ThreatConnect Research Roundup: Ryuk, RedDelta, APT34, and APT35

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Probable Ryuk Infrastructure Registered in November 2020

20201201A: Probable Ryuk Infrastructure Registered in November 2020 Through OpenProvider


In this Roundup, we highlight Incident 20201201A: Probable Ryuk Infrastructure Registered in November 2020 Through OpenProvider.

ThreatConnect Research identified several probable and possible Ryuk / Wizard Spider / UNC1878 domains registered in November 2020 through OpenProvider that are or were hosted on dedicated servers and, per Censys, used an SSL certificate with the subject string “C=, ST=, L=, O=, OU=, CN=”. Those characteristics are consistent with, but not unique to, previously identified Ryuk infrastructure such as hotlable[.]com, myobtain[.]com, primeviref[.]com, and hunbabe[.]com. The identified domains, current / previous hosting IPs, and related files are listed below.

For the following infrastructure (or other domains registered at the same time) we identified related Cobalt Strike files and two-letter subdomains; we therefore assess that this infrastructure probably is related to Ryuk:

run-upgrade[.]monster (104.168.140[.]127, Cobalt Strike f77a4d35985bee64b7fb67c690f9c859)

run-upgrade[.]xyz (104.168.140[.]208)

u6ycrtduvb6d5rttvub6d5[.]com (104.168.158[.]117, Cobalt Strike c269504162843be868b9f8102b46e68e)

run-tcp[.]net (142.11.214[.]73, Cobalt Strike 973cc77b699c319b451a7b9791aeabea)

run-tcp[.]me (142.11.238[.]241)

run-tcp[.]info (104.168.163[.]221)

run-tcp[.]com (104.168.163[.]168)

domnasemg[.]com (88.119.175[.]250, Cobalt Strike 114666e3228237ed5e873b279e11d5df)

livehealths[.]com (88.119.175[.]132, Cobalt Strike 609200517f090bd818e5f1945579912a)

updsql[.]me (104.238.183[.]41, Cobalt Strike 909c48b6f98a2c0921d058d7b5b57ea1, Cobalt Strike d4043eb1e931281afd0624565ccedaec, 5c472e30e48d9f867f86631e5b8276a4)

x3q24wxc54vd6b5f7[.]best (104.168.144[.]137, Cobalt Strike 1a0ec1567eb2c35a398df91114de6fbd)

service-update[.]net (192.236.147[.]8, Cobalt Strike 0fe3dec5c796c61345bc8fb9a00878ec)

One of the domains, citylifedns[.]com (88.119.171[.]55), is hosted at an IP that previously hosted the identified Ryuk domain tiancaii[.]com, and is also probably associated with their operations.

For the following domains, we did not identify any related files and assess that they possibly are related to Ryuk:

update-chromeservices[.]com (198.44.14[.]47)

explore-me[.]xyz (192.236.210[.]115)

3bysybsybs54syb44by[.]xyz (104.168.215[.]90)

v2a3t4rb3y5hu6mi67k[.]xyz (104.168.173[.]236)


Of note, some of the identified infrastructure has been suspended.


ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20201201A: Probable Ryuk Infrastructure Registered in November 2020 Through OpenProvider ThreatConnect Research identified several probable and possible Ryuk / Wizard Spider / UNC1878 domains registered in November 2020 through OpenProvider that are or were hosted on dedicated servers and, per Censys, used an SSL certificate with the subject string “C=, ST=, L=, O=, OU=, CN=”. Those characteristics are consistent with, but not unique to, previously identified Ryuk infrastructure.
  • 20201122A: Ryuk Infrastructure Registered on 11/19/20 ThreatConnect Research identified a set of at least seven domains registered through NameCheap on 11/19/20 at essentially the same time and hosted on probable dedicated servers in LiteServer Holding B.V. IP space. Of note, a possible Ryuk / Wizard Spider / UNC1878 domain was previously registered and hosted similarly.
  • 20201126A: Ryuk Infrastructure Registered on 11/14/20 ThreatConnect Research identified a set of at least three most likely Ryuk / Wizard Spider / UNC1878 domains registered at essentially the same time on 11/14/20 through NameCheap and hosted on dedicated servers at Frantech or Leaseweb. Per Censys, an SSL certificate created on 11/24/20 for one of the identified domains uses the same subject string “C=US, ST=TX, L=Texas, O=lol, OU=,” identified in other previous Ryuk registrations.
  • 20201201B: File Matching YARA Rule Associated to RedDelta PlugX ThreatConnect Research identified a RedDelta PlugX binary and extracted Command and Control locations from the embedded configuration.
  • 20201126B: Possible APT34 Domain careers-ntiva[.]com ThreatConnect identified a possible APT34 / OilRig / Helix Kitten domain registered through THCservers on 11/25/20 using ivacareer@yandex[.]com. As of 11/26/20, it is hosted on a dedicated server.
  • 20201128A: Possible APT34 Domain klwebsrv[.]com ThreatConnect identified a possible APT34 / OilRig / Helix Kitten domain registered through THCservers on 11/26/20 using avupdater@yandex[.]com. As of 11/28/20, it is hosted on a dedicated server.
  • 20201202A: APT35 Domain cover-home-page[.]xyz ThreatConnect Research identified a most likely APT35 / Phosphorus / Charming Kitten domain registered through OnlineNIC Inc. on 12/1/20 and hosted on a dedicated server at a Hetzner IP. Per urlscan.io, this domain currently redirects to China Central Television’s domain. The IP hosts another most likely APT35 domain with registration and hosting characteristics consistent with previously identified APT35 infrastructure.
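The roundup lists its indicators in a defanged "domain (IP, Cobalt Strike md5, …)" layout and describes two Censys certificate subject strings (the all-empty “C=, ST=, L=, O=, OU=, CN=” from 20201201A and “C=US, ST=TX, L=Texas, O=lol, OU=,” from 20201126A). The script below is an added example and not ThreatConnect's code: it parses a few of the indicator lines quoted above into structured records, compares an observed certificate subject attribute-for-attribute against the two published strings, and generalizes the first one to "every subject attribute is blank". The host record fed to `triage()` at the bottom is constructed, not a real scan result, and the function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicator lines copied from the roundup above, still defanged as published.
RAW_INDICATORS = """
run-upgrade[.]monster (104.168.140[.]127, Cobalt Strike f77a4d35985bee64b7fb67c690f9c859)
run-upgrade[.]xyz (104.168.140[.]208)
updsql[.]me (104.238.183[.]41, Cobalt Strike 909c48b6f98a2c0921d058d7b5b57ea1, Cobalt Strike d4043eb1e931281afd0624565ccedaec, 5c472e30e48d9f867f86631e5b8276a4)
citylifedns[.]com (88.119.171[.]55)
"""

# Certificate subject strings quoted in the roundup (incidents 20201201A and 20201126A).
KNOWN_SUBJECTS = [
    "C=, ST=, L=, O=, OU=, CN=",
    "C=US, ST=TX, L=Texas, O=lol, OU=,",
]

LINE_RE = re.compile(r"^(?P<domain>\S+)\s+\((?P<ip>[^,)]+)(?P<rest>[^)]*)\)$")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b")  # MD5-shaped tokens, as the post lists them


@dataclass
class Indicator:
    domain: str
    ip: str
    hashes: list = field(default_factory=list)


def refang(value: str) -> str:
    """Turn the post's defanged 'a[.]b' form back into a matchable 'a.b'."""
    return value.replace("[.]", ".")


def parse_indicators(text: str) -> list:
    """Parse 'domain (ip, Cobalt Strike <md5>, ...)' lines into Indicator records."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the roundup's layout
        records.append(Indicator(refang(m["domain"]), refang(m["ip"]), HASH_RE.findall(m["rest"])))
    return records


def parse_subject(subject: str) -> dict:
    """Split a Censys-style 'K=V, K=V' subject string into an attribute dict, keeping empty values."""
    attrs = {}
    for item in subject.split(","):
        item = item.strip()
        if not item:
            continue  # tolerates the trailing comma in 'OU=,'
        key, _, value = item.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def match_known_subject(subject: str) -> Optional[str]:
    """Return the roundup subject string this subject equals attribute-for-attribute, else None."""
    observed = parse_subject(subject)
    for known in KNOWN_SUBJECTS:
        if parse_subject(known) == observed:
            return known
    return None


def has_only_empty_attributes(subject: str) -> bool:
    """Generalisation of 'C=, ST=, L=, O=, OU=, CN=': every attribute present is blank."""
    attrs = parse_subject(subject)
    return bool(attrs) and all(v == "" for v in attrs.values())


def triage(ip: str, cert_subject: str, indicators: list) -> list:
    """Return the reasons a host record deserves analyst attention (empty list: nothing matched)."""
    reasons = []
    if ip in {i.ip for i in indicators}:
        reasons.append(f"ip {ip} is listed in the roundup")
    known = match_known_subject(cert_subject)
    if known is not None:
        reasons.append(f"certificate subject equals known pattern '{known}'")
    elif has_only_empty_attributes(cert_subject):
        reasons.append("certificate subject has only empty attributes")
    return reasons


if __name__ == "__main__":
    iocs = parse_indicators(RAW_INDICATORS)
    # Constructed host record for demonstration, not a real scan result.
    print(triage("104.168.140.127", "C=, ST=, L=, O=, OU=, CN=", iocs))
```

As the post itself notes, an empty or odd subject string is consistent with Ryuk infrastructure but not unique to it, so the output of `triage()` is a prioritisation hint for an analyst, not a verdict; the hash list is kept per domain so that a file match can be tied back to the host it was seen on.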

Technical Blogs and Reports

Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.