Three separate threat groups are all using a common initial access broker (IAB) to enable their cyberattacks, according to researchers – a finding that has revealed a tangled web of related attack infrastructure underpinning disparate (and in some cases rival) malware campaigns.

The BlackBerry Research & Intelligence Team has found that the ransomware groups known as MountLocker and Phobos, as well as the StrongPity advanced persistent threat (APT), have all partnered with an IAB threat actor that BlackBerry has dubbed Zebra2104.

IABs compromise the networks of various organizations through exploitation, credential-stuffing, phishing or other means, then establish persistent backdoors to maintain access. Then, they sell that access to the highest bidder on various Dark Web forums. These “customers” will then use that access to carry out follow-on attacks, such as espionage campaigns, botnet infections or ransomware hits. According to BlackBerry, the price for such access ranges from as little as $25 to thousands of dollars to enter large corporations.

“This discovery presented a great opportunity for us to understand the attribution of IABs,” the firm noted in a posting on Friday. “Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”

Interwoven Infrastructure Serves Up Cobalt Strike

The first hint of Zebra2104’s existence came when BlackBerry researchers observed a single web domain (trashbortingcom) serving Cobalt Strike beacons. Beacons are capable of executing PowerShell scripts, logging keystrokes, taking screenshots, downloading files and spawning other payloads.

The domain had been registered in July 2020 with a ProtonMail email address (ivan.odencov1985protonmailcom), which was also used to register two additional sister domains on the same date. One of these, supercombinatingcom, was listed in March by Sophos as an indicator of compromise (IOC) for the MountLocker ransomware-as-a-service group.

MountLocker, which has been around since July 2020, typically leverages Cobalt Strike beacons to both spread laterally and propagate ransomware within a victim’s network. Sophos researchers had observed supercombinatingcom as being used as the Cobalt Strike server for one of the group’s campaigns.

BlackBerry researchers then became aware of links to the StrongPity APT, which has been around since 2012, using watering-hole attacks (and employing a combination of imitation websites and redirects) to deliver trojanized versions of various commonly used utilities, like WinRAR, Internet Download Manager and CCleaner.

“We noticed that supercombinatingcom had also resolved to the IP address 74, which itself had hosted the domain mentiononecommoncom,” BlackBerry researchers explained. “In June of 2020, Cisco’s Talos Intelligence reported mentiononecommoncom as a StrongPity C2 server. The domain also served three files related to StrongPity, one of which was a trojanized version of the Internet Download Manager utility.”

But that wasn’t all – a link to the Phobos ransomware also presented itself, in the form of a tweet from The DFIR Report naming supercombinatingcom as the server in a recent Phobos campaign – a finding that BlackBerry confirmed.
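The pivoting described above (registrant e-mail to sister domains, then shared hosting IP to a further domain) is a graph-clustering problem. The following is an added example, not BlackBerry's tooling: it unions domains, e-mails and IPs from small constructed WHOIS and passive-DNS records and then reports which separately reported campaigns fall into one infrastructure cluster. The IP 198.51.100.7, the domain unrelated-example.test and its records are placeholders, since the article truncates the real IP.

```python
"""Infrastructure correlation over shared registrant e-mails and IPs.
Added example, not BlackBerry's tooling; records are constructed from the
article's relationships. 198.51.100.7 stands in for the IP the article
truncates to "74"; unrelated-example.test is invented."""
from collections import defaultdict

# Constructed WHOIS records: (domain, registrant e-mail)
WHOIS = [
    ("trashbortingcom", "ivan.odencov1985protonmailcom"),
    ("supercombinatingcom", "ivan.odencov1985protonmailcom"),
    ("unrelated-example.test", "someone-else@example.test"),
]
# Constructed passive-DNS records: (domain, IP)
PDNS = [
    ("supercombinatingcom", "198.51.100.7"),
    ("mentiononecommoncom", "198.51.100.7"),
    ("unrelated-example.test", "203.0.113.9"),
]
# Third-party reporting on single indicators, as summarised in the article
LABELS = {
    "supercombinatingcom": {"MountLocker Cobalt Strike server", "Phobos server"},
    "mentiononecommoncom": {"StrongPity C2"},
}

def correlate(whois, pdns):
    """Union-find over domains, e-mails and IPs; returns a list of clusters."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domain, email in whois:
        parent[find(domain)] = find("email:" + email)
    for domain, ip in pdns:
        parent[find(domain)] = find("ip:" + ip)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return list(groups.values())

def campaigns_in_cluster(clusters, domain, labels=LABELS):
    """Campaign labels on any indicator sharing infrastructure with domain."""
    for cluster in clusters:
        if domain in cluster:
            return set().union(*(labels.get(d, set()) for d in cluster))
    return set()
```

Starting from the beacon-serving domain alone, the cluster pulls in the MountLocker, Phobos and StrongPity reporting, while the unrelated domain stays in its own cluster.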