ThreatConnect Research Roundup: Wizard Spider / UNC1878 / Ryuk Campaign

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

In this Roundup, we highlight the Late 2020 Wizard Spider / UNC1878 / Ryuk Campaign.

In late September 2020, the criminal threat group known as Wizard Spider / UNC1878 / Ryuk resumed operations using Trickbot, Cobalt Strike, BazarLoader / Kegtap, and Ryuk ransomware. News reports indicate that some of the operations in this campaign have targeted US hospital networks and an Italian IT services company.

Several consistencies have been identified in sets of infrastructure registered as part of this campaign. Those non-definitive consistencies include the following:

• Use of SSL certificates with subject strings “C=US, ST=TX, L=Texas, O=lol, OU=,” or “C=US, ST=TX, L=Texas, O=office, OU=,”.
• Domain Registration through MonoVM, NameCheap, and Openprovider.
• In some cases, registration of approximately ten domains at a time through one of the above resellers.
• Reuse of strings within domain name, including “service,” “backup,” “helper,” “idrive,” and “boost” among others.
• Repeated use of the same ISPs, and in some cases the same /24 CIDR block, for hosting. ISPs have included Frantech Solutions, Psychz Networks, Private Layer Inc, combahton GmbH, TeraSwitch Networks Inc., LeaseWeb USA Inc., and BACloud.

Sets of identified infrastructure have been captured in incidents associated with this campaign, and the most recent updates are listed below.

• 20201028A: Ryuk Infrastructure Registered on 10/25/20 ThreatConnect Research identified several most likely Ryuk domains registered on October 25 2020 based on consistencies with infrastructure identified in Incident 20200930A: Domains Registered Through MonoVM Used with Cobalt Strike and other recent incidents.
• 20201029A: Ryuk Infrastructure Registered on 10/27/20 ThreatConnect Research identified a domain most likely associated with Wizard Spider / UNC1878 / Ryuk. This domain was registered through NameCheap on October 27 2020 and uses an SSL certificate with similar strings compared to previously identified Ryuk infrastructure. Update 10/30/20 Several other most likely Ryuk domains were also registered at essentially the same time through NameCheap on October 27.
•  20201029B: Possible Ryuk Infrastructure Registered on 10/26/20 ThreatConnect Research identified two domains registered essentially at the same time on October 26 2020 that are possibly related with Wizard Spider / UNC1878 / Ryuk based on non-definitive domain string and registration similarities. These domains were registered through Openprovider and are hosted at an ISP (Frantech) recently used by other Ryuk domains. At this time we have no other information on the extent to which, if any, this infrastructure has been used maliciously. Update 10/29/20 Another possible Ryuk domain was also registered at essentially the same time as the aforementioned domains.
• 20201029C: Ryuk Infrastructure Registered on 10/23/20 ThreatConnect Research identified domains which most likely are associated with Wizard Spider / UNC1878 / Ryuk. These domains were registered through Openprovider on October 23 2020 and use a SSL certificates with similar strings compared to previously identified Ryuk infrastructure. We also identified three other domains that were registered at a different time on October 23 through Openprovider that possibly are related to the same group.

All IOCs associated to this campaign have been included in this CSV.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

• 20201030A: Suspicious Domains Hosted at 45.79.219[.]211 ThreatConnect Research identified a suspicious domain which was registered through Njalla on October 28 2020. The domain is currently hosted at a Linode IP. Several other domains also currently resolve to the IP, notably two spoofing Internet Explorer updates.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

• Daily Emotet IoCs and Notes for 10/29/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/29/emotet-malware-IoCs_10-29-20.html)
• Emotet C2 Deltas from 2020/10/28 as of 11:40EDT or 15:40UTC (Source: https://paste.cryptolaemus.com/emotet/2020/10/28/emotet-C2-Deltas-1540-1140_10-28-20.html)
• Daily Emotet IoCs and Notes for 10/28/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/28/emotet-malware-IoCs_10-28-20.html)
• Emotet C2 Deltas from 2020/10/27 as of 11:45EDT or 15:45UTC (Source: https://paste.cryptolaemus.com/emotet/2020/10/27/emotet-C2-Deltas-1545-1145_10-27-20.html)
• Daily Emotet IoCs and Notes for 10/27/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/27/emotet-malware-IoCs_10-27-20.html)
• Emotet C2 Deltas from 2020/10/26 as of 13:30EDT or 17:30UTC (Source: https://paste.cryptolaemus.com/emotet/2020/10/26/emotet-C2-Deltas-1730-1330_10-26-20.html)
• Daily Emotet IoCs and Notes for 10/26/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/26/emotet-malware-IoCs_10-26-20.html)
• Weekend Emotet IoCs and Notes for 10/23-25/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/25/25-emotet-malware-IoCs_10-25-20.html)
• Threat Roundup for October 16 to October 23 (Source: https://blog.talosintelligence.com/2020/10/threat-roundup-1016-1023.html)