control, find sophisticated lure documents used in the campaign, connect other previously unknown samples, and associate a number of legitimate organizations whose infrastructure is referenced and used in the campaign. The campaign targets Middle Eastern organizations, largely from Lebanon and the United Arab Emirates, though Indian and Canadian companies with interests in those Middle Eastern countries are also targeted. There are new TTPs used in this attack – for example, Agent_Drable is leveraging the Django Python framework for command and control infrastructure, the technical details of which are outlined later in the blog. |
| Observed | Countries: Canada, India, Lebanon, UAE and the Middle East. |
| Tools used | DNSpionage. |
| Information | <https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/> |
Last change to this card: 07 January 2021
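The description above names DNS tunneling for command and control as this actor's defining technique. As an added example that is not part of the ThaiCERT card or the Lastline report, the Python below profiles resolver query logs per zone and flags zones whose subdomains look like encoded payload rather than hostnames (many unique subdomains, long labels, high character entropy, data-carrying record types). The log line format, the thresholds and the zone `c2-placeholder.test` are assumptions made for this illustration, not indicators taken from the report.

```python
"""Heuristic detection of DNS tunneling over resolver query logs.

Added example, not code from Lastline or the ThaiCERT card. The log format
("<timestamp> <client> <qtype> <qname>", one query per line) and the zone
"c2-placeholder.test" are assumptions made for this illustration.
"""
import math
from collections import defaultdict

# Record types that can carry arbitrary data back to the client; tunnels lean on them.
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}

# Constructed sample log. The .test TLD is reserved, so the tunnel zone is a
# placeholder and the hex labels are made up, not captured traffic.
SAMPLE_LOG = """\
2019-11-05T10:00:01Z 10.0.0.5 A www.example.com
2019-11-05T10:00:02Z 10.0.0.5 A mail.example.com
2019-11-05T10:00:03Z 10.0.0.5 AAAA www.example.com
2019-11-05T10:00:04Z 10.0.0.7 TXT 7a3f9c1e4b2d8f0a6c5e1b9d.c2-placeholder.test
2019-11-05T10:00:05Z 10.0.0.7 TXT 0d4e8b2a6f1c3e7b5a9d2f8c.c2-placeholder.test
2019-11-05T10:00:06Z 10.0.0.7 TXT e5c1a9f3b7d2048c6e1f3a5b.c2-placeholder.test
2019-11-05T10:00:07Z 10.0.0.7 TXT 9b2d6f0a4c8e1d3b7f5a2c9e.c2-placeholder.test
2019-11-05T10:00:08Z 10.0.0.7 TXT 3f7a1c5e9b0d2f4a8c6e1b3d.c2-placeholder.test
2019-11-05T10:00:09Z 10.0.0.7 TXT c8e2a6d0f4b1e3a7c5d9f2b6.c2-placeholder.test
2019-11-05T10:00:10Z 10.0.0.9 A cdn.example.net
2019-11-05T10:00:11Z 10.0.0.9 A static.example.net
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname, zone_labels=2):
    """Split a query name into (subdomain, zone), treating the last
    `zone_labels` labels as the zone. Public-suffix handling is omitted."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def profile_zones(log_text):
    """Aggregate per-zone statistics over every query line."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_total": 0, "entropy_total": 0.0,
                                 "data_qtype": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        sub, zone = split_zone(qname)
        payload = sub.replace(".", "")  # tunnels may spread payload across labels
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["len_total"] += len(payload)
        z["entropy_total"] += shannon_entropy(payload)
        if qtype.upper() in DATA_QTYPES:
            z["data_qtype"] += 1
    return zones


def score_zones(zones, min_unique=5, min_mean_len=16, min_entropy=3.0):
    """Return {zone: metrics} with a 'flagged' verdict per zone.
    Thresholds are illustrative starting points, not tuned values."""
    report = {}
    for zone, z in zones.items():
        q = z["queries"]
        m = {
            "queries": q,
            "unique_subdomains": len(z["subdomains"]),
            "mean_payload_len": z["len_total"] / q,
            "mean_entropy": z["entropy_total"] / q,
            "data_qtype_ratio": z["data_qtype"] / q,
        }
        m["flagged"] = (m["unique_subdomains"] >= min_unique
                        and m["mean_payload_len"] >= min_mean_len
                        and m["mean_entropy"] >= min_entropy)
        report[zone] = m
    return report


def flagged_zones(log_text):
    """Sorted list of zones the heuristic flags for the given log text."""
    report = score_zones(profile_zones(log_text))
    return sorted(zone for zone, m in report.items() if m["flagged"])


if __name__ == "__main__":
    for zone, m in score_zones(profile_zones(SAMPLE_LOG)).items():
        print(f"{zone:22} q={m['queries']:2} uniq={m['unique_subdomains']:2} "
              f"len={m['mean_payload_len']:5.1f} H={m['mean_entropy']:.2f} "
              f"data={m['data_qtype_ratio']:.2f} flagged={m['flagged']}")
```

Run it as a script to print the per-zone profile; on the constructed log only `c2-placeholder.test` is flagged. Legitimate services (CDNs, reputation lookups, some anti-malware clients) also emit many unique, high-entropy subdomains, so pair the heuristic with a zone allowlist and with the infrastructure named in the Lastline report rather than alerting on the score alone, and tune the thresholds against a baseline of your own resolver traffic.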
Thailand Computer Emergency Response Team (ThaiCERT)