The BlackBerry Research & Intelligence Team has uncovered an unusual connection between the actions of three distinct threat groups, including those behind financially-motivated ransomware such as MountLocker and Phobos, as well as the espionage-related advanced persistent threat (APT) group known as StrongPity. While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). In this post, we will discuss what led us to these findings, what an IAB is, and how each piece fits into the puzzle. Once we look at each piece in context, we can better assess the full ramifications of these discoveries, and project what is yet to come.

When conducting research for our book, “Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence,” we stumbled upon a domain that piqued our interest due to its similarity to a naming convention that we’d seen in a previous threat hunt. This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104.

IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign. This discovery presented a great opportunity for us to understand the attribution of IABs. Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.

As we delved into and peeled off each overlapping layer throughout our investigation, it appeared at times that we were merely scratching the surface of such collaborations. There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog. In this first installment, we will document the tip of this iceberg. A more comprehensive set of findings will come in a follow-up piece in the near future. Now, let’s explore what we found!

It All Begins with Cobalt Strike

In April of 2021, we observed the domain trashborting[.]com serving Cobalt Strike Beacons. We also identified multiple Beacons containing differing configuration data that were reaching out to this same domain during April and August of this year. One such Beacon, served from the IP 87.120.37[.]120, had trashborting[.]com specified as the C2 server in its configuration. The domain trashborting[.]com had previously resolved to this IP address, as well as to the neighboring IP 87.120.37[.]119. These IP addresses had also hosted two domains with the.

Rediscovering Malicious Spam Infrastructure

Each of the aforementioned domains had a mail server and an associated MX record, meaning they had the capability to send emails en masse. By examining the WHOIS information for these servers, we discovered that both domains were registered by the email address georgesdesjardins285link. By digging into the domain registrant information, we found that this email address had registered eight additional.

These domains popped up previously in a Microsoft blog titled “What tracking an attacker’s email infrastructure tells us about persistent cybercriminal operations.” The Microsoft 365 Defender Threat Intelligence Team found that these servers had been serving malspam that resulted in varying ransomware payloads, such as Dridex, which we were able to corroborate. The interlinking relationships between all these domains can be seen in Figure 1 below.

Figure 3 - Phishing email targeting an Australian Government Agency

Sent from an address originating from the “zensingergy[.]us” domain, this email contained a similar embedded link: “hxxps://magestyin-expedition[.]com/zxlbw.php.” In addition, the last portion of the embedded malicious links - “zpsxxla.php” and “zxlbw.php” - also appear in the Microsoft blog, and are mentioned as part of a Dridex campaign from September 2020 that was described by Microsoft as follows:

“These Dridex campaigns utilized an Emotet loader and initial infrastructure for hosting, allowing the attackers to conduct a highly modular email campaign that delivered multiple distinct links to compromised domains.”
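The infrastructure pivot the post walks through (a Beacon's C2 domain to its hosting IP, the neighbouring IP, the domains co-hosted there, then the WHOIS registrant email to further domains, with an MX check for bulk-mail capability) is easy to script over passive-DNS and WHOIS exports so that analysts can repeat it consistently. The block below is an added example written for this page, not BlackBerry's tooling or code from the post. Its passive-DNS, WHOIS and MX records are constructed in-line: only trashborting[.]com and 87.120.37[.]119/120 are taken from the post, and every other domain, IP address, registrant email and date is a labelled placeholder.

```python
"""Infrastructure pivoting over constructed passive-DNS and WHOIS data.

Added example, not BlackBerry's code. Everything except the seed domain
trashborting[.]com and the IPs 87.120.37[.]119 / 87.120.37[.]120 (both from
the post) is a constructed placeholder.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS records: (domain, ip, first_seen).
PDNS = [
    ("trashborting[.]com", "87.120.37[.]120", "2021-04"),
    ("trashborting[.]com", "87.120.37[.]119", "2021-03"),
    ("placeholder-a[.]example", "87.120.37[.]119", "2021-02"),
    ("placeholder-b[.]example", "87.120.37[.]120", "2021-02"),
    ("unrelated[.]example", "203.0.113[.]10", "2021-01"),
]

# Constructed WHOIS registrant emails (placeholders, not real registrants).
WHOIS = {
    "placeholder-a[.]example": "registrant-1@example.invalid",
    "placeholder-b[.]example": "registrant-1@example.invalid",
    "placeholder-c[.]example": "registrant-1@example.invalid",
    "trashborting[.]com": "registrant-2@example.invalid",
    "unrelated[.]example": "registrant-3@example.invalid",
}

# Constructed MX presence: True means the domain could send mail at scale.
MX = {
    "placeholder-a[.]example": True,
    "placeholder-b[.]example": True,
    "placeholder-c[.]example": False,
    "trashborting[.]com": False,
    "unrelated[.]example": True,
}


def refang(value: str) -> str:
    """Turn a defanged indicator ('87.120.37[.]120') back into a parseable one."""
    return value.replace("[.]", ".")


def build_indexes(pdns):
    """Index passive DNS both ways: domain -> IPs and IP -> domains."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip, _first_seen in pdns:
        by_domain[domain].add(refang(ip))
        by_ip[refang(ip)].add(domain)
    return by_domain, by_ip


def neighbouring_ips(ips, span=1):
    """Expand each IP to the addresses within +/- span (.119 next to .120)."""
    out = set()
    for ip in ips:
        base = int(ip_address(ip))
        for delta in range(-span, span + 1):
            out.add(str(ip_address(base + delta)))
    return out


def pivot(seed, pdns=PDNS, whois=WHOIS, mx=MX, span=1):
    """Run the domain -> IP -> co-hosted domains -> registrant pivot."""
    by_domain, by_ip = build_indexes(pdns)
    seed_ips = by_domain.get(seed, set())

    # Co-hosted domains on the seed's IPs and their immediate neighbours.
    cohosted = set()
    for ip in neighbouring_ips(seed_ips, span):
        cohosted |= by_ip.get(ip, set())
    cohosted.discard(seed)

    # Registrant pivot: every other domain registered with the same emails.
    emails = {whois[d] for d in cohosted if d in whois}
    by_email = defaultdict(set)
    for domain, email in whois.items():
        by_email[email].add(domain)
    registrant_linked = set()
    for email in emails:
        registrant_linked |= by_email[email]
    registrant_linked -= cohosted | {seed}

    # Flag which of the linked domains are set up to send mail at all.
    mail_capable = {d for d in cohosted | registrant_linked if mx.get(d)}
    return {
        "seed_ips": sorted(seed_ips),
        "cohosted": sorted(cohosted),
        "registrant_emails": sorted(emails),
        "registrant_linked": sorted(registrant_linked),
        "mail_capable": sorted(mail_capable),
    }


if __name__ == "__main__":
    for key, value in pivot("trashborting[.]com").items():
        print(f"{key:>18}: {value}")
```

Each stage is kept as a separate key in the result so an analyst can see how far a link has been stretched: an IP-neighbour hit is weaker evidence than a shared registrant email, and the `span` argument makes the neighbourhood assumption explicit rather than hiding it in the data.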