Iranian threat actors were observed targeting a hybrid environment using ransomware as a decoy for destructive attacks.
- Iranian threat actors were observed targeting a hybrid environment.
- Threat actors Mercury and DEV-1084 were involved in the attacks.
- The threat actors used ransomware as a decoy for destructive attacks.
Microsoft recently reported on activity perpetrated by Iranian threat actors and targeting a hybrid environment. Threat actors involved in this campaign include Mercury and DEV-1084.
Mercury was involved in the initial attacks, which were used to gain access to the victim’s environments. Mercury likely obtained access to the victim’s environment via remote exploitation of an unpatched internet-facing device. Microsoft noted the threat actors apparently made several successful attempts at the intrusion, using multiple vulnerabilities, including Log4j 2.
DEV-1084 engaged in follow-on activity, including reconnaissance, discovery, establishing persistence, and lateral movement, with an objective of disruptive and destructive behavior. To maintain persistence, the threat actors used webshells, added a local user account with elevated privileges, installed multiple remote access tools, installed a customized PowerShell backdoor, and stole credentials. Lateral movement consisted of creating remote scheduled tasks to launch the PowerShell backdoor, using WMI to launch commands, and using remote services to run PowerShell commands. The threat actors’ movements appear to be calculated, with DEV-1084 waiting weeks or months between attack stages.
To gain access to the victim’s cloud environment, the threat actors compromised privileged accounts and used them to manipulate the Azure AD Connect agent. They obtained plaintext credentials of a privileged Azure AD account and used the credentials to pivot from the on-premises environment to the cloud environment.
The threat actors attempted to disguise the end game as a ransomware attack. The destructive activity targeted the victim’s server farms, virtual machines, storage accounts, and virtual networks. The ransom payload was staged in NETLOGON shares and on domain controllers. The threat actors used GPO to register a scheduled task to launch the payload. The ransomware payload encrypted files on the target devices appended the DARKBIT extension to the encrypted files and dropped a ransom note. The threat actors also used a compromised administrator account to send emails that were made to appear as if they were sent on behalf of a high-ranking employee. Emails were sent to both internal and external persons.
Microsoft noted the overlap between DEV-1084 and Mercury TTPs, including the use of the same IP address, the use of Mullvad VPN, the use of Rport and Ligolo tools, and the use of the same actor-controlled C2 domain.
Who is Mercury?
Mercury is Microsoft’s designation for the group known as Muddy Water, Static Kitten, Seedworm, and Cobalt Ulster. Mercury is an Iran nexus threat actor group active since at least 2017. Mercury has historically targeted entities in the Middle East but has been known to target other regions as well. Mercury primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks. US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Cisco previously assessed the group as a conglomerate of multiple teams operating independently. Mercury TTPs include social engineering, spearphishing, maldocs, LoLBins, Small Sieve, PowGoop, Mori backdoor, Covicli backdoor, Canopy/SloughRAT, Empire, Powerstats/Powermud backdoor, and others.
Who is DEV-1084?
DEV-1084, who referred to themselves as DarkBit in this campaign, present themselves as a criminal actor involved in extortion. This is likely a ruse to mask sanctioned behavior by a sophisticated entity with ties to Iran’s government or military. It is possible they are a subset of Mercury.
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all xx samples in our portal:
$ polyswarm link list -f DEV-1084
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at firstname.lastname@example.org | Check out our blog | Subscribe to our reports