Three separate threat groups are all using a common initial access broker (IAB) to enable their cyberattacks, according to researchers – a finding that has revealed a tangled web of related attack infrastructure underpinning disparate (and in some cases rival) malware campaigns.
The BlackBerry Research & Intelligence Team has found that the ransomware groups known as MountLocker and Phobos, as well as the StrongPity advanced persistent threat (APT), have all partnered with an IAB threat actor that BlackBerry has dubbed Zebra2104.
IABs compromise the networks of various organizations through exploitation, credential-stuffing, phishing or other means, then establish persistent backdoors to maintain access. Then, they sell that access to the highest bidder on various Dark Web forums. These “customers” will then use that access to carry out follow-on attacks, such as espionage campaigns, botnet infections or ransomware hits. According to BlackBerry, the price for such access ranges from as little as $25 to thousands of dollars to enter large corporations.
“This discovery presented a great opportunity for us to understand the attribution of IABs,” the firm noted in a posting on Friday. “Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”
Interwoven Infrastructure Serves Up Cobalt Strike
The first hint of Zebra2104’s existence came when BlackBerry researchers observed a single web domain (trashborting[.]com) serving Cobalt Strike beacons. Beacons are capable of executing PowerShell scripts, logging keystrokes, taking screenshots, downloading files and spawning other payloads.
The trashborting.com domain had been registered in July 2020 with a ProtonMail email address (ivan.odencov1985[at]protonmail[.]com), which was also used to register two additional sister domains on the same date. One of these, supercombinating[.]com, was listed in March by Sophos as an indicator of compromise (IOC) for the MountLocker ransomware-as-a-service group.
MountLocker, which has been around since July 2020, typically leverages Cobalt Strike beacons to both spread laterally and propagate ransomware within a victim’s network. Sophos researchers had observed supercombinating[.]com as being used as the Cobalt Strike server for one of the group’s campaigns.
BlackBerry researchers then became aware of links to the StrongPity APT, which has been around since 2012, using watering-hole attacks (and employing a combination of imitation websites and redirects) to deliver trojanized versions of various commonly used utilities, like WinRAR, Internet Download Manager and CCleaner.
“We noticed that supercombinating[.]com had also resolved to the IP address 91.92.109[.]174, which itself had hosted the domain mentiononecommon[.]com,” BlackBerry researchers explained. “In June of 2020, Cisco’s Talos Intelligence reported mentiononecommon[.]com as a StrongPity C2 server. The domain also served three files related to StrongPity, one of which was [a] trojanized version of the Internet Download Manager utility.”
But that wasn’t all – a link to the Phobos ransomware also presented itself, in the form of a tweet from The DFIR Report naming supercombinating[.]com as the server in a recent Phobos campaign – a finding that BlackBerry confirmed. Phobos typically goes after small-to-medium-sized organizations across a variety of industries, with its average ransom payment received being around $54,000 in July, analysts noted.
This is what it looks like when actors go hands-on-keyboard for ransomware attacks.
Also related: challparty[.]com https://t.co/WVfKsQYddg
— Paul Melson (@pmelson) August 2, 2020
Also of note: The researchers were also able to link trashborting[.]com to a malicious spam infrastructure previously documented by Microsoft. It’s been involved in Emotet and Dridex campaigns, as well as a September 2020 phishing campaign that targeted Australian entities, both in the governmental and private sector.
Related Threat Groups or Supply-Chain Evidence?
The use of a common infrastructure to support so many disparate activities raised questions for the BlackBerry team, starting with the rival ransomware offerings.
“Were MountLocker and Phobos possibly related? Were two different ransomware groups operating from the same infrastructure?” researchers wondered. “This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it.”
In the case of StrongPity, which specializes in espionage and is likely nation-state backed, the motives don’t align with opportunistic, financially motivated ransomware gangs, adding more head-scratching to the proceedings.
“With three seemingly unrelated threat groups using and sharing overlapping infrastructure, we asked ourselves the question, What is the most plausible explanation for these peculiar links?” researchers said. “We concluded that this was not the work of the three groups together, but of a fourth player; an IAB we dubbed Zebra2104, which provided the initial access into victim environments.”
In support of this theory, BlackBerry pointed out that all of the interrelated domains resolved to IPs that were provided by the same Bulgarian Autonomous System Numbers (ASN), which belongs to Neterra Ltd.
“Neterra isn’t known to be a bulletproof hosting provider; it’s more likely that it’s being abused to facilitate this malicious activity,” according to the report. “The fact that all these IPs are on the same ASN helps us bind together the theory that this is in fact all the work of one threat group, underpinning the operation of the groups it sells its access to.”
Booming Market for Initial Access
It’s likely that Zebra2104 props up many more cyberattack groups than those involved in this initial investigation, especially given that pulling on additional threads of the infrastructure revealed a tangled and widespread apparatus.
For instance, two new domains registered in July (ticket-one-two[.]com and booking-sales[.]com), were seen to resolve to the same IP address as trashborting[.]com (87.120.37[.]120). Further inspection showed that booking-sales[.]com had served “one specific item of note,” according to BlackBerry: A tiny, 13KB portable executable (PE) file that proved to be a shellcode loader. This loader turned out to be loading a shellcode Cobalt Strike DNS stager, which is used to download a Cobalt Strike beacon via DNS TXT records.
In June, Proofpoint reported that at least 10 threat actors are offering initial-access services on the major Dark Web forums, using malicious email links and attachments to implant trojans like TrickBot to establish backdoors. About 20 percent of the malware seen in the first half of 2021 infiltrated networks this way, Proofpoint found.
The trend is not going anywhere, and should be expected to swell going into the new year, BlackBerry warned.
“As we delved into and peeled off each overlapping layer throughout our investigation, it appeared at times that we were merely scratching the surface of such collaborations,” researchers concluded. “There is undoubtedly a veritable cornucopia of threat groups working in cahoots…If anything, it is safe to assume that these threat group ‘business partnerships’ are going to become even more prevalent in future.”
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.
Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at becky.bracken@threatpost.com.