In the past, security experts typically made a distinction between a cybercrime and an advanced persistent threat (APT). While cybercrime focused on obtaining financial gain, APTs trailed their sights on specific organizations, often to steal nation-state secrets. Cobalt Mirage recently seems to have blurred the lines with recent attacks on U.S.-based targets using BitLocker and DiskCryptor.
In an effort to keep organizations safe through transparency, we delved deeper into the threat to identify more artifacts that could put them at risk. Our analysis revealed:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
SecureWorks researchers uncovered the threat earlier this month and, like AlienVault, publicized domain names as IoCs. AlienVault also identified two IP addresses as IoCs.
| Domain IoCs | IP Address IoCs |
|---|---|
| winstore[.]us | 198[.]12[.]65[.]175 |
| update[.]us | 107[.]173[.]231[.]114 |
| tcp443[.]org | |
| symantecserver[.]co | |
| service-management[.]tk | |
| onedriver-srv[.]ml | |
| newdesk[.]top | |
| my-logford[.]ml | |
| msupdate[.]us | |
| microsoft-updateserver[.]cf | |
| aptmirror[.]eu | |
SecureWorks also went on to identify the ransomware variants Cobalt Mirage used in their attacks—BitLocker and DiskCryptor. BitLocker is a built-in Microsoft encryption feature that cybercriminals abused to lock targets out of their systems in November 2021. DiskCryptor, meanwhile, is an open-source encryption tool that cybercriminals likewise abused to launch what came to be known as Mamba ransomware attacks in April 2021.
Using the publicized IoCs as jump-off points, we began by subjecting the 11 domain IoCs to a bulk WHOIS lookup, which led to the discovery of three unredacted email addresses. Subjecting those registrant email addresses to historical reverse WHOIS searches let us uncover 72 domains.
Reverse IP lookups for five IP addresses (two identified by AlienVault as IoCs and three revealed by DNS lookups for the additional 72 domains) that played host to the domain IoCs provided an additional 600 domains. Interestingly, one of the three additional IP hosts we uncovered—54[.]39[.]78[.]148—seemed to be a dedicated IP address.
A bulk malware check on the Threat Intelligence Platform on all the additional domains and IP addresses identified through our analysis showed that organizations should probably block access to and from two specific domains—001lab[.]com and agrisecurv-supc[.]ml—as they have been dubbed “malicious” by various malware engines.
Screenshot lookups for the domain IoCs showed that one remained accessible—my-logford[.]ml. A side-by-side comparison with the official Windows Server Internet Information Services (IIS) site—iis[.]net—shows they do not even remotely look alike.
A closer look at the domain IoCs also showed close ties to Microsoft brand names like Windows and OneDrive, as well as the Microsoft name itself. One also seemed to be mimicking U.S.-based security solution provider Symantec. Using the strings and string combinations “win + store,” “onedrive,” “ms + update,” “microsoft + update,” and “symantec” as Domains & Subdomains Discovery search terms, we identified 23,875 additional domain artifacts. Note, though, that there may be a number of false positives given short strings like “win” and “ms.”
None of the 22,280 domains carrying Microsoft-owned brands actually belonged to the company based on the details on their WHOIS records. In addition, only two out of the 1,595 web properties containing Symantec’s name were under its control. A bulk malware check also showed that 1,568 of them were malicious.
Organizations should avoid accessing any of the 1,570 domains identified as malware hosts to avoid joining the slew of Cobalt Mirage victims to date. And given the recent change in APT groups’ modus operandi—adding the use of cybercrime tools into the mix—monitoring emerging threat trends is also necessary.
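The following script is an added example, not code from the original post or from the tools it references. It refangs the published domain and IP IoCs from the table above, tags each domain with the same brand string combinations used in the Domains & Subdomains Discovery step (with the same short-string false-positive caveat), and then checks a constructed outbound connection log against the resulting blocklist so that subdomains of a listed domain are caught as well. The log lines, client addresses and timestamps are constructed for illustration; only the IoCs come from the post.

```python
"""Refang published IoCs, flag brand-lookalike domains, and match a constructed
outbound connection log against the blocklist (added example, not the post's code)."""
import ipaddress

# Domain and IP IoCs exactly as published in the table above, defanged with "[.]".
DEFANGED_IOCS = """
winstore[.]us update[.]us tcp443[.]org symantecserver[.]co service-management[.]tk
onedriver-srv[.]ml newdesk[.]top my-logford[.]ml msupdate[.]us
microsoft-updateserver[.]cf aptmirror[.]eu
198[.]12[.]65[.]175 107[.]173[.]231[.]114
"""

# Brand string combinations from the Domains & Subdomains Discovery step.
# Every string in a tuple must occur somewhere in the domain for it to match.
BRAND_PATTERNS = {
    "win + store": ("win", "store"),
    "onedrive": ("onedrive",),
    "ms + update": ("ms", "update"),
    "microsoft + update": ("microsoft", "update"),
    "symantec": ("symantec",),
}

# Constructed outbound connection log, "<timestamp> <client> <destination>" per
# line. Clients, timestamps and the benign destinations are not real data.
SAMPLE_CONN_LOG = """\
2022-05-20T10:01:02Z 10.0.0.5 my-logford.ml
2022-05-20T10:01:03Z 10.0.0.7 login.microsoft.com
2022-05-20T10:01:04Z 10.0.0.9 cdn.msupdate.us
2022-05-20T10:01:05Z 10.0.0.9 example.org
2022-05-20T10:01:06Z 10.0.0.11 198.12.65.175
"""


def refang(token):
    """Turn a defanged indicator ("a[.]b") back into a usable value."""
    return token.replace("[.]", ".").strip().lower()


def parse_iocs(text):
    """Split a whitespace-separated defanged IoC list into (domains, ips)."""
    domains, ips = set(), set()
    for token in text.split():
        value = refang(token)
        try:
            ipaddress.ip_address(value)   # raises ValueError for hostnames
            ips.add(value)
        except ValueError:
            domains.add(value)
    return domains, ips


def brand_matches(domain):
    """Labels of every brand pattern whose strings all occur in the domain.
    Short strings such as "win" and "ms" produce false positives, as the post
    notes, so a match is a triage hint, not a verdict on the domain."""
    domain = domain.lower()
    return [label for label, parts in BRAND_PATTERNS.items()
            if all(part in domain for part in parts)]


def in_blocklist(destination, domains, ips):
    """True if destination is a listed IP, a listed domain, or a subdomain of one."""
    destination = destination.lower().rstrip(".")
    if destination in ips:
        return True
    return any(destination == d or destination.endswith("." + d) for d in domains)


def find_hits(log_text, domains, ips):
    """Return (client, destination) pairs from the log that hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        _timestamp, client, destination = line.split()
        if in_blocklist(destination, domains, ips):
            hits.append((client, destination))
    return hits


if __name__ == "__main__":
    doms, addrs = parse_iocs(DEFANGED_IOCS)
    for d in sorted(doms):
        print(f"{d:30} {', '.join(brand_matches(d)) or '-'}")
    for client, dest in find_hits(SAMPLE_CONN_LOG, doms, addrs):
        print(f"BLOCKLIST HIT client={client} destination={dest}")
```

Matching on `endswith("." + d)` rather than a plain substring is deliberate: it catches `cdn.msupdate.us` without also flagging an unrelated name that merely contains `update.us` somewhere in the middle. The brand tagging, by contrast, is intentionally loose substring matching, because that is how the string-combination discovery described above behaves, so its output still needs WHOIS and malware-engine checks before anything is blocked.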
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.