Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.
Roundup Highlight: Probably Ryuk Infrastructure Registered in November 2020
In this Roundup, we highlight Incident 20201201A: Probable Ryuk Infrastructure Registered in November 2020 Through OpenProvider.
ThreatConnect Research identified several probable and possible Ryuk / Wizard Spider / UNC1878 domains registered in November 2020 through OpenProvider that are/were hosted on dedicated servers and, per Censys, used an SSL certificate with subject string “C=, ST=, L=, O=, OU=, CN=”. Those characteristics are consistent with, but not unique to, previously identified Ryuk infrastructure such as hotlable[.]com, myobtain[.]com, primeviref[.]com, and hunbabe[.]com. The identified domains, current / previous hosting IPs, and related files are listed below.
For the following infrastructure (or other domains registered at the same time), we identified related Cobalt Strike files and two-letter subdomains; we therefore assess that this infrastructure is probably related to Ryuk:
For the following domains, we did not identify any related files and assess that they are possibly related to Ryuk:
Of note, some of the identified infrastructure has been suspended.
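The traits used above to cluster this infrastructure (an SSL certificate whose subject fields are all blank, a subject string previously tied to Ryuk registrations, and two-letter subdomains) can be turned into a simple hunting filter over a defender's own certificate or passive DNS data. The code below is an added example, not ThreatConnect's tooling; the input records are constructed here and do not come from Censys or any real scan, and the hostnames use reserved `.test` and `.example` names.

```python
"""Hunting helper for the infrastructure traits described in this roundup: blank X.509
subject strings, the exact subject strings quoted in the text, and two-letter subdomains.
Added example; not ThreatConnect code. SAMPLE_RECORDS is constructed for illustration."""
from typing import Dict, List

# Subject strings quoted in the roundup, as Censys renders the certificate subject.
KNOWN_SUBJECTS = {
    "C=, ST=, L=, O=, OU=, CN=",
    "C=US, ST=TX, L=Texas, O=lol, OU=,",
}


def parse_subject(subject: str) -> Dict[str, str]:
    """Split a comma-separated 'K=V' subject string into an RDN -> value mapping.
    Empty trailing tokens (as in '... OU=,') and tokens without '=' are skipped."""
    parsed: Dict[str, str] = {}
    for token in subject.split(","):
        token = token.strip()
        if not token or "=" not in token:
            continue
        key, _, value = token.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def has_empty_subject(subject: str) -> bool:
    """True when the subject carries RDNs but every value is blank
    (the 'C=, ST=, L=, O=, OU=, CN=' trait), regardless of which RDNs appear."""
    fields = parse_subject(subject)
    return bool(fields) and all(value == "" for value in fields.values())


def is_two_letter_subdomain(hostname: str, registered_domain: str) -> bool:
    """True for names like 'ab.example.test' where the only label left of the
    registered domain is exactly two ASCII letters."""
    hostname = hostname.lower().rstrip(".")
    suffix = "." + registered_domain.lower()
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return len(label) == 2 and label.isalpha() and label.isascii()


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per record that shows at least one trait, with the reasons.
    Each record carries 'hostname', 'registered_domain' and 'subject' keys."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        reasons: List[str] = []
        subject = rec["subject"]
        if subject in KNOWN_SUBJECTS:
            reasons.append("subject matches string quoted in prior Ryuk reporting")
        elif has_empty_subject(subject):
            reasons.append("all subject fields empty")
        if is_two_letter_subdomain(rec["hostname"], rec["registered_domain"]):
            reasons.append("two-letter subdomain")
        if reasons:
            findings.append({"hostname": rec["hostname"], "reasons": reasons})
    return findings


# Constructed sample input (hypothetical hosts; not real indicators).
SAMPLE_RECORDS = [
    {"hostname": "ab.c2-like.test", "registered_domain": "c2-like.test",
     "subject": "C=, ST=, L=, O=, OU=, CN="},
    {"hostname": "www.shop.example", "registered_domain": "shop.example",
     "subject": "C=US, ST=California, L=San Francisco, O=Shop Inc, CN=www.shop.example"},
    {"hostname": "xy.other.test", "registered_domain": "other.test",
     "subject": "C=US, ST=TX, L=Texas, O=lol, OU=,"},
    {"hostname": "mail.bare.test", "registered_domain": "bare.test",
     "subject": "CN=, O="},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding["hostname"], "->", "; ".join(finding["reasons"]))
```

None of these traits is conclusive on its own (the roundup itself says they are consistent with, but not unique to, Ryuk infrastructure), so the output is a triage queue for an analyst to pivot on registration date, registrar and hosting, not a verdict.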
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20201201A: Probable Ryuk Infrastructure Registered in November 2020 Through OpenProvider ThreatConnect Research identified several probable and possible Ryuk / Wizard Spider / UNC1878 domains registered in November 2020 through OpenProvider that are/were hosted on dedicated servers and, per Censys, used an SSL certificate with subject string “C=, ST=, L=, O=, OU=, CN=”. Those characteristics are consistent with, but not exclusively unique to, previously identified Ryuk infrastructure.
- 20201122A: Ryuk Infrastructure Registered on 11/19/20 ThreatConnect Research identified a set of at least seven domains registered through NameCheap on 11/19/20 at essentially the same time and hosted on probable dedicated servers in LiteServer Holding B.V. IP space. Of note, a possible Ryuk / Wizard Spider / UNC1878 domain was previously registered and hosted similarly.
- 20201126A: Ryuk Infrastructure Registered on 11/14/20 ThreatConnect Research identified a set of at least three most likely Ryuk / Wizard Spider / UNC1878 domains registered at essentially the same time on 11/14/20 through NameCheap and hosted on dedicated servers at Frantech or Leaseweb. Per Censys, an SSL certificate created on 11/24/20 for one of the identified domains uses the same subject string “C=US, ST=TX, L=Texas, O=lol, OU=,” identified in other previous Ryuk registrations.
- 20201201B: File Matching YARA Rule Associated to RedDelta PlugX ThreatConnect Research identified a RedDelta PlugX binary and extracted Command and Control locations from the embedded configuration.
- 20201126B: Possible APT34 Domain careers-ntiva[.]com ThreatConnect identified a possible APT34 / OilRig / Helix Kitten domain registered through THCservers on 11/25/20 using ivacareer@yandex[.]com. As of 11/26/20, it is hosted on a dedicated server.
- 20201128A: Possible APT34 Domain klwebsrv[.]com ThreatConnect identified a possible APT34 / OilRig / Helix Kitten domain registered through THCservers on 11/26/20 using avupdater@yandex[.]com. As of 11/28/20, it is hosted on a dedicated server.
- 20201202A: APT35 Domain cover-home-page[.]xyz ThreatConnect Research identified a most likely APT35 / Phosphorus / Charming Kitten domain registered through OnlineNIC Inc. on 12/1/20 and hosted on a dedicated server at a Hetzner IP. Per urlscan.io, this domain currently redirects to China Central Television’s domain. The IP hosts another most likely APT35 domain with registration and hosting characteristics consistent with previously identified APT35 infrastructure.
Technical Blogs and Reports: Incidents with Active and Observed Indicators. Incidents associated with one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Emotet C2 Deltas from 2020/11/18 as of 11:00EST or 16:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/18/emotet-C2-Deltas-1100-1600_11-18-20.html)
- Emotet C2 Deltas from 2020/11/20 as of 12:00EST or 17:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/20/emotet-C2-Deltas-1200-1700_11-20-20.html)
- Threat Roundup for November 13 to November 20 (Source: http://feedproxy.google.com/~r/feedburner/Talos/~3/bAxCtkzamIU/threat-roundup-1113-1120.html)
- Emotet C2 Deltas from 2020/11/24 as of 14:00EST or 19:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/24/emotet-C2-Deltas-1400-1900_11-24-20.html)
- Emotet C2 Deltas from 2020/11/26 as of 14:00EST or 19:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/26/emotet-C2-Deltas-1400-1900_11-26-20.html)
- At the User’s Expense: Threat Actors Weaponize Companies’ Employee Reimbursements During the Pand… (Source: https://cofense.com/at-the-users-expense-threat-actors-weaponize-companies-employee-reimbursements-during-the-pandemic/)
- Xanthe – Docker aware miner (Source: https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html)
- Exposing Emotet’s Modern Infrastructure – A Case Study on Tracking Down and Shutting Down Abusive… (Source: https://ddanchev.blogspot.com/2020/12/exposing-emotets-modern-infrastructure.html)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.