phobos - X-Industry - Red Sky Alliance (feed updated 2024-03-29T05:55:40Z)
https://redskyalliance.org/xindustry/feed/tag/phobos

Weekly Cyber Intel Report - All Sector
https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector
2021-12-10T13:31:42.000Z
Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><h2><a href="{{#staticFileLink}}9899649489,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9899649489,RESIZE_400x{{/staticFileLink}}" width="250" alt="9899649489?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 10 December 2021:</h2>
<ul>
<li>Red Sky Alliance identified 44,043 connections from new IPs checking in with our Sinkholes</li>
<li>dauction.ru Still has Issues</li>
<li>Analysts identified 3,806 new IP addresses participating in various Botnets</li>
<li>Phobos Ransomware</li>
<li>Yanluowang Ransomware</li>
<li>The Snatch Hacking Group</li>
<li>USB drives – Old Tactic</li>
<li>Hacker arrested in Ottawa</li>
<li>Becoming a Pro</li>
<li>Trains, Planes and Automobiles</li>
<li>MatchMG</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}9899649655,original{{/staticFileLink}}">IR-21-344-001_weekly344.pdf</a></p></div>

Broker Offers Network Access for Only $25
https://redskyalliance.org/xindustry/broker-offers-network-access-for-only-25
2021-11-19T01:47:15.000Z
Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p><a href="{{#staticFileLink}}9822927285,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9822927285,RESIZE_400x{{/staticFileLink}}" width="250" alt="9822927285?profile=RESIZE_400x" /></a>A new initial access broker named Zebra2104 has been providing entry points to ransomware groups such as MountLocker and Phobos, as well as to the espionage-related advanced persistent threat group StrongPity, with access prices starting at just $25, according to a new report. Zebra2104 enters a victim’s network and sells that access to the highest bidder on underground forums on the dark web. This process saves threat actor customers the time, effort, and expense of gaining a toehold in an organization's network themselves. "The winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign, which can be anything from ransomware to info stealing malware, and everything in between," the researchers note.</p>
<p>The researchers estimate the price of access to range from as little as $25 to thousands of dollars. "Typically, the more annual revenue that the target organization generates, the higher the price an initial access broker charges for access,” they stated. Collaboration among threat actors has been on the rise in the past few years, and will only continue to increase, according to the lab manager at cyberthreat information and analysis intelligence platform Blueliv (owned by cybersecurity firm Outpost24). As cybersecurity diversifies, so will the expertise of different threat actors, they add.</p>
<p>Brokers or middlemen selling access to the highest bidder are likely to be working with different threat groups with multiple motivations, capabilities, and resources, says a threat researcher at security firm Digital Shadows. "The access sold can be used by bad actors to conduct threat hunting operations and may unveil complex infrastructure that could be reused by various threat groups," the researcher said. "At the end, analyzing patterns of initial access brokers can often shed light on the working habits of various threat actors and their favorite tactics, techniques, and procedures."</p>
<p>The research began with the investigation of the domain trashborting[.]com, which serves Cobalt Strike Beacons. The researchers also identified multiple other beacons, containing differing configuration data, reaching out to the same domain. "One such beacon served from the IP 87.120.37[.]120 had trashborting[.]com specified as the C2 server in its configuration. The domain trashborting[.]com had previously resolved to this IP address, as well as the neighboring IP 87.120.37[.]119," the researchers report. These IP addresses hosted two domains with the .us Top Level Domain, which are lionarivv[.]us and okergeeliw[.]us.<a href="#_ftn1">[1]</a> "We discovered that both of these domains were registered on 2020-09-12 by the email address georgesdesjardins285[at]xperi[.]link. By digging into the domain registrant information, we found that this email address had registered eight additional .us domains on the same date," the researchers note. "Two domains of particular interest to us were kavamennci[.]us and zensingergy[.]us. These were involved in a phishing campaign targeting Australian real estate companies and state government departments in September of 2020," they add.</p>
<p>An analysis of one of the spam emails showed that it came from the kavamennci[.]us domain and appeared to target employees at an Australian property firm. The title of the email - Your Transaction was Approved 697169IR54253 - contained an embedded hyperlink that decoded to hxxps[:]//mail[.]premiumclube[.]org[.]br/zpsxxla[.]php.</p>
<p>The researchers also reported another spam email, directed to an Australian government agency, titled Payment Notification-0782704YX50906. It was sent from an address originating from the "zensingergy[.]us" domain and contained an embedded link: hxxps[:]//magesty[.]in-expedition[.]com/zxlbw[.]php. The last portions of the embedded malicious links - zpsxxla[.]php and zxlbw[.]php - were previously mentioned by Microsoft in connection with a September 2020 Dridex campaign. "This is significant because it demonstrates the power of open-source intelligence and threat hunting. Initially, we started off with one domain (trashborting[.]com), which helped us to unravel other threat actors. Although Dridex is not the target of this paper, it is certainly a noteworthy find to mention," the researchers note.</p>
<p>The BlackBerry researchers found that the trashborting[.]com domain was registered with a ProtonMail email address (ivan[.]odencov1985[at]protonmail[.]com) and contained Russian registrant information. The same email address was also used to register two sister domains, supercombinating[.]com and mentiononecommon[.]com, which also serve the Cobalt Strike Beacon.</p>
<p>Security firm Sophos also listed supercombinating[.]com as an indicator of compromise in March 2021. Researchers further traced the campaign to an IOC of the MountLocker group, a financially motivated threat group that offers a ransomware-as-a-service model and has been active since July 2020. The same month, Sophos linked the MountLocker ransomware to the AstroLocker team. "It’s possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities," the researchers note. "At this point, we noticed that supercombinating[.]com had also resolved to the IP address 91.92.109[.]174, which itself had hosted the domain mentiononecommon[.]com. Both domains resolved to this IP in an alternating fashion between April and November of 2020."</p>
<p>During OSINT analysis, the researchers linked mentiononecommon[.]com with an APT group called StrongPity, aka Promethium. The group has been operational since 2012 and has been linked to espionage campaigns that targeted the Kurdish community as well as the Turkish military. The researchers additionally found that the domain mentiononecommon[.]com was registered to the email address timofei66[at]protonmail[.]com, which also has registrant information pointing to Russia. "At this point, we started to suspect that MountLocker and StrongPity may have worked together in some capacity. This theory seemed unlikely, as their motivations did not appear to align. Despite the improbability of the hypothesis, we set out to see whether we could prove it, and we stumbled upon yet another curious find," the researchers note.</p>
<p>Citing a tweet from a Digital Forensics and Incident Response report, the researchers say that in several attacks, although the ransomware was deployed from supercombinating[.]com, it was not MountLocker's, but Phobos' work. The BlackBerry researchers confirmed the theory in an Any.Run sandbox report. Phobos is a ransomware variant that was first seen in early 2019 and is thought to be based on the Dharma ransomware family, the researchers say. "Unlike a lot of other ransomware operators that cast for larger 'whale'-sized organizations, Phobos has been seen angling for small-to-medium-sized organizations across a variety of industries, with its average ransom payment received being around $54,000 in July of 2021," the researchers stated.</p>
<p>Based on several factors discussed in this research paper, the researchers conclude that the infrastructure used in the analyzed attacks is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that facilitated the operations of the former three, either by providing initial access or by providing infrastructure-as-a-service.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/ransomware-actors-may-have-new-broker-on-block-a-17865">https://www.bankinfosecurity.com/ransomware-actors-may-have-new-broker-on-block-a-17865</a></p></div>

Do you know where your Bitcoins are Today?
https://redskyalliance.org/xindustry/do-you-know-where-your-bitcoins-are-today
2021-05-26T21:07:51.000Z
Mac McKee (https://redskyalliance.org/members/MacMcKee)
<div><p><a href="{{#staticFileLink}}8989703898,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8989703898,RESIZE_400x{{/staticFileLink}}" width="250" alt="8989703898?profile=RESIZE_400x" /></a>A new information stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam. <a href="https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html">Panda Stealer</a> malware uses spam emails and the same hard-to-detect fileless distribution method deployed by a recent <a href="https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware">Phobos</a> ransomware campaign discovered by investigators.</p>
<p>The attack campaign appears to be primarily targeting users in Australia, Germany, Japan, and the United States. Panda Stealer was discovered by <a href="https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html">Trend Micro</a> at the beginning of April 2021. Threat researchers have identified two infection chains being used by the campaign. Analysts said: "In one, an .XLSM attachment contains macros that download a loader, then the loader downloads and executes the main stealer. </p>
<p>"The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command." Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum.</p>
<p>Panda has other uses, such as the ability to take screenshots of the infected computer and the power to exfiltrate data from browsers, like cookies, passwords, and cards. Researchers linked the campaign to an IP address assigned to a virtual private server rented from Shock Hosting. Shock Hosting said that the server assigned to this address has been suspended. </p>
<p>Panda Stealer was determined to be a variant of Collector Stealer, cracked by Russian threat actor NCP, also known as su1c1de. "Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C&C panel," noted researchers. CollectorStealer (also known as DCStealer) is malicious software which allows cyber criminals to steal various sensitive information (e.g. passwords, credit card details) and files. This malware is for sale on a hacker forum for $12 or $75 (depending on the subscription type). It is advertised on the aforementioned forum as a "top-end information stealer" with a Russian interface.</p>
<p>While the stealers behave similarly, they have different command and control server URLs, build tags, and execution folders. When analyzing the different types of attacks detected across seven million enterprise endpoints over the last 12 months, researchers found that infostealers made up the highest percentage of attempted endpoint attacks (31%).</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports, available at <a href="https://redskyalliance.org/">https://redskyalliance.org</a> at no charge. Many past tactics are reused in current malicious campaigns.</p>
<p>To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance’s cyber threat notification service. Details can be found at: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a>.</p>
<p><a href="{{#staticFileLink}}8989705655,original{{/staticFileLink}}">TR-21-146-001_Bitcoin.pdf</a></p>
<p><a href="https://www.infosecurity-magazine.com/news/panda-stealer-targets-crypt">https://www.infosecurity-magazine.com/news/panda-stealer-targets-crypt</a></p></div>