Three separate threat actors have been found using a previously unreported initial access broker to mount intrusions ranging from financially motivated ransomware operations to phishing campaigns.
BlackBerry's Research and Intelligence Team has named the broker "Zebra2104". According to the researchers, it has been supplying initial access to the ransomware operations MountLocker and Phobos, as well as to the Advanced Persistent Threat (APT) group known as StrongPity (aka Promethium).
Initial Access Brokers (IABs) have become an increasingly prominent category of actor in the threat landscape. They sell other cyber-criminal groups, especially ransomware affiliates, a foothold into a large pool of prospective victim organizations across regions and industries, typically in the form of persistent backdoors into already-compromised networks, turning remote access into a priced commodity.
The investigation began with the discovery of a domain, "trashborting[.]com", that was serving Cobalt Strike Beacons. That domain connected the wider infrastructure to several ransomware-delivery campaigns, some of which targeted Australian real estate businesses and state government departments in September 2020.
A sibling domain, "supercombinating[.]com", registered alongside trashborting[.]com, was found to be linked to MountLocker and Phobos activity and resolved to the IP address 91.92.109[.]174. Between April and November 2020 that same IP also hosted a third domain, "mentiononecommon[.]com", and in June 2020 it served as a command-and-control server in a StrongPity-related campaign.
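The pivot the researchers describe, from one Beacon-serving domain to a sibling registration, to a shared IP, to a third domain with overlapping hosting dates, is mechanical enough to script. The following is an added example, not BlackBerry's tooling or any code from the report: it clusters indicators joined by DNS resolutions and co-registration with a union-find, then lists domain pairs whose hosting windows on the same IP actually overlap in time, since mere co-hosting on a shared server is a weak link while simultaneous use of one dedicated IP is a strong one. The domain and IP relationships are the ones reported above; the date windows are approximations and the 203.0.113[.]10 address (an RFC 5737 documentation range) is a placeholder for the unreported IP behind trashborting[.]com.

```python
"""Pivot on shared infrastructure: cluster indicators linked by DNS resolutions
and co-registration, then report domains that shared an IP at the same time.
Added example; not BlackBerry's code. Indicators mirror the article's reported
relationships; the dates and the 203.0.113[.]10 address are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    first_seen: date
    last_seen: date
    source: str  # constructed label for what the observation was attributed to


# Constructed sample data (see module docstring).
RESOLUTIONS = [
    Resolution("supercombinating[.]com", "91.92.109[.]174",
               date(2020, 4, 1), date(2020, 11, 30), "MountLocker/Phobos delivery"),
    Resolution("mentiononecommon[.]com", "91.92.109[.]174",
               date(2020, 6, 1), date(2020, 6, 30), "StrongPity C2"),
    Resolution("trashborting[.]com", "203.0.113[.]10",  # placeholder IP
               date(2020, 9, 1), date(2020, 9, 30), "Cobalt Strike Beacon"),
]

# Sibling domains registered together; a second edge type for the pivot graph.
CO_REGISTERED = [("trashborting[.]com", "supercombinating[.]com")]


def _find(parent, x):
    # Iterative find with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    parent.setdefault(a, a)
    parent.setdefault(b, b)
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[ra] = rb


def cluster_indicators(resolutions, co_registered):
    """Connected components of the pivot graph: domain<->IP edges from
    resolutions and domain<->domain edges from co-registration.
    Returns a list of frozensets, largest cluster first."""
    parent = {}
    for r in resolutions:
        _union(parent, r.domain, r.ip)
    for a, b in co_registered:
        _union(parent, a, b)
    groups = defaultdict(set)
    for node in parent:
        groups[_find(parent, node)].add(node)
    return sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)


def shared_ip_overlaps(resolutions):
    """Pairs of domains that resolved to the same IP with overlapping windows.
    Returns (domain_a, domain_b, ip, overlap_start, overlap_end) tuples."""
    by_ip = defaultdict(list)
    for r in resolutions:
        by_ip[r.ip].append(r)
    hits = []
    for ip, rs in by_ip.items():
        for a, b in combinations(rs, 2):
            start = max(a.first_seen, b.first_seen)
            end = min(a.last_seen, b.last_seen)
            if start <= end:  # windows intersect
                hits.append((a.domain, b.domain, ip, start, end))
    return hits


if __name__ == "__main__":
    for c in cluster_indicators(RESOLUTIONS, CO_REGISTERED):
        print("cluster:", sorted(c))
    for dom_a, dom_b, ip, s, e in shared_ip_overlaps(RESOLUTIONS):
        print(f"{dom_a} and {dom_b} both resolved to {ip} from {s} to {e}")
```

On real data the resolutions would come from a passive-DNS feed and the co-registration edges from WHOIS or registrar history; the clustering logic is the same. Treat the time-overlap output as the prioritized lead list, and verify any shared IP is not a CDN or bulk hosting address before treating the link as attribution evidence.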
Based on the overlaps in the IAB's infrastructure and the breadth of its targeting, the researchers believe the operator either has substantial personnel or has set up large "hidden in plain sight" traps across the internet, giving MountLocker, Phobos, and StrongPity access to targeted networks.
According to the researchers, the interconnected web of malicious infrastructure uncovered in this study shows that, in some cases, cybercrime groups operate much like multinational corporations, mirroring the legitimate business sector.
They form alliances and partnerships to help achieve their objectives, and it is reasonable to predict that such "commercial partnerships" between threat groups will become even more prominent in the future.