Iranian cybercrime group Phosphorus is leading a ransomware campaign for personal gain, Microsoft’s threat intelligence center (MSTIC) researchers disclosed yesterday.
Security experts believe a subgroup, dubbed Nemesis Kitten and tracked as DEV-0270, leads several malicious operations, including extensive vulnerability scanning, on behalf of the Iranian government.
They also suspect that, due to the nature of the attacks, most of which “lacked a strategic value for the regime,” the newly observed campaign may not be coordinated by the government and instead is run for the personal gain of the gang members.
The threat actors attempted to gain access through various known vulnerabilities, such as Exchange, Fortinet, and Log4j 2. After breaching a targeted device or network, the attackers would perform environment discovery and credential theft, achieve persistence, escalate privileges, and deploy evasive techniques to dodge detection.
“The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security,” according to MSTIC’s security advisory. “They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: dllhost.exe, task_update.exe, user.exe, and CacheTask.”
Security experts noticed that DEV-0270 attacks often enable BitLocker encryption through setup.bat commands, rendering the host device unusable. The hacker group deploys DiskCryptor, an open-source encryption tool, on compromised Windows devices through RDP. Upon launch, the tool starts to encrypt the device’s entire disk drive and locks the victim out of the workstation.
In the security advisory, MSTIC included a series of mitigation tips to deter DEV-0270-specific techniques:
Specialized software such as Bitdefender Ultimate Security can keep you safe against online threats, with features like:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024