A new initial access broker named Zebra2104 has been providing entry points to ransomware groups such as MountLocker and Phobos, as well as to the espionage-focused advanced persistent threat group StrongPity, with access prices starting at just $25, according to a new report. Zebra2104 enters a victim's network and sells that access to the highest bidder on underground forums on the dark web. This saves the broker's threat-actor customers the time, effort, and expense of gaining a toehold in an organization's network themselves. "The winning bidder will often deploy ransomware and/or other financially motivated malware within the victim's organization, depending on the objectives of their campaign, which can be anything from ransomware to info stealing malware, and everything in between," the researchers note.
The researchers estimate the price of access to range from as little as $25 to thousands of dollars. "Typically, the more annual revenue that the target organization generates, the higher the price an initial access broker charges for access,” they stated. Collaboration among threat actors has been on the rise in the past few years, and will only continue to increase, according to the lab manager at cyberthreat information and analysis intelligence platform Blueliv (owned by cybersecurity firm Outpost24). As cybersecurity diversifies, so will the expertise of different threat actors, they add.
Brokers or middlemen selling access to the highest bidder are likely to be working with different threat groups that have multiple motivations, capabilities and resources, says a threat researcher at security firm Digital Shadows. "The access sold can be used by bad actors to conduct threat hunting operations and may unveil complex infrastructure that could be reused by various threat groups," the researcher said. "At the end, analyzing patterns of initial access brokers can often shed light on the working habits of various threat actors and their favorite tactics, techniques, and procedures."
The research began with the investigation of the domain trashborting[.]com, which serves Cobalt Strike Beacons. The researchers also identified multiple other beacons, containing differing configuration data, reaching out to the same domain. "One such beacon served from the IP 87.120.37[.]120 had trashborting[.]com specified as the C2 server in its configuration. The domain trashborting[.]com had previously resolved to this IP address, as well as the neighboring IP 87.120.37[.]119," the researchers report. These IP addresses hosted two domains with the .us Top Level Domain, which are lionarivv[.]us and okergeeliw[.]us. "We discovered that both of these domains were registered on 2020-09-12 by the email address georgesdesjardins285[at]xperi[.]link. By digging into the domain registrant information, we found that this email address had registered eight additional .us domains on the same date," the researchers note. "Two domains of particular interest to us were kavamennci[.]us and zensingergy[.]us. These were involved in a phishing campaign targeting Australian real estate companies and state government departments in September of 2020," they add.
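The pivot described above (domain to resolved IPs, to co-hosted domains, to registrant e-mail, to further domains registered by that address) is a mechanical graph walk over passive-DNS and WHOIS data. The following Python is an added example and not code from BlackBerry or Red Sky Alliance; its records are constructed from the relationships the report states, they are not live lookups, and the exact pairing of the two .us domains with the two IPs is an assumption since the text only says "these IP addresses hosted two domains". The `refang`/`defang` helpers are there because indicators in reports arrive defanged (`[.]`, `[at]`, `hxxp`) and must be normalised before any comparison.

```python
"""Passive-DNS / WHOIS pivoting over defanged indicators.

Added example, not code from BlackBerry or Red Sky Alliance. The records are
constructed from the relationships the report states (which domain resolved to
which IP, which e-mail registered which domain); they are not live lookups,
and the exact pairing of the two .us domains with the two IPs is assumed.
"""
import re
from collections import defaultdict


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:], [at]) back into its real form."""
    plain = ioc.replace("[.]", ".").replace("[:]", ":").replace("[at]", "@")
    return re.sub(r"^hxxp", "http", plain, flags=re.IGNORECASE)


def defang(ioc: str) -> str:
    """Inverse of refang, for writing indicators back into a report safely."""
    safe = ioc.replace(".", "[.]").replace("@", "[at]")
    return re.sub(r"^http(s?)://", r"hxxp\1[:]//", safe, flags=re.IGNORECASE)


# Constructed passive-DNS records: (domain, ip) pairs, defanged as in the report.
RESOLUTIONS = [
    ("trashborting[.]com", "87.120.37[.]120"),
    ("trashborting[.]com", "87.120.37[.]119"),
    ("lionarivv[.]us", "87.120.37[.]120"),      # assumed pairing: report only says "these IPs"
    ("okergeeliw[.]us", "87.120.37[.]119"),     # assumed pairing, as above
    ("supercombinating[.]com", "91.92.109[.]174"),
    ("mentiononecommon[.]com", "91.92.109[.]174"),
]

# Constructed WHOIS records: domain -> (registrant e-mail, registration date or None).
REGISTRANTS = {
    "trashborting[.]com": ("ivan[.]odencov1985[at]protonmail[.]com", None),
    "supercombinating[.]com": ("ivan[.]odencov1985[at]protonmail[.]com", None),
    "mentiononecommon[.]com": ("ivan[.]odencov1985[at]protonmail[.]com", None),
    "lionarivv[.]us": ("georgesdesjardins285[at]xperi[.]link", "2020-09-12"),
    "okergeeliw[.]us": ("georgesdesjardins285[at]xperi[.]link", "2020-09-12"),
    "kavamennci[.]us": ("georgesdesjardins285[at]xperi[.]link", "2020-09-12"),
    "zensingergy[.]us": ("georgesdesjardins285[at]xperi[.]link", "2020-09-12"),
}


def build_index(resolutions, registrants):
    """Refang everything once and build the forward/reverse lookup tables."""
    dom_to_ip, ip_to_dom, email_to_dom = defaultdict(set), defaultdict(set), defaultdict(set)
    dom_to_email = {}
    for dom, ip in resolutions:
        dom, ip = refang(dom), refang(ip)
        dom_to_ip[dom].add(ip)
        ip_to_dom[ip].add(dom)
    for dom, (email, _date) in registrants.items():
        dom, email = refang(dom), refang(email)
        dom_to_email[dom] = email
        email_to_dom[email].add(dom)
    return dom_to_ip, ip_to_dom, dom_to_email, email_to_dom


def pivot(seed, resolutions=RESOLUTIONS, registrants=REGISTRANTS, max_hops=3):
    """Breadth-first pivot from a seed domain through shared IPs and shared registrants.

    Returns {domain: [hop, hop, ...]} where each hop is a human-readable edge,
    so an analyst can see *why* a domain was pulled into the cluster.
    """
    dom_to_ip, ip_to_dom, dom_to_email, email_to_dom = build_index(resolutions, registrants)
    seed = refang(seed)
    reached = {seed: []}
    frontier = [seed]
    for _ in range(max_hops):
        next_frontier = []
        for dom in frontier:
            neighbours = []
            for ip in sorted(dom_to_ip.get(dom, ())):
                neighbours += [(o, f"{dom} -> ip {ip} -> {o}") for o in sorted(ip_to_dom[ip])]
            email = dom_to_email.get(dom)
            if email:
                neighbours += [(o, f"{dom} -> registrant {email} -> {o}")
                               for o in sorted(email_to_dom[email])]
            for other, edge in neighbours:
                if other not in reached:          # first path found is the shortest
                    reached[other] = reached[dom] + [edge]
                    next_frontier.append(other)
        frontier = next_frontier
    return reached


if __name__ == "__main__":
    for dom, path in pivot("trashborting[.]com").items():
        print(defang(dom), "<=", " | ".join(path) if path else "seed")
```

Keeping the hop list per domain matters in practice: a registrant-e-mail hop is strong evidence of common ownership, while a shared-IP hop on a busy hosting provider can be coincidental, so the analyst should be able to see which kind of edge each domain entered the cluster through before treating it as an indicator.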
An analysis of one of the spam emails showed that it came from the kavamennci[.]us domain and appeared to target employees at an Australian property firm. The title of the email, "Your Transaction was Approved 697169IR54253", contained an embedded hyperlink that decoded to hxxps[:]//mail[.]premiumclube[.]org[.]br/zpsxxla[.]php.
The researchers also reported another spam email, directed to an Australian government agency, titled Payment Notification-0782704YX50906. It was sent from an address originating from the "zensingergy[.]us" domain and contained an embedded link: hxxps[:]//magesty[.]in-expedition[.]com/zxlbw[.]php. The last portions of the embedded malicious links - zpsxxla[.]php and zxlbw[.]php - were previously mentioned by Microsoft in connection with a September 2020 Dridex campaign. "This is significant because it demonstrates the power of open-source intelligence and threat hunting. Initially, we started off with one domain (trashborting[.]com), which helped us to unravel other threat actors. Although Dridex is not the target of this paper, it is certainly a noteworthy find to mention," the researchers note.
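The cross-reference to Microsoft's Dridex reporting worked on the last path segment of the links (zpsxxla.php, zxlbw.php) rather than on the full URL, which is exactly the kind of partial match a mail-gateway detection should also make. The Python below is an added example, not code from BlackBerry, Microsoft or Red Sky Alliance: the indicators are the sender domains and embedded links quoted in the text, the key=value log format and the log lines themselves are constructed, and the last line deliberately reuses one of the filenames on an unrelated host to show the weaker path-only match.

```python
"""Matching mail-gateway log lines against defanged indicators from a report.

Added example, not code from BlackBerry, Microsoft or Red Sky Alliance. The
indicators are the sender domains and embedded links quoted in the text; the
log lines are constructed, and the key=value log format is an assumption.
"""
import posixpath
import shlex
from urllib.parse import urlparse

IOC_SENDER_DOMAINS = ["kavamennci[.]us", "zensingergy[.]us"]
IOC_URLS = [
    "hxxps[:]//mail[.]premiumclube[.]org[.]br/zpsxxla[.]php",
    "hxxps[:]//magesty[.]in-expedition[.]com/zxlbw[.]php",
]

# Constructed sample log lines (key=value, quoted where values contain spaces).
SAMPLE_LOG = """\
ts=2020-09-14T03:12:55Z from=accounts@kavamennci.us subject="Your Transaction was Approved 697169IR54253" url=https://mail.premiumclube.org.br/zpsxxla.php
ts=2020-09-14T03:40:02Z from=billing@vendor.example subject="Invoice 4471" url=https://intranet.example/invoices/4471.pdf
ts=2020-09-15T11:05:17Z from=notify@zensingergy.us subject="Payment Notification-0782704YX50906" url=https://magesty.in-expedition.com/zxlbw.php
ts=2020-09-16T08:22:40Z from=hr@corp.example subject="Policy update" url=https://cdn.other.example/files/zxlbw.php
"""


def refang(ioc):
    """Undo report defanging: hxxp -> http, [.] -> ., [:] -> :, [at] -> @."""
    plain = ioc.replace("[.]", ".").replace("[:]", ":").replace("[at]", "@")
    return ("http" + plain[4:]) if plain.lower().startswith("hxxp") else plain


def build_watchlist(sender_domains, urls):
    """Split each URL indicator into host and path basename so partial matches are possible."""
    hosts, basenames, full = set(), set(), set()
    for u in urls:
        real = refang(u)
        parsed = urlparse(real)
        full.add(real.lower())
        hosts.add((parsed.hostname or "").lower())
        basenames.add(posixpath.basename(parsed.path).lower())
    return {
        "senders": {refang(d).lower() for d in sender_domains},
        "hosts": hosts,
        "basenames": basenames,
        "urls": full,
    }


def parse_line(line):
    """Parse one key=value log line; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def scan(log_text, watchlist=None):
    """Return [(ts, [reasons])] for every line that touches an indicator.

    Reasons are ordered strongest to weakest: a sender domain or exact URL hit
    is high confidence, a host hit is good, a basename-only hit needs review.
    """
    wl = watchlist or build_watchlist(IOC_SENDER_DOMAINS, IOC_URLS)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        reasons = []
        sender_domain = f.get("from", "").rpartition("@")[2].lower()
        if sender_domain in wl["senders"]:
            reasons.append("sender-domain")
        url = f.get("url", "")
        if url:
            parsed = urlparse(url)
            if url.lower() in wl["urls"]:
                reasons.append("exact-url")
            if (parsed.hostname or "").lower() in wl["hosts"]:
                reasons.append("url-host")
            if posixpath.basename(parsed.path).lower() in wl["basenames"]:
                reasons.append("url-path")   # same filename, possibly a different host
        if reasons:
            hits.append((f.get("ts", "?"), reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```

The basename match is the noisiest of the four, so in a production rule it should raise a lower-severity alert than a sender-domain or exact-URL match; the value of keeping it is precisely the case in the text, where a filename seen in one campaign turned up in another on different infrastructure.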
The BlackBerry researchers found that the trashborting[.]com domain was registered with a ProtonMail email address (ivan[.]odencov1985[at]protonmail[.]com) and carried Russian registrant information. The same email address was also used to register two sister domains, supercombinating[.]com and mentiononecommon[.]com, which also serve the Cobalt Strike Beacon.
Security firm Sophos also listed supercombinating[.]com as an indicator of compromise in March 2021. The researchers further traced the campaign to an IOC of the MountLocker group, a financially motivated threat group that offers a ransomware-as-a-service model and has been active since July 2020. The same month, Sophos linked the MountLocker ransomware to the AstroLocker team. "It's possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities," the researchers note. "At this point, we noticed that supercombinating[.]com had also resolved to the IP address 91.92.109[.]174, which itself had hosted the domain mentiononecommon[.]com. Both domains resolved to this IP in an alternating fashion between April and November of 2020."
During OSINT analysis, the researchers linked mentiononecommon[.]com with an APT group called StrongPity, aka Promethium. The group has been operational since 2012 and has been linked to espionage campaigns that targeted the Kurdish community as well as the Turkish military. The researchers additionally found that the domain mentiononecommon[.]com was registered to the email address timofei66[at]protonmail[.]com, which also has registrant information pointing to Russia. "At this point, we started to suspect that MountLocker and StrongPity may have worked together in some capacity. This theory seemed unlikely, as their motivations did not appear to align. Despite the improbability of the hypothesis, we set out to see whether we could prove it, and we stumbled upon yet another curious find," the researchers note.
Citing a tweet from a Digital Forensics and Incident Response report, the researchers say that in several attacks, although the ransomware was deployed from supercombinating[.]com, it was not MountLocker's but Phobos' work. The BlackBerry researchers confirmed the theory in an Any.Run sandbox report. Phobos is a ransomware variant that was first seen in early 2019 and is thought to be based on the Dharma ransomware family, the researchers say. "Unlike a lot of other ransomware operators that cast for larger 'whale'-sized organizations, Phobos has been seen angling for small-to-medium-sized organizations across a variety of industries, with its average ransom payment received being around $54,000 in July of 2021," the researchers stated.
Based on several factors discussed in the research paper, the researchers conclude that the infrastructure used in the analyzed attacks is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that facilitated the operations of the other three, either by providing initial access or by providing infrastructure-as-a-service.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941