BlackBerry report highlights initial access broker providing entry to StrongPity APT, MountLocker and Phobos ransomware gangs

A new report from BlackBerry has uncovered an initial access broker known as "Zebra2104" that has connections to three malicious cybercriminal groups, some of which are involved in ransomware and phishing.

The BlackBerry Research & Intelligence team found that Zebra2104 provided entry points to ransomware groups like MountLocker and Phobos as well as the StrongPity APT. The access sold was to a number of companies in Australia and Turkey that had been compromised.

The StrongPity APT targeted Turkish businesses in the healthcare space as well as smaller companies. BlackBerry said that from their research, they believe the access broker "has a lot of manpower or they've set up some large 'hidden in plain sight' traps across the internet."

The report said their investigation led them to believe that the MountLocker ransomware group had been working with StrongPity, an APT group dating back to 2012 that some alleged was a Turkish state-sponsored group.

[Figure: Countries attacked by StrongPity. Source: BlackBerry]

"While it may seem implausible for criminal groups to be sharing resources, we found these groups had a connection that's enabled by a fourth; a threat actor we've dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog," the researchers said, noting that they discovered the group while conducting research for a book about cyber threat intelligence.

"This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB — Zebra2104. IABs typically gain access into a victim network then sell that access to the highest bidder on underground forums located on the dark web. Later, the winning bidder will deploy ransomware and/or other financially motivated malware within the victim's organization, depending on the objectives of their campaign."

Their research began in April 2021, when they discovered curious behavior from domains that had been identified previously in a Microsoft report on servers that "were serving malspam that resulted in various ransomware payloads, such as Dridex, which we were able to corroborate."

Several of the domains were involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion.

"Sophos has suggested that the MountLocker group has links to, or has actually become, the recently emerged AstroLocker group. This is because one of the group's ransomware binaries has been linked to a support site of AstroLocker. It is possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities," the report added after explaining a number of technical links between the two groups.

The BlackBerry Research & Intelligence team then used WHOIS registrant information and other data that led them to discover ties between the Phobos ransomware and MountLocker.

"This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also operating from it (although it has happened before). In several instances, a delay was observed between an initial compromise using Cobalt Strike and further ransomware being deployed. Based on these factors, we can infer that the infrastructure is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that has facilitated the operations of the former three. This is either done by providing initial access, or by providing Infrastructure as a Service (IaaS)," the report said.

"An IAB performs the first step in the kill chain of many attacks; that is to say they gain access into a victim's network through exploitation, phishing, or other means. Once they have established a foothold (i.e., a reliable backdoor into the victim network) they then list their access in underground forums on the dark web, advertising their wares in the hopes of finding a prospective buyer. The price for access ranges from as little as $25, going up to thousands of dollars."

Many IABs base their price on the annual revenue that the victim organization generates, creating a bidding system that allows any group to deploy whatever they want.

[Figure omitted. Source: BlackBerry]

"This can be anything from ransomware to infostealers, and everything in between. We believe that our three threat actors — MountLocker, Phobos and StrongPity, in this instance – sourced their access through these means," the BlackBerry Research & Intelligence team explained.

The report notes that the domains resolved to IPs that were provided by the same Bulgarian ASN, Neterra LTD. While they wondered whether the access broker was based in Bulgaria, they surmised that the company was merely being taken advantage of.

The researchers said the "interlinking web of malicious infrastructure" described throughout the report showed that cybercriminal groups mirror the business world in that they are run like multinational enterprises.

"They form partnerships and alliances to help advance their nefarious goals. If anything, it's safe to assume that these 'business partnerships' are going to become even more prevalent in future," the researchers said.

"To counter this, it is only through the tracking, documenting, and sharing of intelligence in relation to these groups (and many more) that the wider security community can monitor and defend against them. This cooperation will continue to further our collective understanding of how cybercriminals operate. If the bad guys work together, so should we!"
