Suspected Threat Actors: APT35
The Iranian government-linked threat actor group APT35 is leveraging a legitimate function of the Telegram messaging platform to track when its phishing pages have been visited by potential victims. The group used the sendMessage Telegram API function to relay device-based data about visitors to its phishing sites, such as IP address, user agent, and locale, to a Telegram channel, allowing it to observe visits in real time.
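As an added detection example (not from the original report), the following Python flags this beaconing pattern in web-proxy logs: it matches requests to the Telegram Bot API's sendMessage method, records the numeric bot id while discarding the secret part of the token, and URL-decodes the visitor data being relayed. The log format, host names, bot id and token are all constructed.

```python
"""Flag Telegram Bot API sendMessage beacons in web-proxy logs (added example,
not from the original report). A phishing page that calls sendMessage from the
visitor's browser leaves a request to api.telegram.org/bot<token>/sendMessage
in the proxy logs. Log format, host names, bot id and token are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <referer>"
SAMPLE_LOG = """\
2021-10-14T09:12:01Z 10.20.30.41 GET https://mail.example-login.invalid/signin -
2021-10-14T09:12:02Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAEconstructedTokenValue/sendMessage?chat_id=-100987654321&text=ip%3D203.0.113.7%7Cua%3DMozilla%2F5.0%7Clang%3Den-GB https://mail.example-login.invalid/signin
2021-10-14T09:13:44Z 10.20.30.55 GET https://api.telegram.org/file/bot123456789:AAEconstructedTokenValue/photos/x.jpg -
2021-10-14T09:15:10Z 10.20.30.60 GET https://www.example.com/ -
"""

# Bot API path shape: /bot<numeric bot id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")

def parse_line(line):
    ts, client, method, url, referer = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}

def find_telegram_beacons(log_text):
    """Return one finding per sendMessage call to the Telegram Bot API."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        if parts.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(parts.path)
        if not m or m.group(3) != "sendMessage":
            continue  # other Bot API methods / file downloads are not beacons
        query = parse_qs(parts.query)
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "bot_id": m.group(1),  # numeric id only; the secret part is not stored
            "chat_id": query.get("chat_id", [""])[0],
            "leaked_text": query.get("text", [""])[0],  # URL-decoded visitor data
            "referer": rec["referer"],  # the page that triggered the beacon
        })
    return findings

if __name__ == "__main__":
    for finding in find_telegram_beacons(SAMPLE_LOG):
        print(finding)
```

The referer of each finding points at the page that triggered the beacon, which is the phishing URL to block and hunt for across the estate.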
In early 2021, APT35 also leveraged a compromised website affiliated with a UK university to host a phishing kit and send email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.
As per researchers, APT35 has leveraged this technique since at least 2017, targeting diverse and high-value accounts from government, academia, journalism, NGOs, foreign policy, and national security. This type of credential harvesting phishing attack via a compromised website demonstrates that these threat actors are willing to go to great lengths to appear legitimate and eventually achieve their objective.
The CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau of Investigation), and the NSA (National Security Agency) published a joint advisory to warn organizations of an intensified threat posed by the BlackMatter ransomware gang.
According to the joint advisory, the BlackMatter ransomware has targeted multiple critical infrastructure entities in the United States, including two organizations in the food and agriculture sector.
In a BlackMatter attack, the ransomware operators leverage compromised credentials and abuse the SMB (Server Message Block) and LDAP (Lightweight Directory Access Protocol) protocols to access an organization’s AD (Active Directory) and compromise all hosts and shared drives on the network.
BlackMatter operators use an encryption binary exclusively for Linux-based machines and regularly encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe out or reformat backup data stores and appliances.
Legitimate tools and attacker-created accounts are abused for remote, persistent access to the compromised environment, and the threat actors also attempt to exfiltrate the victim’s data to leverage for extortion.
To mitigate the threat posed by BlackMatter and other ransomware families, organizations of all types are directed to implement detection signatures, implement multi-factor authentication, use strong passwords on all accounts, restrict user access to resources, keep systems updated, and use firewalls and implement network segmentation.
Researchers have found a relatively new ransomware operation that appears to be inspired by franchise business models. While investigating the XingLocker ransomware group, researchers observed its operators using the RaaS as a “supplier”: the ransomware is rebranded before deployment rather than distributed under the name of the parent RaaS. The XingLocker ransomware family was itself found to be a rebranded version of Mount Locker. Separate research published in March 2021 had already shown a link between Mount Locker and another ransomware group called AstroLocker. Building on that work, researchers were able to infer that the XingLocker team is yet another Mount Locker franchise. The XingLocker group used a different onion address for each victim; however, instead of setting up multiple servers, it pointed the multiple addresses at the same server. By analyzing HTTP requests made to this server, researchers uncovered directories that held data from organizations victimized by another group, the AstroLocker Team. They believe the new “franchise” RaaS model involves XingLocker, AstroLocker, and Mount Locker, with Mount Locker as the main RaaS allowing affiliates to license the ransomware under their own name and brand.
While this new mechanism of shared infrastructure may not be considered sophisticated, it is significant because ransomware groups are constantly looking for new ways to make their affiliate programs and RaaS operations profitable.
From a defender’s standpoint, this form of shared infrastructure and code may complicate investigation and effective detection. It will further complicate matters, as it is uncommon to find one ransomware sample being detected as another, or to observe two different onion addresses pointing to the same onion service while being used by altogether different ransomware groups. It therefore becomes extremely important for defenders to be aware of these factors when dealing with ransomware.
This new style of ransomware operations appears to provide more flexibility and recognition to the affiliates. However, it also means less brand recognition for the specific ransomware, resulting in victims being less inclined to comply with the ransom demand.
The North Korean threat actor Lazarus Group continues to evolve its techniques and attack methods while carrying out a suspected campaign – Operation AppleJeus.
Based on our research and analysis of Operation AppleJeus, CYFIRMA researchers have observed the following:
The primary motive behind the campaign appears to be the theft of sensitive information for financial gain.