
Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

In the past, security experts typically distinguished between cybercrime and advanced persistent threats (APTs). While cybercrime focused on financial gain, APTs trained their sights on specific organizations, often to steal nation-state secrets. Cobalt Mirage seems to have blurred the lines with recent attacks on U.S.-based targets using BitLocker and DiskCryptor.

In an effort to keep organizations safe through transparency, we delved deeper into the threat to identify more artifacts that could put them at risk. Our analysis revealed:

  • Three unredacted email addresses used to register some of the domains (11 in total) AlienVault identified as indicators of compromise (IoCs)
  • 72 domains that used the same registrant email addresses
  • 3 IP address resolutions of the domain IoCs
  • 600 domains that shared the domain IoCs’ IP hosts (5 in total)
  • 2 out of the 672 domains found turned out to be malicious
  • 23,875 domains that contained strings or string combinations similar to those in the domain IoCs; none belonged to Microsoft, only two were Symantec-owned, and 1,568 were dubbed “malicious”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

    What the Public Knows So Far

    SecureWorks researchers uncovered the threat earlier this month and, like AlienVault, publicized domain names as IoCs. AlienVault also identified two IP addresses as IoCs.


    SecureWorks also went on to identify the ransomware variants Cobalt Mirage used in their attacks—BitLocker and DiskCryptor. BitLocker is a built-in Microsoft encryption feature that cybercriminals abused to lock targets out of their systems in November 2021. DiskCryptor, meanwhile, is an open-source encryption tool also compromised by cybercriminals to launch what came to be known as Mamba ransomware attacks in April 2021.

    What Our Deep Dive Revealed

    Using the publicized IoCs as jump-off points, we began by subjecting the 11 domain IoCs to a bulk WHOIS lookup, which led to the discovery of three unredacted email addresses. Subjecting those registrant email addresses to historical reverse WHOIS searches let us uncover 72 domains.

    Reverse IP lookups for five IP addresses (2 identified by AlienVault as IoCs and 3 revealed by DNS lookups for the additional 72 domains) that played host to the domain IoCs provided an additional 600 domains. Interestingly, one of the three additional IP hosts we uncovered—54[.]39[.]78[.]148—seemed to be a dedicated IP address.

    A bulk malware check on the Threat Intelligence Platform on all the additional domains and IP addresses identified through our analysis showed that organizations should probably block access to and from two specific domains—001lab[.]com and agrisecurv-supc[.]ml—as they have been dubbed “malicious” by various malware engines.

    What Else Can Put Organizations at Risk?

    Screenshot lookups for the domain IoCs showed that one remained accessible—my-logford[.]ml. A side-by-side comparison with the official Windows Server Internet Information Services (IIS) site—iis[.]net—shows they do not even remotely look alike.

    A closer look at the domain IoCs also showed close ties to known Microsoft brands like Windows, OneDrive, and Microsoft. One also seemed to be mimicking U.S.-based security solution provider Symantec. Using the strings and string combinations “win + store,” “onedrive,” “ms + update,” “microsoft + update,” and “symantec” as Domains & Subdomains Discovery search terms, we identified 23,875 additional domain artifacts. Note, though, that there may be a number of false positives given short strings like “win” and “ms.”
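The string search described above, combined with the two domains flagged earlier, written as a check a defender could run over DNS or proxy log hostnames (an added example, not WhoisXML API's tooling). The brand-owned allowlist, the token-start rule used to demote weak matches on the short strings "win" and "ms", and the sample hostnames are assumptions made for this illustration.

```python
import re

# Search strings from the article; every string in a tuple must be present.
TERM_SETS = [("win", "store"), ("onedrive",), ("ms", "update"),
             ("microsoft", "update"), ("symantec",)]
SHORT_TERMS = {"win", "ms"}  # the article warns these cause false positives
# Domains the article reports as flagged malicious, kept defanged as published.
BLOCKLIST_DEFANGED = ["001lab[.]com", "agrisecurv-supc[.]ml"]
# Assumption: brand-owned registrable domains (illustrative, not exhaustive).
BRAND_OWNED = {"microsoft.com", "onedrive.com", "symantec.com"}

def refang(indicator):
    """Convert a defanged indicator (a[.]b) to a plain lowercase hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def registrable(host):
    """Naive last-two-labels cut; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

BLOCKLIST = {refang(d) for d in BLOCKLIST_DEFANGED}

def classify(hostname):
    """Return 'block', 'lookalike', 'review' (likely false positive) or None."""
    host = refang(hostname)
    reg = registrable(host)
    if reg in BLOCKLIST:
        return "block"
    if reg in BRAND_OWNED:
        return None
    name = host.rsplit(".", 1)[0]            # ignore the TLD
    tokens = re.split(r"[^a-z0-9]+", name)   # split on dots and hyphens
    verdict = None
    for terms in TERM_SETS:
        if not all(t in name for t in terms):
            continue
        # A short term is trusted only when it starts a token:
        # "ms-update" is a strong match, "forms-update" is not.
        weak = any(t in SHORT_TERMS and not any(tok.startswith(t) for tok in tokens)
                   for t in terms)
        if not weak:
            return "lookalike"
        verdict = "review"
    return verdict

# Constructed DNS-log hostnames (reserved .example TLD, one brand-owned domain,
# and one subdomain of a domain the article reports as flagged).
SAMPLE = ["ms-update-cdn.example", "forms-update.example", "twinstore.example",
          "login.onedrive.com", "onedrive-files.example", "cdn.001lab[.]com"]
RESULTS = {h: classify(h) for h in SAMPLE}
```

Hostnames returned as "review" are the short-string collisions the article warns about; they are queued for a WHOIS ownership check rather than blocked outright.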

    None of the 22,280 domains carrying Microsoft-owned brands actually belonged to the company based on the details on their WHOIS records. In addition, only two out of the 1,595 web properties containing Symantec’s name were under its control. A bulk malware check also showed that 1,568 of them were malicious.


    Organizations should avoid accessing any of the 1,570 domains identified as malware hosts to avoid joining the slew of Cobalt Mirage victims to date. And given the recent change in APT groups’ modus operandi—adding the use of cybercrime tools into the mix—monitoring emerging threat trends is also necessary.

    If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

    By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

    Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
