Blog

RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. More recently, they have come to rely on a backdoor known as BazaLoader/BazarLoader to deliver payloads, the most common of which is Cobalt Strike.

In our analysis of threat infrastructure spanning the global attack surface, we see bulletproof hosting providers continue to play an integral role in threat campaigns and provide essential services for cybercriminals. Flowspec, a bulletproof hosting provider that has been around since October 2018, is a one-stop-shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure. 

The service's IP space enables phishing campaigns that have targeted various banks and domain names spoofing the Steam Community, Counter-Strike: Global Offensive, and Amazon. Flowspec also facilitates the theft of payment data by hosting several Magecart domains. Researchers have associated many different malware files with Flowspec IP space, including banking trojans, ransomware, various backdoors, and more.

As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.

Researchers around the industry have tracked EITest and its evolution for the better part of a decade. Thus far, no one has connected it to the much newer GootLoader malware delivery campaign. However, infrastructure connections in RiskIQ data belonging to GootLoader directly correlate with past EITest activity and the current malware delivery campaign.

In 2021, landmark cyberattacks told us just how exposed we were. Mere months removed from the SolarWinds breach, a watershed attack some thought would set the standard for the impact a vulnerability could have, we dealt with the Microsoft Exchange vulnerability. The Exchange incident was exploited by potentially dozens of APTs and signified yet another critical global-scale incident some thought we'd only see once in a decade. It affected more than 300,000 servers and hundreds of thousands of organizations worldwide, and many organizations are still exposed. 

The biggest problem? Today's organizations have far too much to patch. 

RiskIQ's Illuminate Vulnerability Intelligence was purpose-built to change that. This native feature within the Illuminate Platform allows every organization to see their attack surface for what it really is, providing security teams a consistent way to prioritize, analyze, and triage vulnerabilities based on the likelihood of a successful attack. This real-time insight shrinks workloads and reduces time-to-remediation. 

Magecart Group 8 has been targeting online retailers since 2016. This distinct skimming group first came to light when RiskIQ, led by researcher Yonathan Klijnsma, analyzed its skimmer in 2017 and exposed attacks on Nutribullet in February 2020 and MyPillow and Amerisleep in 2019. 

The group hasn't fixed what isn't broken and today still uses the same skimmer and many of the same tactics and techniques to steal payment data. When selecting its targets, the group seems to continue to favor the home improvement industry, specifically hardware, real estate services, and interior design and decor. 

Supported by our Internet Intelligence Graph, our researchers identify patterns to uncover new threat infrastructure and attacks across the global threat landscape. For Magecart Group 8, its choice of hosting providers shined new light on its skimming activities. RiskIQ researchers identified a pattern in the group's use of hosting providers Flowspec, JSC TheFirst, and OVH and its propensity to transition potentially inactive infrastructure from Bulletproof hosting providers to legitimate ones such as Velia.net.

It's a busy time to be in cybersecurity. Threat actors are more sophisticated, exploit even the most minor vulnerabilities, and don't care who they hurt when they do it. And when organizations can fend them off, they don't go away — they simply regroup, change their strategy and find a new way in. Organizational attack surfaces are also expanding, giving attackers bigger targets to hit. It's a sneaky battle and one that organizations have to fight.

But too often, organizations can't keep up. They find themselves trying to keep pace with the newest threats, resorting to reacting after a breach happens rather than learning how to be proactive and get in front of their digital attack surface. Wouldn't it be much easier if you knew where the battle lines were drawn and could anticipate the enemy's next move instead of hiding inside, hoping the walls don't have a weak spot?

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russia's aggressive cyber campaigns topped the list of President Biden's strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16. 

This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below.

RiskIQ's research team leverages our Internet Intelligence Graph to analyze known campaigns of widely used malware families to fingerprint trends in malicious infrastructure. We recently continued our analysis of Agent Tesla, leading us to identify the XAMPP web server solutions stack being used to serve Agent Tesla and Formbook malware. 

This latest analysis shines new light on the Agent Tesla ecosystem, the TTPs its operatives are using, and how RiskIQ users can now leverage the XAMPP web component to identify hosts that distribute malware and research other potentially malicious infrastructure. 

In our article "Bulletproof Hosting Services: Investigating Media Land LLC," we examined Media Land LLC, the organization ran by cyberthreat mogul Alexander Volosovik. We delved into its hosting infrastructure and activities, including domain registration services that facilitate and enable various malicious campaigns. 

We've done further infrastructure analysis to connected our previous research on Media land activities, including our articles on the Grelos Skimmer, the Inter Skimmer, and Bulletproof hosting, to Volosovik's domain registration and fast-flux services. Fast flux is a DNS technique used to mask botnets by quickly shifting among a network of compromised hosts, which act as proxies to enable criminals to evade detection.

Here, we'll analyze Volosovik's fast-flux offering patterns as seen in RiskIQ data, using several indicators to identify additional aliases, accounts, and domains connected to Volosovik. As we surface these digital relationships, we'll be able to connect previous research from RiskIQ and other security companies to Volosovik's services, showing their prevalence across the global threat landscape.