External Threat Management Labs

Untangling the Spider Web

The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit

RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. More recently, they have come to rely on a backdoor known as BazaLoader/BazarLoader to deliver payloads, the most common of which is Cobalt Strike.

The association of a zero-day exploit with a ransomware group, however remote, is troubling. It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution.

The findings in this report suggest one of at least three possible scenarios:

  1. The threat actor behind the zero-day exploit and associated Cobalt Strike BEACON payload it delivers is part of the criminal syndicate WIZARD SPIDER or one of its affiliates. Their aim is financial gain, likely via ransomware.
  2. The threat actor in question is wholly separate and either shares or has compromised some of the same infrastructure used by WIZARD SPIDER. The true purpose of this threat actor remains unknown. The ultimate objective could be either financial crime, espionage, or both.
  3. The infrastructure leveraged in the zero-day campaign is under criminal control, but this campaign’s goal is altogether different, such as government-sponsored espionage.

Microsoft announced recommendations to mitigate this threat. Network defenders and analysts should immediately follow these recommendations, patch the vulnerability, and proactively block the command-and-control infrastructure RiskIQ enumerates in this report.

Key Findings
  • The zero-day vulnerability impacting Microsoft Word and Microsoft Explorer disclosed on September 7, 2021, and assigned CVE-2021-40444, is being leveraged in malicious documents that deliver a customized version of Cobalt Strike BEACON, more than likely as a first-stage payload.
  • The threat actors behind the campaign also made use of Cobalt Strike’s “Malleable C2 Profiles,” a feature that enables attackers to change the guise of their command-and-control infrastructure to better avoid detection and pattern matching.
  • We assess that the network infrastructure used to provide command-and-control to the BEACON implants delivered by the exploit, as well as the exploit delivery infrastructure, spans more than 200 active servers. The same group used an additional 400 unique servers over the past year. We trace the operational roots of this particular campaign to February of 2021.
  • Based on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with WIZARD SPIDER (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and RYUK (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns.

Background

On September 7, 2021, our parent company, Microsoft, disclosed CVE-2021-40444. CVE-2021-40444 is a zero-day vulnerability impacting Microsoft Windows (Word and Windows Explorer, in particular). It was first reported by Rick Cole of the Microsoft Threat Intelligence Center (MSTIC), Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Genwei Jiang, and Bryce Abdo - all of Mandiant. A few exploit documents have surfaced in the wild that leverage this vulnerability in MSHTML to allow remote code execution.

One of the first exploit samples publicly disclosed was 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52. This malicious Word document delivered a customized version of Cobalt Strike BEACON upon successful compromise of the target. Leveraging RiskIQ’s unique telemetry and Cobalt Strike server detection techniques, RiskIQ’s Team Atlas traced the network footprint the attackers are using in this campaign.

Pattern Matching on Cobalt Strike BEACON C2 Servers

RiskIQ’s Team Atlas immediately noticed that the group is using a unique Malleable C2 Profile for their BEACON implants. The threat actors appear to be using a domain name generation algorithm that produces domains that are between six and eight alphabetic characters in length. The domains all terminate in a .COM top-level domain (TLD). The threat actors typically encrypt their traffic using Sectigo’s PositiveSSL certificates. RiskIQ’s Team Atlas found the group had around 200 active BEACON servers based upon unique IP addresses at the time of writing.

Readers will find a table with all infrastructure matching the unique Malleable C2 Profile in our Cyberthreat Intelligence Card here. 

Historical Cobalt Strike BEACON C2 Servers

Because BEACON was likely only the first-stage malware in this campaign, RiskIQ’s Team Atlas highly recommends reviewing historical logs for any of the following domains. Although these C2 servers are no longer active, it’s entirely possible that secondary or tertiary malware was deployed following an initial breach. Organizations should investigate further on the off chance that any of these domains appear in their historical data.

Below is a table listing C2 servers used in this particular campaign that matched the unique Malleable C2 Profile but are no longer active based on our visibility. Note that the earliest instance when servers were malicious dates to the beginning of February of 2021. We cannot say with certainty that the zero-day exploit was in use at that time, but the malware it delivered traces its roots at least that far back.

Readers can find the table listing these C2 servers in our Cyberthreat Intelligence Card here.
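
The following sketch is an added example, not RiskIQ's code or methodology. It shows one way to run the historical log review recommended above: match each TLS log record against the published indicator list first, then flag names that fit the shape described earlier (six to eight letters under .com with a Sectigo-issued certificate) for analyst review. The log field names, the sample records, the issuer match string, and the placeholder indicator are assumptions constructed for illustration.

```python
import json
import re

# Shape from the report: six to eight alphabetic characters directly under .com.
LABEL_RE = re.compile(r"[a-z]{6,8}")
# Assumption: the log's issuer field names the CA organisation as plain text.
ISSUER_HINT = "sectigo"
# Placeholder: load the domains from the report's indicator tables here.
KNOWN_C2 = {"placeholder-c2.example"}

# Constructed sample records (JSON lines); the field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "2021-03-02T10:15:00Z", "src": "10.0.0.5", "server_name": "qzvmkdtr.com", "issuer": "CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited"}
{"ts": "2021-03-02T10:16:00Z", "src": "10.0.0.7", "server_name": "portal.example.com", "issuer": "CN=Example Internal CA"}
{"ts": "2021-03-02T10:17:00Z", "src": "10.0.0.7", "server_name": "cdn42x.com", "issuer": "CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited"}
{"ts": "2021-03-02T10:18:00Z", "src": "10.0.0.9", "server_name": "login.placeholder-c2.example", "issuer": "CN=Example Internal CA"}
this line is truncated {"ts":
"""

def com_label(host):
    """Return the label directly under .com, or None for any other name."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 and parts[-1] == "com" else None

def triage(rec, known=KNOWN_C2):
    """Return 'known', 'review' or None for one TLS log record."""
    host = str(rec.get("server_name", "")).lower().rstrip(".")
    if host in known or any(host.endswith("." + d) for d in known):
        return "known"  # exact indicator match, including subdomains
    label = com_label(host)
    issuer = str(rec.get("issuer", "")).lower()
    # Name shape alone matches many benign sites; require the issuer as well.
    if label and LABEL_RE.fullmatch(label) and ISSUER_HINT in issuer:
        return "review"
    return None

def hunt(lines, known=KNOWN_C2):
    """Scan JSON-lines log text and return (verdict, ts, src, host) tuples."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines rather than abort the hunt
        verdict = triage(rec, known) if isinstance(rec, dict) else None
        if verdict:
            hits.append((verdict, rec.get("ts"), rec.get("src"), rec["server_name"]))
    return hits
```

A "review" verdict is only a triage lead: many benign sites share this name shape and certificate issuer, so confirm each hit against the report's indicator tables before acting on it.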

Outliers

RiskIQ’s Team Atlas noticed that a few of the servers that utilized the same Malleable C2 Profile were a bit different. Many of them were hosted on the same providers as those C2 servers with an exact matching profile, but these outliers typically either deviated from the naming convention we identified or utilized the default BEACON SSL certificate. We’ve segregated these outliers from the C2 servers above as they may be legitimate and will require additional investigation to associate with the actor behind the exploit.

Readers can see both active and historical outliers in our Cyberthreat Intelligence Card here.

Newly Identified Domains Direct from the BEACON Implants

RiskIQ’s Team Atlas maintains a collection of Cobalt Strike configurations. In searching our telemetry for IP addresses directly implicated in this campaign, we identified an additional 39 unique domains that were hardcoded into these configurations after decoding. The table below shows these domains, which we assess with high confidence are also under the control of the same threat actor.

Readers can see these domains in our Cyberthreat Intelligence Card here.

Vanilla Cobalt Strike C2 Servers Associated with the Group

In the course of our investigation, it became evident that the network infrastructure supporting Cobalt Strike extended far beyond this particular zero-day campaign. Using a similar methodology, RiskIQ’s Team Atlas uncovered several domains that fit the group’s operational profile and even shared the same hosting providers, only at much earlier dates. These C2 servers did not leverage the aforementioned Malleable C2 Profile. However, they fit the bill in nearly every other way. RiskIQ’s Team Atlas identified the following vanilla Cobalt Strike C2 servers that we assess with high confidence belong to the same group.

Readers can see these C2 servers in our Cyberthreat Intelligence Card here.

Supporting Infrastructure for the Zero-Day Campaign

RiskIQ’s Team Atlas looked for other discernible patterns in other bits and pieces of the OSINT that have trickled out associated with the zero-day. Without exposing our exact methodology, we devised a network signature we call HD-1. Searching our telemetry for HD-1, we assess with high confidence that the following domains and IP addresses are under the same group’s control.

Readers can explore both publicly available indicators and additional infrastructure surfaced by RiskIQ in our Cyberthreat Intelligence Card here.

Connections to Ransomware Operators

RiskIQ’s Team Atlas assesses with high confidence that the operators behind the deployment of the zero-day exploit and Cobalt Strike BEACON implants are using infrastructure that shares historical connections to a large, loosely-related criminal enterprise given the names WIZARD SPIDER (CrowdStrike), UNC1878 (FireEye), and RYUK (Public). These groups are known to use the Conti and Ryuk malware families in targeted, so-called Big-Game Hunting ransomware campaigns aimed at large enterprises.

The operational C2 infrastructure employed in the zero-day campaign shares several instances of IP-based overlap with non-public IP addresses and domains previously associated with C2 servers used in targeted deployments of Ryuk and Conti, including:

In addition, both medicalenv.com and cyber-updates.com were registered using the email address senmontechristo@protonmail.com. This email address was also used to register several domains used in the deployment of Cobalt Strike. apperlone.com was one of these and had a particular subdomain doc.apperlon.com which ran Cobalt Strike BEACON under a different Malleable C2 profile. This profile was also unique and directly matched a group we associate with targeted Ryuk ransomware deployments. Upon looking into some of the other domains linked to the email address, RiskIQ’s Team Atlas can conclusively say with high confidence that this email address is directly linked to UNC1878.

Other identified samples that communicated with the domains in the tables above included Emotet and BazaLoader/BazarLoader.

Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.

Based on the limited number of publicly available exploit documents, we assume there has been limited deployment of this zero-day. If this assumption is true, we assess that ransomware is unlikely to be the intended purpose of the campaign. Limiting distribution of a zero-day conflicts with the goal of making the most money as quickly as possible, which has been the modus operandi of WIZARD SPIDER. If the zero-day was deployed solely in pursuit of Big-Game Hunting, we would not expect the operators to limit the total number of potential targets.

Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.

In this case, the overlap with known ransomware infrastructure could mean one of several things. First, that the zero-day operators compromised the infrastructure of the ransomware operators. Second, that the criminal operators are allowing the zero-day operators to piggyback on their existing infrastructure. Third, that the zero-day and ransomware operators are one and the same but engaging in espionage instead of financial crime. Finally, it could mean that both entities could be utilizing the same third party providing Bulletproof Hosting services. There is strong ancillary evidence that suggests this is the case.

Recommendations

RiskIQ’s Team Atlas recommends that network defenders immediately implement the following remediation steps:

1. Deploy the patch for this vulnerability.

2. Detect and block the domains and IP addresses identified as malicious in this report.

RiskIQ’s Team Atlas will continue to update the community as we identify additional related infrastructure. You can explore the IOCs referenced in this article by joining the RiskIQ Community.

We also encourage analysts at security companies and those targeted by this threat actor to contact us at atlas@riskiq.net. RiskIQ’s Team Atlas will continue to provide free and regular updates to the indicators associated with this report.

We coordinated with our colleagues at the Microsoft Threat Intelligence Center (MSTIC) on this research. You can see their related blog post for further analysis and more information on this zero-day, including remediation and patching.