Researchers: Booming Cyber-Underground Market for Initial-Access Brokers

Ransomware gangs are increasingly buying their way into corporate networks, purchasing access from ‘vendors’ that have previously installed backdoors on targets.

It’s well known that email is often the gateway for cybercriminals looking to infiltrate a corporate network. But rather than do the heavy lifting themselves, ransomware gangs are buying their way onto networks, partnering with other criminal groups that have already paved the way for entry with first-stage malware, researchers have found.

Researchers from Proofpoint have uncovered a “lucrative criminal ecosystem” that works together to mount successful ransomware attacks, like the ones that have made headlines (Colonial Pipeline) and caused significant disruption around the world recently, according to a report from the cybersecurity firm published Wednesday.

Before the ultimate ransomware payload hits the network, known ransomware gangs such as Ryuk, Egregor and REvil first team up with threat actors who specialize in initial infection using various forms of malware — such as TrickBot, BazaLoader and IcedID, according to the report.

“Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets, and then sell access to the ransomware actors for a slice of the ill-gotten gains,” according to the report. “Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network.”

Specifically, Proofpoint tracks at least 10 threat actors who use malicious email campaigns to distribute first-stage loaders via various tactics, that ransomware groups then take advantage of to deliver the ultimate payload.

The relationship between these threat actors and ransomware groups is not one-to-one, however, researchers found, as multiple threat actors use the same payloads for ransomware distribution.

“Ransomware is rarely distributed directly via email,” according to the report. “Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021.”

Moreover, banking trojans (TrickBot, Emotet) seem to be the preferred initial method of choice for these access brokers to establish backdoors using malicious email links and attachments, with about 20 percent of the malware seen in the first half of 2021 infiltrating networks this way, researchers found.

Proofpoint has also observed evidence of ransomware deployed via malware called SocGholish, which uses fake updates and website redirects to infect users, as well as via Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators use to evade detection, researchers said.

Attackers and Malware of Choice

Specifically, Proofpoint in the report links 10 threat actors that researchers have been tracking as initial access facilitators to their malware and tactics of choice for establishing network access, which they then sell to various ransomware groups for further nefarious purposes.

TA800 is a large cybercrime actor that Proofpoint has tracked since mid-2019 that distributes banking malware or malware loaders, including TrickBot, BazaLoader, Buer Loader and Ostap, to the Ryuk ransomware gang, researchers found.

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020 that “conducts broad targeting across various industries and geographies” to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif and Cobalt Strike, via emails with malicious Microsoft Office attachments. The Sodinokibi or REvil ransomware group is affiliated with TA577, which has seen a boost in activity of 225 percent in the last six months, according to the report.

TA569, tracked since 2018 but known to be active since 2016, is a traffic and load seller known for compromising content-management servers and injecting and redirecting web traffic to a social-engineering kit, according to the report.

The threat actor is associated with WastedLocker ransomware campaigns that appeared in 2020 that leveraged the SocGholish fake update framework for payload distribution, and also has connections to Russia’s infamous cybercrime gang Evil Corp, researchers found.

Proofpoint has tracked TA551 since 2016. The threat actor typically use thread hijacking to distribute malicious Office documents via email to distribute Ursnif, IcedID, Qbot and Emotet. Specifically, the Maze and Egregor gangs leveraged the group’s use of IcedIT in 2020 to deliver ransomware, according to researchers.

TA570, tracked since 2018, is one of the largest Qbot malware affiliates in campaigns to deliver ProLocker and Egregor ransomware, likely using compromised WordPress sites or file-hosting sites to host their payloads, according to Proofpoint.

Another group, TA547, has been seen distributing primarily banking trojans to various geographic regions including ZLoader, TrickBot and Ursnif, that are later leveraged by ransomware gangs. Activity from TA547 has spiked nearly 30 percent in the last six months, researchers found.

TA544 is also in the malware business but also uses other payloads and primarily attacks targets in Italy and Japan. Researchers have observed the group distributing Ursnif and Dridex trojans, sending upwards of 8 million malicious messages in the last six months, according to Proofpoint.

Another group affiliated with ransomware gangs is TA571, which Proofpoint has tracked since 2019. The threat actor distributes Ursnif, ZLoader and Danabot banking malware, using legitimate file-hosting services or compromised or spoofed infrastructure for payload hosting.

Tracked since June 2020, TA574 is a group of “high-volume cybercrime threat actors” that’s been seen distributing more than 1 million malicious emails over the last six months that attempt to deliver and install malware, including Zloader via malicious Office attachments, according to the report.

Finally, TA575 is a Dridex affiliate tracked by Proofpoint since late 2020 that distributes malware via malicious URLs, Office attachments and password-protected files, on average distributing about 4,000 emails per campaign to hundreds or organizations.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!

Suggested articles