
Ransomware Actors May Have a New Broker on the Block

Broker Offers Initial Access to Victim's Network for Prices Starting at $25
Malspam distribution (Image Source: BlackBerry)

A new initial access broker, dubbed Zebra2104, has been providing entry points to ransomware groups such as MountLocker and Phobos, as well as espionage-related advanced persistent threat group StrongPity, with access prices starting at just $25, according to a new report.


Zebra2104 gains entry into a victim’s network and sells that access to the highest bidder on underground forums in the dark web, according to the BlackBerry Research and Intelligence Team. This process saves threat actor customers the time, effort and expense of gaining a toehold in an organization's network themselves (see: Ransomware's Helper: Initial Access Brokers Flourish).

"The winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign, which can be anything from ransomware to info-stealing malware, and everything in between," the BlackBerry researchers note.

The researchers estimate the price of access to range from as little as $25 to thousands of dollars. "Typically, the more annual revenue that the target organization generates, the higher the price an initial access broker charges for access," they say.

Collaboration among threat actors has been on the rise in the past few years and will only continue to increase, according to Victor Acin, labs manager at threat intelligence platform Blueliv (owned by cybersecurity firm Outpost24). As cybersecurity diversifies, so will the expertise of different threat actors, he adds.

By indiscriminately selling access to the highest bidder, initial access brokers likely end up working with different threat groups with varying motivations, capabilities and resources, says Stefano De Blasi, a threat researcher at security firm Digital Shadows.

"The access sold can be used by bad actors to conduct threat hunting operations and may unveil complex infrastructure that could be reused by various threat groups," De Blasi tells Information Security Media Group. "In the end," De Blasi concludes, "analyzing patterns of initial access brokers can often shed light on the working habits of various threat actors and their favorite tactics, techniques and procedures."

Critical Findings

The research began with the investigation of the domain trashborting[.]com, which serves Cobalt Strike Beacons. The BlackBerry researchers also identified multiple other beacons, containing differing configuration data, reaching out to the same domain.

"One such beacon served from the IP 87.120.37[.]120 had trashborting[.]com specified as the C2 server in its configuration. The domain trashborting[.]com had previously resolved to this IP address, as well as the neighboring IP 87.120.37[.]119," the BlackBerry researchers report.

These IP addresses hosted two domains with the .us Top Level Domain, which are lionarivv[.]us and okergeeliw[.]us.

"We discovered that both of these domains were registered on 2020-09-12 by the email address georgesdesjardins285[at]xperi[.]link. By digging into the domain registrant information, we found that this email address had registered eight additional .us domains on the same date," the BlackBerry researchers note.

"Two domains of particular interest to us were kavamennci[.]us and zensingergy[.]us. These were involved in a phishing campaign targeting Australian real estate companies and state government departments in September of 2020," they add.

An analysis of one of the spam emails showed that it came from the kavamennci[.]us domain and appeared to target employees at an Australian property firm. The email, titled "Your Transaction was Approved 697169IR54253," contained an embedded hyperlink that decoded to hxxps[:]//mail[.]premiumclube[.]org[.]br/zpsxxla[.]php.

The BlackBerry researchers also reported another spam email, directed to an Australian government agency, titled Payment Notification-0782704YX50906. It was sent from an address originating from the "zensingergy[.]us" domain and contained an embedded link: hxxps[:]//magesty[.]in-expedition[.]com/zxlbw[.]php.

Interestingly, the last portions of the embedded malicious links - zpsxxla[.]php and zxlbw[.]php - were previously mentioned by Microsoft in connection with a September 2020 Dridex campaign.

"This is significant because it demonstrates the power of open-source intelligence and threat hunting. Initially, we started off with one domain (trashborting[.]com), which helped us to unravel other threat actors. Although Dridex is not the target of this paper, it is certainly a noteworthy find to mention," the BlackBerry researchers note.
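The pivot chain described above (seed domain, the IPs it resolved to, domains co-hosted on those IPs, their registrant e-mail, further domains registered by that e-mail) can be expressed as a breadth-first walk over passive-DNS and WHOIS records. The following is an added example, not code from BlackBerry or from the article; every record in it is a constructed placeholder, not a real indicator.

```python
"""Infrastructure pivoting over passive-DNS and WHOIS records (added example)."""
from collections import deque

# Constructed passive-DNS records: (domain, ip) pairs. Placeholder data only.
PDNS = [
    ("seed-c2.example", "198.51.100.10"),
    ("seed-c2.example", "198.51.100.11"),
    ("cohost-a.example", "198.51.100.10"),
    ("cohost-b.example", "198.51.100.11"),
    ("unrelated.example", "203.0.113.5"),
]
# Constructed WHOIS records: domain -> registrant e-mail. Placeholder data only.
WHOIS = {
    "seed-c2.example": "reg-one@example.net",
    "cohost-a.example": "reg-two@example.net",
    "cohost-b.example": "reg-two@example.net",
    "sibling-c.example": "reg-two@example.net",
    "sibling-d.example": "reg-one@example.net",
    "unrelated.example": "someone-else@example.net",
}

def defang(indicator):
    """Render a domain, IP or e-mail so it cannot be clicked or auto-linked."""
    return indicator.replace(".", "[.]").replace("@", "[at]")

def pivot(seed, pdns=PDNS, whois=WHOIS, max_hops=4):
    """Breadth-first expansion from a seed domain over an undirected graph whose
    edges are domain<->IP (passive DNS) and domain<->registrant (WHOIS).
    Returns {indicator: hop distance}; the default of 4 hops covers
    domain -> IP -> co-hosted domain -> registrant -> sibling domain."""
    edges = {}
    for a, b in list(pdns) + list(whois.items()):
        edges.setdefault(a, set()).add(b)
        edges.setdefault(b, set()).add(a)
    seen, queue = {seed: 0}, deque([seed])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:      # stop expanding past the hop budget
            continue
        for nbr in edges.get(node, ()):
            if nbr not in seen:
                seen[nbr] = seen[node] + 1
                queue.append(nbr)
    return seen

def related_domains(seed, pdns=PDNS, whois=WHOIS, max_hops=4):
    """Domains (not IPs or e-mails) linked to the seed, excluding the seed itself."""
    domains = {d for d, _ in pdns} | set(whois)
    reached = pivot(seed, pdns, whois, max_hops)
    return sorted(d for d in reached if d in domains and d != seed)

if __name__ == "__main__":
    for dom in related_domains("seed-c2.example"):
        print(defang(dom))   # defanged candidates for review or blocklisting
```

The hop budget is the analyst's control against over-pivoting: shared hosting or a privacy-proxy registrant e-mail would otherwise pull unrelated infrastructure into the cluster.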

MountLocker Group

The BlackBerry researchers found that the trashborting[.]com domain was registered with a ProtonMail email address (ivan[.]odencov1985[at]protonmail[.]com) and contained Russian registrant information. The same email address was also used to register two sister domains, supercombinating[.]com and mentiononecommon[.]com, which also serve the Cobalt Strike beacon.

Security firm Sophos also listed supercombinating[.]com as an indicator of compromise in March 2021. The Sophos researchers further traced the campaign behind that indicator to the MountLocker group, a financially motivated threat group that offers a ransomware-as-a-service model and has been active since July 2020 (see: New Business Model: White Labeling of Ransomware).

The same month, Sophos linked the MountLocker ransomware to the AstroLocker team.

"It’s possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities," the BlackBerry researchers note. "At this point, we noticed that supercombinating[.]com had also resolved to the IP address 91.92.109[.]174, which itself had hosted the domain mentiononecommon[.]com. Both domains resolved to this IP in an alternating fashion between April and November of 2020."

Links With APT Group

During OSINT analysis, the BlackBerry researchers linked mentiononecommon[.]com with an APT group called StrongPity, aka Promethium. The group has been operational since 2012 and has been linked to espionage campaigns that targeted the Kurdish community as well as the Turkish military (see: Mercenary Hacking Group Deploys Android Malware).

The BlackBerry researchers found that the domain mentiononecommon[.]com was registered to the email address timofei66[at]protonmail[.]com, which also has registrant information pointing to Russia.

"At this point, we started to suspect that MountLocker and StrongPity may have worked together in some capacity. This theory seemed unlikely, as their motivations did not appear to align. Despite the improbability of the hypothesis, we set out to see whether we could prove it, and we stumbled upon yet another curious find," the BlackBerry researchers note.

Citing a tweet that referenced a digital forensics and incident response report, the researchers say that in several attacks, although the ransomware was deployed from supercombinating[.]com, it was not MountLocker's but Phobos' work. The BlackBerry researchers confirmed the theory with an Any.Run sandbox report.

Phobos is a ransomware variant that was first seen in early 2019 and thought to be based on the Dharma ransomware family, the BlackBerry researchers say. "Unlike a lot of other ransomware operators that cast for larger 'whale'-sized organizations, Phobos has been seen angling for small-to-medium-sized organizations across a variety of industries, with its average ransom payment received being around $54,000 in July of 2021," the researchers note.

Based on several factors discussed in the paper, the BlackBerry researchers conclude that the infrastructure used in the analyzed attacks is not that of StrongPity, MountLocker or Phobos, but of a fourth group that facilitated the operations of the other three, either by providing initial access or by providing infrastructure-as-a-service.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




