A new report from BlackBerry has uncovered an initial access broker dubbed “Zebra2104” that has connections to three malicious cybercriminal groups, some of which are involved in ransomware and phishing.
The BlackBerry Research & Intelligence team discovered that Zebra2104 provided entry points for ransomware groups such as MountLocker and Phobos, as well as the StrongPity APT. The access provided was into a number of compromised businesses in Australia and Turkey.
The StrongPity APT targeted Turkish healthcare companies as well as small businesses. BlackBerry said that, based on its research, it believed the access broker “is very manpowered or that they have set up large ‘hidden’ traps on the Internet.”
The report says the investigation led the researchers to believe that the MountLocker ransomware group had worked with StrongPity, an APT group dating to 2012 that some believed was a Turkish state-sponsored group.
“While it may seem unlikely that criminal groups would share resources, we found that these groups had a fourth-activated connection; a threat actor we’ve dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). There is undoubtedly a veritable cornucopia of threat groups working together, far beyond those mentioned in this blog,” the researchers said, noting that they discovered the group while researching a book on Cyber Threat Intelligence.
“This unique domain led us down a path where we would uncover multiple ransomware attacks and a command and control (C2) APT. The path also revealed what we believe to be the infrastructure of an IAB – Zebra2104. IABs typically gain entry into a victimized network and then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of his campaign.”
Their research began in April 2021, when they uncovered curious behavior from domains previously identified in a Microsoft report on servers that “served malspam that resulted in various ransomware payloads, like Dridex, which we were able to corroborate.”
A few of the domains had been involved in a phishing campaign that targeted Australian state government departments as well as real estate companies there in September 2020. With the help of other reports from Microsoft, the researchers were able to trace the campaigns to an indicator of compromise from a MountLocker intrusion.
“Sophos has speculated that the MountLocker group has links to, or in fact has become, the recently emerged AstroLocker group. This is because one of the group’s ransomware binaries has been linked to an AstroLocker support site. It is possible that this group is trying to lose any notoriety or any baggage it had acquired during its previous malicious activities,” added the report after explaining a number of technical links between the two groups.
The BlackBerry Research & Intelligence team then used WHOIS registrant information and other data to uncover links between the Phobos ransomware and MountLocker.
“This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance that another ransomware operator would work from it as well (although this has happened before). In several cases, there has been a delay between an initial compromise using Cobalt Strike and other ransomware being deployed. Based on these factors, we can infer that the infrastructure is not that of StrongPity, MountLocker or Phobos, but of a fourth group that facilitated the operations of the first three, either by providing initial access or by providing infrastructure as a service (IaaS),” the report says.
“An IAB is the first step in the destruction chain for many attacks; that is, they gain access to a victim’s network through exploitation, phishing, or other means. Once they gain a foothold (i.e. a reliable backdoor into the victims’ network), they then list their access on clandestine forums on the dark web, advertising their products in the hope of finding a potential buyer. The price of access ranges from $25 to thousands of dollars.”
Many IABs base their price on the annual revenue generated by the victim organization, creating an auction system that allows any group to deploy what they want.
“It can be anything from ransomware to infostealers and everything in between. We believe our three threat actors – MountLocker, Phobos, and StrongPity, in this case – have gained their access through these means,” explained the BlackBerry Research & Intelligence team.
The report notes that the domains resolved to IP addresses provided by the same Bulgarian ASN, Neterra LTD. While wondering if the access broker was based in Bulgaria, they assumed the business was simply operating.
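The pivoting described above (WHOIS registrant data, resolved IP addresses, and the observation that several attributed actors sat on the same infrastructure) can be sketched as follows. This is an added example, not code or data from the BlackBerry report: every domain, e-mail address, IP, ASN and actor label is a constructed placeholder, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from the report): domain, WHOIS registrant
# e-mail, resolved IP, hosting ASN, actor a public report tied the domain to.
RECORDS = [
    ("mail-a.example", "reg1@example.org", "192.0.2.10", "AS64500", "ActorA"),
    ("cdn-b.example", "reg1@example.org", "192.0.2.11", "AS64500", "ActorB"),
    ("upd-c.example", "reg2@example.org", "192.0.2.11", "AS64500", "ActorC"),
    ("svc-d.example", "reg2@example.org", "192.0.2.12", "AS64500", None),
    ("shop-e.example", None, "198.51.100.5", "AS64501", "ActorA"),
    ("news-f.example", None, "198.51.100.9", "AS64501", "ActorB"),
]

def cluster(records):
    """Group domains linked by a shared registrant or a shared IP (union-find)."""
    parent = {rec[0]: rec[0] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for domain, registrant, ip, _asn, _actor in records:
        for key in (("registrant", registrant), ("ip", ip)):
            if key[1] is None:  # privacy-redacted WHOIS must not link domains
                continue
            if key in first_seen:
                parent[find(domain)] = find(first_seen[key])
            else:
                first_seen[key] = domain
    groups = defaultdict(list)
    for rec in records:
        groups[find(rec[0])].append(rec)
    return list(groups.values())

def shared_infrastructure(records, min_actors=2):
    """Return clusters that more than one attributed actor has operated from."""
    findings = []
    for group in cluster(records):
        actors = sorted({rec[4] for rec in group if rec[4]})
        if len(actors) >= min_actors:
            findings.append({
                "domains": sorted(rec[0] for rec in group),
                "actors": actors,
                "asns": sorted({rec[3] for rec in group}),  # context only
            })
    return findings
```

A shared ASN is reported as context rather than used as a link, since one hosting provider serves many unrelated customers; the last two constructed records share an ASN but stay in separate clusters.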
The researchers said the “interconnected malicious infrastructure network” described throughout the report shows that cybercriminal groups mirror the business world in that they are run like multinational corporations.
“They are forming partnerships and alliances to help advance their nefarious goals. On the contrary, it is safe to assume that these ‘business partnerships’ will become even more prevalent in the future,” the researchers said.
“To counter this, it is only through tracking, documenting and sharing intelligence about these groups (and many others) that the broader security community can monitor and defend against them. This cooperation will continue to deepen our collective understanding of how cybercriminals operate. If the bad guys work together, so should we!”