
COBALT MIRAGE Conducts Ransomware Operations in U.S.

Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and on commodity tools for encryption, internal scanning, and lateral movement.

Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.

MITRE ATT&CK: Exploit Public-Facing Application - T1190 | OS Credential Dumping - T1003 | Command and Scripting Interpreter - T1059 | Modify Registry - T1112 | Create Account - T1136 | Account Manipulation - T1098 | Proxy - T1090 | Data Encrypted for Impact - T1486

Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591

SYK Crypter Distributing Malware Families Via Discord

Morphisec researchers discovered a new campaign abusing the content distribution network (CDN) of the popular messaging platform Discord. If a targeted user activates the phishing attachment, it starts the DNetLoader malware, which reaches out to a hardcoded Discord CDN link and downloads a next-stage crypter such as the newly discovered SYK crypter. SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions, checks for a debugging environment, achieves persistence through the Startup folder, and runs the payload using the process hollowing technique.
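A detection sketch for the SYK delivery chain summarized on this page (a process that fetches from the Discord CDN and then drops an executable into a user's Startup folder). This is an added example, not code from Morphisec or from this briefing; the event shape is a constructed Sysmon-like JSON layout, and the CDN hostname is an assumption based on Discord's public CDN, not a value taken from the page.

```python
from collections import defaultdict

# Constructed sample telemetry (not real captures). Each event carries a
# timestamp, a type, the acting process id/image, and type-specific fields.
SAMPLE_EVENTS = [
    {"ts": "2022-05-12T10:01:02", "event": "network_connect", "pid": 4120,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "dest_host": "cdn.discordapp.com"},
    {"ts": "2022-05-12T10:01:05", "event": "file_create", "pid": 4120,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
               "Start Menu\\Programs\\Startup\\svc.exe"},
    # Benign: the Discord client itself talks to the CDN but drops nothing.
    {"ts": "2022-05-12T10:02:00", "event": "network_connect", "pid": 2200,
     "image": "C:\\Users\\alice\\AppData\\Local\\Discord\\Discord.exe",
     "dest_host": "cdn.discordapp.com"},
    # Benign: explorer creating a shortcut in Startup with no CDN contact.
    {"ts": "2022-05-12T10:03:00", "event": "file_create", "pid": 3300,
     "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
               "Start Menu\\Programs\\Startup\\notes.lnk"},
]

# Assumed Discord CDN hostname (not from the page); extend for your environment.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
EXEC_EXTS = (".exe", ".dll", ".scr", ".bat", ".vbs", ".js", ".lnk")


def find_cdn_fetch_then_startup_persistence(events):
    """Return one alert per process that contacted the Discord CDN and
    afterwards wrote an executable-type file into a Startup folder."""
    first_cdn_contact = {}  # pid -> earliest CDN connect event
    alerts = []
    # Process in time order so only contact-before-drop sequences match.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "network_connect":
            if ev.get("dest_host", "").lower() in DISCORD_CDN_HOSTS:
                first_cdn_contact.setdefault(ev["pid"], ev)
        elif ev["event"] == "file_create":
            target = ev.get("target", "").lower()
            if (STARTUP_MARKER in target and target.endswith(EXEC_EXTS)
                    and ev["pid"] in first_cdn_contact):
                alerts.append({"pid": ev["pid"], "image": ev["image"],
                               "dropped": ev["target"],
                               "cdn_contact_ts": first_cdn_contact[ev["pid"]]["ts"],
                               "drop_ts": ev["ts"]})
    return alerts
```

Correlating on pid alone is a simplification; production logic should also key on process GUID or start time to avoid pid reuse, and pair this with the in-memory behaviours (process hollowing, AV tampering) the page lists.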
