October 06, 2021
Knowing the infrastructure and its connections helps security teams map, monitor, and track adversary-threat infrastructure and its composition—malware, suspicious activity, threat capabilities, shareable attack tools, and their relationships within the worldwide attack surface.
As part of our ongoing research into malware distribution infrastructure, we investigated "Mana Tools," a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla.
Mana Tools was first reported in 2019 by Yoroi researchers who identified it as a fork of the AzoRult 3.2 malware created by a Pakistani actor known as Hagga. The Mana Tools logo appears on current samples of the Mana Tools panel. Using RiskIQ's dataset, we were able to find several Mana Tools login pages.
September 22, 2021
RiskIQ has tracked Magecart since skimmers first surfaced in 2016 and burst into the headlines in the landmark attack against British Airways. In the time since, our researchers have cataloged hundreds of iterations of Magecart skimmers as different threat groups build, appropriate, tweak, and develop them to suit their unique purposes.
Despite their ongoing changes, these skimmers often maintain enough of the same characteristics and infrastructure for keen eyes to link them to past attacks and the responsible groups. In the case of the newly identified "bom" skimmer, which has been deployed on dozens of counterfeit online stores, distinct features and TTPs linked us directly to its predecessor skimmers, including the widespread MakeFrame version. It also pointed us to its operators, Magecart Group 7.
September 15, 2021
RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. More recently, they have come to rely on a backdoor known as BazaLoader/BazarLoader to deliver payloads, the most common of which is Cobalt Strike.
September 08, 2021
In our analysis of threat infrastructure spanning the global attack surface, we see bulletproof hosting providers continue to play an integral role in threat campaigns and provide essential services for cybercriminals. Flowspec, a bulletproof hosting provider that has been around since October 2018, is a one-stop-shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure.
The service's IP space enables phishing campaigns that have targeted various banks and domain names spoofing the Steam Community, Counter-Strike: Global Offensive, and Amazon. Flowspec also facilitates the theft of payment data by hosting several Magecart domains. Researchers have associated many different malware files with Flowspec IP space, including banking trojans, ransomware, various backdoors, and more.
August 25, 2021
As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.
Researchers around the industry have tracked EITest and its evolution for the better part of a decade. Thus far, no one has connected it to the much newer GootLoader malware delivery campaign. However, infrastructure connections in RiskIQ data belonging to GootLoader directly correlate with past EITest activity and the current malware delivery campaign.
August 11, 2021
Magecart Group 8 has been targeting online retailers since 2016. This distinct skimming group first came to light when RiskIQ, led by researcher Yonathan Klijnsma, analyzed its skimmer in 2017 and exposed attacks on Nutribullet in February 2020 and MyPillow and Amerisleep in 2019.
The group hasn't fixed what isn't broken and today still uses the same skimmer and many of the same tactics and techniques to steal payment data. When selecting its targets, the group seems to continue to favor the home improvement industry, specifically hardware, real estate services, and interior design and decor.
Supported by our Internet Intelligence Graph, our researchers identify patterns to uncover new threat infrastructure and attacks across the global threat landscape. For Magecart Group 8, its choice of hosting providers shined new light on its skimming activities. RiskIQ researchers identified a pattern in the group's use of hosting providers Flowspec, JSC TheFirst, and OVH and its propensity to transition potentially inactive infrastructure from Bulletproof hosting providers to legitimate ones such as Velia.net.
July 30, 2021
RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russia's aggressive cyber campaigns topped the list of President Biden's strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16.
This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below.
July 28, 2021
RiskIQ's research team leverages our Internet Intelligence Graph to analyze known campaigns of widely used malware families to fingerprint trends in malicious infrastructure. We recently continued our analysis of Agent Tesla, leading us to identify the XAMPP web server solutions stack being used to serve Agent Tesla and Formbook malware.
This latest analysis shines new light on the Agent Tesla ecosystem, the TTPs its operatives are using, and how RiskIQ users can now leverage the XAMPP web component to identify hosts that distribute malware and research other potentially malicious infrastructure.
July 14, 2021
In our article "Bulletproof Hosting Services: Investigating Media Land LLC," we examined Media Land LLC, the organization ran by cyberthreat mogul Alexander Volosovik. We delved into its hosting infrastructure and activities, including domain registration services that facilitate and enable various malicious campaigns.
We've done further infrastructure analysis to connected our previous research on Media land activities, including our articles on the Grelos Skimmer, the Inter Skimmer, and Bulletproof hosting, to Volosovik's domain registration and fast-flux services. Fast flux is a DNS technique used to mask botnets by quickly shifting among a network of compromised hosts, which act as proxies to enable criminals to evade detection.
Here, we'll analyze Volosovik's fast-flux offering patterns as seen in RiskIQ data, using several indicators to identify additional aliases, accounts, and domains connected to Volosovik. As we surface these digital relationships, we'll be able to connect previous research from RiskIQ and other security companies to Volosovik's services, showing their prevalence across the global threat landscape.