Iranian Cybercrime Group Uses Ransomware to Capitalize in the Financial Market
An Iranian cybercrime group has been discovered launching cyberattacks on entities in the U.S., Europe and Australia.
According to Secureworks, COBALT MIRAGE has been linked to an Iranian group dubbed Cobalt Illusion. The Iranian threat group persistently uses phishing campaigns to obtain initial access.
The Iranian APT is Divided
The security firm stated in a report that the ransomware group has divided itself into two different clusters. Threat actors belonging to the first cluster conduct financially motivated ransomware operations using encryption tools like BitLocker and DiskCryptor.
The second cluster tries to gather intelligence and gain access to the targets for intrusions. These threat actors obtain initial access by scanning and exploitation. Fortinet and Microsoft Exchange servers were found vulnerable to their methods.
In January, a U.S. philanthropic organization suffered a cyberattack from Cobalt Mirage through ProxyShell exploitation. The Secureworks Counter Threat Unit (CTU) research team investigated the Iranian APT group and discovered that the ProxyShell vulnerabilities were being used to deploy web shells.
In March, CTU attributed an intrusion into a U.S. local government network to Cobalt Mirage's Cluster B. While it was confirmed that this faction did not use ransomware in its latest attack, it conducted activities like the use of a DefaultUser account.
Secureworks stated that cryptomining malware is likely to be part of Cobalt Mirage's activity. In their report, they said that analysis of Cobalt Mirage attacks is challenging because unrelated threat actors have often also compromised the same environment using the same vulnerabilities.
Many of these threat actors use the same publicly available proof-of-concept code and may access the same environment multiple times, dropping redundant web shells. Cryptominer infections are often observed alongside Cobalt Mirage activity, but they may have been deployed by another group.
CTU researchers have not observed any Cluster B operations since the intrusion in March was disrupted, but there is evidence that the threat actors may be experimenting with ransomware.