Researchers have uncovered a massive, tangled web of infrastructure being used to enable a wide range of cyberattacks.
Three separate threat groups are all using a common initial access broker (IAB) to enable their cyberattacks, according to researchers, a finding that has revealed a tangled web of shared attack infrastructure underpinning disparate (and in some cases rival) malware campaigns.
The BlackBerry Research & Intelligence Team has found that the ransomware groups known as MountLocker and Phobos, as well as the StrongPity advanced persistent threat (APT), have all partnered with an IAB threat actor that BlackBerry has dubbed Zebra2104.
IABs compromise the networks of various organizations via exploitation, credential-stuffing, phishing or other means, then establish persistent backdoors to maintain access. They then sell that access to the highest bidder on various Dark Web forums. These “customers” use the access to carry out follow-on attacks, such as espionage campaigns, botnet infections or ransomware hits. According to BlackBerry, the price for this access ranges from as little as $25 to hundreds of dollars for entry into large enterprises.
“This discovery presented a good opportunity for us to understand the attribution of IABs,” the firm noted in a posting on Friday. “Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups form partnerships and share resources to further enrich their nefarious plans.”
Interwoven Infrastructure Serves Up Cobalt Strike
The first hint of Zebra2104’s existence came when BlackBerry researchers noticed a single web domain (trashborting[.]com) serving Cobalt Strike beacons. Beacons are capable of executing PowerShell scripts, logging keystrokes, taking screenshots, downloading files and spawning other payloads.
The trashborting[.]com domain had been registered in July 2020 with a ProtonMail email address (ivan.odencov1985[at]protonmail[.]com), which was also used to register two more sister domains on the same day. One of these, supercombinating[.]com, was listed in March by Sophos as an indicator of compromise (IoC) for the MountLocker ransomware-as-a-service group.
MountLocker, which has been around since July 2020, typically leverages Cobalt Strike beacons both to move laterally and to propagate ransomware within a victim’s network. Sophos researchers had observed supercombinating[.]com being used as the Cobalt Strike server for one of the group’s campaigns.
BlackBerry researchers then became aware of links to the StrongPity APT, which has been around since 2012, using watering-hole attacks (and a combination of imitation websites and redirects) to deliver trojanized versions of various commonly used utilities, such as WinRAR, Internet Download Manager and CCleaner.
“We found that supercombinating[.]com had also resolved to the IP address 91.92.109[.]174, which itself had hosted the domain mentiononecommon[.]com,” BlackBerry researchers said. “In June of 2020, Cisco’s Talos Intelligence reported mentiononecommon[.]com as a StrongPity C2 server. The domain also served a few files related to StrongPity, one of which was [a] trojanized version of the Internet Download Manager utility.”
But that wasn’t all: a link to the Phobos ransomware also presented itself, in the form of a tweet from The DFIR Report naming supercombinating[.]com as the server in a recent Phobos campaign, a finding that BlackBerry confirmed. Phobos typically goes after small-to-medium-sized businesses across a wide variety of industries, with its average ransom payment received being around $54,000 in July, analysts noted.
This is what it looks like when actors go hands-on-keyboard for ransomware attacks.
Also related: challparty[.]com https://t.co/WVfKsQYddg
— Paul Melson (@pmelson) August 2, 2020
Also of note: The researchers were also able to link trashborting[.]com to a malicious spam infrastructure previously documented by Microsoft. It has been involved in Emotet and Dridex campaigns, as well as a September 2020 phishing campaign that targeted Australian entities in both the governmental and private sector.
Related Threat Groups or Supply-Chain Evidence?
The use of a common infrastructure to support so many disparate activities raised questions for the BlackBerry team, starting with the rival ransomware offerings.
“Were MountLocker and Phobos potentially linked? Were two different ransomware groups operating from the same infrastructure?” researchers wondered. “This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it.”
In the case of StrongPity, which specializes in espionage and is likely nation-state backed, the motives do not align with those of opportunistic, financially motivated ransomware gangs, adding more head-scratching to the proceedings.
“With three seemingly unrelated threat groups using and sharing overlapping infrastructure, we asked ourselves the question, What is the most plausible explanation for these peculiar links?” researchers said. “We concluded that this was not the work of the three groups together, but of a fourth player: an IAB we dubbed Zebra2104, which provided the initial access into victim environments.”
In support of this theory, BlackBerry noted that all of the interrelated domains resolved to IPs that were provided by the same Bulgarian Autonomous System Number (ASN), which belongs to Neterra Ltd.
“Neterra is not known to be a bulletproof hosting provider; it’s more likely that it is being abused to facilitate this malicious activity,” according to the report. “The fact that all these IPs are on the same ASN helps us bind together the theory that this is in fact all the work of one threat group, underpinning the operation of the groups it sells its access to.”
Booming Market for Initial Access
It is likely that Zebra2104 props up many more cyberattack groups than those covered in this initial investigation, especially since pulling on more threads of the infrastructure revealed a tangled and widespread apparatus.
For instance, two new domains registered in July (ticket-one-two[.]com and booking-sales[.]com) were found to resolve to the same IP address as trashborting[.]com (87.120.37[.]120). Further inspection showed that booking-sales[.]com had served “one item of note,” according to BlackBerry: a small, 13KB portable executable (PE) file that proved to be a shellcode loader. This loader turned out to be loading a Cobalt Strike DNS stager, which is used to download a Cobalt Strike beacon via DNS TXT records.
In June, Proofpoint reported that at least 10 threat actors are offering initial-access services on the main Dark Web forums, using malicious email links and attachments to implant trojans like TrickBot to establish backdoors. About 20 percent of the malware found in the first half of 2021 infiltrated networks this way, Proofpoint found.
The trend is not going anywhere, and should be expected to swell going into the new year, BlackBerry warned.
“As we delved into and peeled off each overlapping layer throughout our investigation, it seemed at times that we were merely scratching the surface of these kinds of collaborations,” researchers concluded. “There is certainly a veritable cornucopia of threat groups working in cahoots…If anything, it is safe to assume that these threat group ‘business partnerships’ are going to become even more commonplace in future.”
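The pivoting described above (shared registrant email, shared resolving IP, shared ASN) can be reproduced mechanically. The following is an added example, not BlackBerry's tooling: it builds a pivot graph from the indicators reported in this article (the record layout, function names and the decision to treat the ASN only as corroboration rather than as a link are assumptions) and explains each link as a chain of pivots.

```python
from collections import defaultdict, deque
# Observations as reported in the article; the triple layout is an assumption.
OBSERVATIONS = [
    ("trashborting[.]com", "registrant", "ivan.odencov1985[at]protonmail[.]com"),
    ("supercombinating[.]com", "registrant", "ivan.odencov1985[at]protonmail[.]com"),
    ("supercombinating[.]com", "resolves_to", "91.92.109[.]174"),
    ("mentiononecommon[.]com", "resolves_to", "91.92.109[.]174"),
    ("trashborting[.]com", "resolves_to", "87.120.37[.]120"),
    ("booking-sales[.]com", "resolves_to", "87.120.37[.]120"),
    ("91.92.109[.]174", "asn", "Neterra Ltd"),   # article: all IPs on Neterra's ASN
    ("87.120.37[.]120", "asn", "Neterra Ltd"),
]
# Public reporting cited in the article that ties an indicator to a group.
ATTRIBUTION = {
    "supercombinating[.]com": {"MountLocker", "Phobos"},
    "mentiononecommon[.]com": {"StrongPity"},
}
# A shared ASN is too coarse to link on its own: kept out of pivots, used as corroboration.
STRONG_PIVOTS = {"registrant", "resolves_to"}

def build_graph(observations, relations=STRONG_PIVOTS):
    graph = defaultdict(set)
    for a, rel, b in observations:
        if rel in relations:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def pivot_path(graph, start, goal):
    """Shortest chain of pivots (BFS) explaining why two indicators are linked."""
    seen, queue = {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in graph.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def cluster_report(observations, attribution, indicator):
    """Indicators reachable from `indicator`, groups tied to them, ASNs of cluster IPs."""
    graph = build_graph(observations)
    cluster = {n for n in graph if pivot_path(graph, indicator, n)}
    groups = set().union(*(attribution.get(n, set()) for n in cluster))
    asns = {b for a, rel, b in observations if rel == "asn" and a in cluster}
    return cluster, groups, asns
```

Running `cluster_report(OBSERVATIONS, ATTRIBUTION, "trashborting[.]com")` lands all three groups in one cluster, with every IP in the cluster on the same ASN as the article states.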
Some parts of this article are sourced from:
threatpost.com