# Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware **blogs.blackberry.com/en/2021/11/zebra2104** The BlackBerry Research & Intelligence Team ### Executive Summary The BlackBerry Research & Intelligence Team has uncovered an unusual connection between the actions of three distinct threat groups, including those behind financially-motivated ransomware such as [MountLocker and](https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates) [Phobos, as well as the espionage-related advanced persistent threat](https://blogs.blackberry.com/en/2021/09/threat-thursday-phobos-ransomware) (APT) group known as StrongPity. While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). In this post, we will discuss what led us to these findings, what an IAB is, and how each piece fits into the puzzle. Once we look at each piece in context, we can better assess the full ramifications of these discoveries, and project what is yet to come. ### Introduction When conducting research for our book, “Finding Beacons in the Dark: A Guide to Cyber Threat _Intelligence,” we stumbled upon a domain that piqued our interest due to its similarity to a naming_ convention that we’d seen in a previous threat hunt. ----- This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104. IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign. This discovery presented a great opportunity for us to understand the attribution of IABs. Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals. As we delved into and peeled off each overlapping layer throughout our investigation, it appeared at times that we were merely scratching the surface of such collaborations. There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog. In this first installment, we will document the tip of this iceberg. A more comprehensive set of findings will come in a follow-up piece in the near future. Now, let’s explore what we found! ### It All Begins with Cobalt Strike In April of 2021, we observed the domain trashborting[.]com serving Cobalt Strike Beacons. We also identified multiple Beacons containing differing configuration data that was reaching out to this same domain, during April and August of this year. One such Beacon served from the IP 87.120.37[.]120 had trashborting[.]com specified as the C2 server in its configuration. **IP** **Country** **ASN** **ASN Number** **87.120.37.120** Bulgaria Neterra Ltd AS34224 _Table 1 – Trashborting[.]com IP address_ The domain trashborting[.]com had previously resolved to this IP address, as well as the neighboring IP 87.120.37[.]119. These IP addresses had also hosted two domains with the .us Top Level Domain (TLD): lionarivv[.]us okergeeliw[.]us ### Rediscovering Malicious Spam Infrastructure ----- Each of the aforementioned domains had a mail server and associated MX record, meaning they had the capability to send emails en masse. By examining the WHOIS information for these servers, we discovered that both domains were registered on 2020-09-12 by the email address _georgesdesjardins285[at}xperi[.]link. By digging into the domain registrant information, we found_ that this email address had registered eight additional .us domains on the same date. These domains popped up previously in a Microsoft blog titled: “What tracking an attacker’s email _infrastructure tells us about persistent cybercriminal operations.”_ The Microsoft 365 Defender Threat Intelligence Team found that these servers had been serving [malspam that resulted in varying ransomware payloads, such as Dridex, which we were able to](https://blogs.blackberry.com/en/2021/08/threat-thursday-ta575-dridex) corroborate. **Type** **IOC** **Domain** bertolinnj[.]us **Domain** eixirienhj[.]us **Domain** auswalzenna[.]us **Domain** megafonasgc[.]us **Domain** zensingergy[.]us **Domain** infuuslx[.]us **Domain** mipancepezc[.]us **Domain** kavamennci[.]us _Table 2 - Additional .us domains_ The interlinking relationships between all these domains can be seen in Figure 1 below. ----- _Figure 1 - Malspam distribution_ ### Dridex Malspam Two domains of particular interest to us were kavamennci[.]us and zensingergy[.]us. These were involved in a phishing campaign targeting Australian real estate companies and state government departments in September of 2020, which are evidenced as follows. The first spam-mail was sent from an address coming from the kavamennci[.]us domain, and it appears to target employees at one of the Australia's largest property groups. The mail was titled “Your Transaction was Approved 697169IR54253” and it contained an embedded hyperlink that decoded to “hxxps[:]//mail[.]premiumclube[.]org[.]br/zpsxxla.php.” ----- _Figure 2 - Phishing email targeting employees at one of Australia’s largest property groups_ The second email was directed at an Australian government agency, and titled “Payment _Notification-0782704YX50906.”_ ----- _Figure 3 - Phishing email targeting an Australian Government Agency_ Sent from an address originating from the “zensingergy[.]us” domain, this email contained a similar embedded link: “hxxps[:]//magesty[.]in-expedition[.]com/zxlbw.php.” In addition, the last portion of the embedded malicious links — “zpsxxla.php” and “zxlbw.php” — also appear in the Microsoft blog, and are mentioned as part of a Dridex campaign from September 2020 that was [described by Microsoft as follows:](https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/) “These Dridex campaigns utilized an Emotet loader and initial infrastructure for hosting, allowing _the attackers to conduct a highly modular email campaign that delivered multiple distinct links to_ _compromised domains. These domains employed heavy sandbox evasion and are connected by a_ _series of PHP patterns ending in a small subset of options: zxlbw.php, yymclv.php, zpsxxla.php, or_ _app.php.”_ This is significant because it demonstrates the power of open-source intelligence (OSINT) and threat hunting. Initially, we started off with one domain (trashborting[.]com), which helped us to unravel other threat actors that we will look at in more detail later. Although Dridex is not the target of this paper, it is certainly a noteworthy find to mention. ### Peering Down the Intelligence Rabbit Hole The trashborting.com domain was registered with a ProtonMail email address (ivan.odencov1985[at]protonmail[.]com) and contained Russian WHOIS registrant information: **Type** **IOC** Registrar PDR Ltd. d/b/a PublicDomainRegistry.com Domain Status client delete prohibited client update prohibited client delete prohibited client hold Email Ivan.odencov1985[at]protonmail[.]com (registrant, admin, tech) Name Ivan (registrant, admin, tech) Organization Street ----- City Moscow (registrant, admin, tech) State Moscow (registrant, admin, tech) Postal Code 123066 (registrant, admin, tech) Country RU (registrant, admin, tech) Phone +7.993216690 (registrant, admin, tech) Name Servers ns1.entrydns.net ns2.entrydns.net ns3.entrydns.net ns4.entrydns.net _Table 3 - Trashborting WHOIS information_ This email address was also used to register two additional sister domains on the same date: July [17, 2020. Both had been observed serving Cobalt Strike Beacon.](https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book) ----- _Figure 4 - Trashborting and sister domains_ In March of 2021, Sophos listed supercombinating[.]com as an indicator of compromise (IOC). ----- _Figure 5 - Sophos MountLocker IOCs_ The MountLocker group is a financially motivated threat group that offers a Ransomware-as-aService (RaaS) model; they have been active since July of 2020. As has become the trend with recent ransomware operators, MountLocker employs double extortion tactics. This means that the malware operators exfiltrate sensitive documents and data from the victim prior to encryption, then threaten to publish said data on the dark web should their ransom demands not be met. [Such attacks typically leverage Cobalt Strike Beacon to both spread laterally and propagate the](https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike) MountLocker ransomware within the victim network. In this instance, this is done via supercombinating[.]com. [Sophos has supposed that the MountLocker group has links to, or has in fact become, the recently](https://www.securitymagazine.com/articles/94954-sophos-identifies-connection-between-mount-locker-and-astro-locker-team-ransomware) emerged AstroLocker group. This is because one of the group’s ransomware binaries has been linked to a support site of AstroLocker. It’s possible that this group is trying to shed any notoriety or ----- baggage that it had garnered through its previous malicious activities. [For additional information, you can check out our blog on MountLocker, which sheds further light](https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates) on affiliate operations and double extortion capabilities. ### MountLocker Activity At this point, we noticed that supercombinating[.]com had also resolved to the IP address _91.92.109[.]174, which itself had hosted the domain mentiononecommon[.]com._ Both domains resolved to this IP in an alternating fashion between April and November of 2020, as illustrated in the image below. ----- _Figure 6 - Domain resolution_ This alternating resolution timeline can be seen below: _Figure 7 - Alternating IP resolution_ So, what does this mean, and where does mentiononecommon[.]com fit into the puzzle? The answer to this question requires a little more background information to paint a clearer picture. Additional OSINT led to us uncover links between mentiononecommon[.]com and the APT group known as StrongPity. Before we discuss those connections, let’s look at who the StrongPity group are, and what they are known for. ### Why Hello There, StrongPity! StrongPity, aka Promethium (Microsoft), is an APT group that has been operational as far back as [2012. It was previously alleged that this group is Turkish state-sponsored, though this is](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html) unconfirmed. [Their modus operandi has typically been to use watering hole attacks to deliver Trojanized](https://cybersecurity.att.com/blogs/labs-research/newly-identified-strongpity-operations) versions of various commonly used utilities. To accomplish these attacks, a combination of imitation websites and redirects are employed to lure the victim into a false sense of security. [Utilities such as WinRAR, Internet Download Manager, and CCleaner have all been victimized in](https://blogs.blackberry.com/en/2018/10/whack-a-mole-the-impact-of-threat-intelligence-on-adversaries) the past to deliver the group’s malware. [The scope of their activities includes victims based across several continents, as seen in Figure 8](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html) below. ----- _Figure 8 - Countries targeted by StrongPity_ In June of 2020, Cisco’s Talos Intelligence reported mentiononecommon[.]com as a StrongPity C2 server. The domain also served three files related to StrongPity, one of which was the previously mentioned Trojanized version of the Internet Download Manager utility. **SHA256** **Filename** **c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5** Installer.exe **e843af007ac3f58e26d5427e537cdbddf33d118c79dfed831eee1ffcce474569** SecurityHost.exe **8844d234d9e18e29f01ff8f64db70274c02953276a2cd1a1a05d07e7e1feb55c** SecurityHost.exe _Table 4 - mentiononecommon[.]com StrongPity samples_ Furthermore, the domain mentiononecommon[.]com was registered to the email address timofei66[at]protonmail[.]com, which also has WHOIS registrant information pointing to Russia. While this is far from definitive evidence, it is certainly a notable similarity. **Type** **IOC** WHOIS Server whois.namecheap.com Registrar NameCheap, Inc. ----- Domain Status clientTransferProhibited Email **Timofei66[at]protonmail[.]com (registrant, admin, tech)** Name Timofei Solomin (registrant, admin, tech) Organization Street YU.gagarina, bld. 12/2, appt. 76 (registrant, admin, tech) City Ufa (registrant, admin, tech) State Respublika Bashkortostan (registrant, admin, tech) Postal Code 49875 (registrant, admin, tech) Country RUSSIAN FEDERATION (registrant, admin, tech) Phone 77347382066 (registrant, admin, tech) _Table 5 - mentiononecommon[.]com WHOIS registrant information_ ----- _Figure 9 - mentiononecommon[com] serving StrongPity binaries_ At this point, we started to suspect that MountLocker and StrongPity may have worked together in some capacity. This theory seemed unlikely, as their motivations did not appear to align. Despite the improbability of the hypothesis, we set out to see whether we could prove it, and we stumbled upon yet another curious find. ### Three Groups — Is That All? [Through a tweet from The DFIR Report, we saw that more ransomware was deployed from](https://twitter.com/pmelson/status/1290030989679329280?lang=en) supercombinating[.]com, but it was not MountLocker as we had seen previously. This time, Phobos [ransomware took its place, which we confirmed through the linked Any.Run sandbox report.](https://app.any.run/tasks/0e5e8db2-82fe-43e7-8450-485ecd0057f7/) ----- This raised more questions. Were MountLocker and Phobos possibly related? Were two different ransomware groups operating from the same infrastructure? Was this a delivery system? Was an IAB playing a part in all this? _Figure 10 – Tweet by Paul Melson re: Cobalt Strike Beacon relating to supercombinating[.]com_ _Figure 11 – Tweet by The DFIR Report re: Cobalt Strike Phobos deployment via_ _supercombinating[.]com_ [Phobos is a ransomware variant that was first seen in early 2019. It is thought to be based on the](https://blogs.blackberry.com/en/2021/09/threat-thursday-phobos-ransomware) Dharma ransomware family. Unlike a lot of other ransomware operators that cast for larger “whale”sized organizations, Phobos has been seen angling for small-to-medium-sized organizations [across a variety of industries, with its average ransom payment received being around $54,000 in](https://www.coveware.com/phobos-ransomware-payment) July of 2021. A possible insight as to why the authors chose the name for their ransomware is that Phobos was the god of fear in ancient Greek mythology. Few malware groups are so direct about the feeling they seem to want to instill in their victims ----- ### A Mysterious Fourth Group Emerges This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it, although it has happened before. [Back in June 2020, the Maze threat actor group added stolen files to its leak site. However, upon](https://www.bleepingcomputer.com/news/security/ransomware-gangs-team-up-to-form-extortion-cartel/) [visiting the leak site, the stolen data was actually provided by the LockBit threat actor group. When](https://blogs.blackberry.com/en/2021/08/threat-spotlight-lockbit-2-0-ransomware-takes-on-top-consulting-firm) Bleeping Computer reached out to Maze for more information regarding the implied partnership between them and LockBit, the Maze group replied with the following: "In a few days another group will emerge on our news website, we all see in this cooperation the _way leading to mutual beneficial outcome, for both actor groups and companies. Even more, they_ _use not only our platform to post the data of companies, but also our experience and reputation,_ _building the beneficial and solid future. We treat other groups as our partners, not as our_ _competitors. Organizational questions is [sic] behind every successful business.”_ In several instances, a delay was observed between an initial compromise using Cobalt Strike and further [ransomware being deployed. Based on these factors, we can infer that the infrastructure is](https://twitter.com/pmelson/status/1290037432264601600?s=20) not that of StrongPity, MountLocker, or Phobos, but of a fourth group that has facilitated the operations of the former three. This is either done by providing initial access, or by providing Infrastructure as a Service (IaaS). ### IABs: the Lowdown An IAB performs the first step in the kill chain of many attacks; this is to say they gain access into a victims' network through exploitation, phishing, or other means. _Figure 12 - IAB’s operation workflow_ Once they have established a foothold (i.e., a reliable backdoor into the victim network), they then list their access in underground forums on the dark web, advertising their wares in hopes of finding a prospective buyer. [The price for access ranges from as little as $25, going up to thousands of dollars. Typically, the](https://ke-la.com/kelas-100-over-100-september2020-in-network-access-sales/) more annual revenue that the target organization generates, the higher the price an IAB charges for “access.” ----- Upon successful sale agreement, the winning bidders will generally deploy their malware of choice. This can be anything from ransomware to infostealing malware, and everything in between. We believe that our three threat actors – MountLocker, Phobos and StrongPity, in this instance – sourced their access through these means. ### Additional IAB Infrastructure? We saw two new domains registered on July 21, 2021, both of which resolved to the same IP address of 87.120.37[.]120: ticket-one-two[.]com booking-sales[.]com _Figure 13 - IP resolution_ That is the same IP that trashborting[.]com resolved to, as well as lionarivv[.]us! ----- _Figure 14 - 87.120.37[.]120 reverse resolutions_ Ticket-one-two[.]com has not been used at the time of writing, however its counterpart, bookingsales[.]com, had served one specific item of note; a tiny, 13KB portable executable (PE) file that upon inspection proved to be a shellcode loader. This loader turned out to be loading a shellcode Cobalt Strike DNS stager, which is used to download a Cobalt Strike Beacon via DNS TXT records. ### Taking a Closer Look at the Loader/DNS Stager The shellcode loader expects a specific command-line argument in order to execute properly, which it hashes and then checks against the value 0xB6E35C. Fortunately, we can just patch a comparison and proceed without a match. The file then allocates RWX memory using VirtualAlloc, and then decodes data stored within the binary into memory, using a combination of subtraction and division operations – no special cryptography necessary here. _Figure 15 – Subtraction and division decoding loop_ The resulting data is a shellcode blob, which we can identify based on the initial bytes FC E8 89 00 00 00, a fairly typical opcode sequence for shellcode. ----- _Figure 16 - Resulting shellcode_ Disassembling the shellcode in the disassembly tool IDA, we can immediately identify a new domain that appears to be trying to masquerade as a DNS name-server: _Figure 17 - A new URL attempting to look like a name server_ We can also see what appear to be 4-byte hex values being pushed onto the stack before a call. This is indicative of Windows API import name hashing, a common technique to masquerade the loading of API calls from identification during analysis. This can be seen in Figure 20, where [C99CC96A is pushed onto the stack before a call to ebp.](https://practicalmalwareanalysis.com/2012/04/03/all-about-ebp/) We then see that it performs a DNS query on the URL using DnsQueryA. _Figure 18 - Using DnsQuery_A to query the website’s DNS records_ Once it receives a DNS response, it parses out the TXT Record from the DNS response and checks its length, as shown in Figure 19. ----- _Figure 19 - Extracting the TXT record length and data from the DnsQueryA result_ This behavior is typical of a DNS stager; it pulls down a later stage payload via the DNS TXT records, abusing the DNS protocol in an attempt to be stealthy. This is also why the domain name was set to masquerade as a DNS name server. When we look at the Cobalt Strike Malleable C2 documentation, we can see that the URL above in Figure 17 uses a strikingly similar domain in their example. For that reason, we believe this to be a Cobalt Strike DNS stager that will download a Cobalt Strike Beacon upon successful execution. _Figure 20 – A striking similarity to the Cobalt Strike DNS server example from the developer’s_ _documentation_ ### One More Thing, Before You Go! ----- Now that we ve seen the potential IAB group infrastructure in all its glory, do you notice anything about the IPs discussed here? All the domains mentioned in this paper at one time resolved to IPs that were provided by the same Bulgarian Autonomous System Numbers (ASN), which belongs to Neterra Ltd. This is not to say we believe the threat actor to be Bulgarian, but that all their infrastructure is hosted with one specific company. Furthermore, Neterra isn’t known to be a bulletproof hosting provider; it’s more likely that it’s being abused to facilitate this malicious activity. The fact that all these IPs are on the same ASN helps us bind together the theory that this is in fact all the work of one threat group, underpinning the operation of the groups it sells its access to. _Figure 21 - Bulgarian IP addresses on the same ASN_ ### Finding Beacons in the Dark For those of you interested, here’s a shameless plug for our new book “Finding Beacons in the _Dark: A Guide to Cyber Threat Intelligence,” which the BlackBerry Research & Threat Intelligence_ Team has lovingly crafted over the course of this year. In the book, we demonstrate our Cyber Threat Intelligence (CTI) lifecycle, and show how you can build your own automation system to hunt for threats. In this case, that threat would be the Cobalt Strike Team Server. We also give you an in-depth look at Beacon configuration and their Malleable C2 profiles, and reveal insights, trends, and discoveries from over 48,000 Beacons and 6,000 unique Team Servers. ----- In addition, we show you the power of intelligence correlation that can be gleaned from datasets such as these, including how it can be used to: Build profiles of threat actors Broaden knowledge of existing threat groups Track both ongoing and new threat actor campaigns The end result is that you can then: Provide actionable intelligence to SOC analysis, IR teams and investigators Reduce “alert fatigue” Improve threat detection Fine-tune security solutions and services ### Conclusions As is the case with many cyber investigations in today’s threat landscape, this journey began with the analysis of a Cobalt Strike Beacon and the data contained within its configuration. The presence of a single domain – trashborting[.]com – along with both its current and historical resolution information, led us to uncover links to many different campaigns and a new group that the BlackBerry Research & Intelligence Team named, and continues to track, as Zebra2104. This name stems from the use of initial access services that, as a byproduct, allow for threat actors to “hide in the herd.” One such campaign was the malspam infrastructure previously documented by Microsoft, which was seen to serve an assortment of malware – from ransomware to infostealers – and many more in between. This same infrastructure had also been observed waging a phishing campaign that targeted Australian entities, both in the governmental and private sector, in September of 2020. When we delved deeper, we found two sister domains that led us down further intelligence avenues, to ultimately identifying both a MountLocker and a Phobos intrusion from the same domain. We then identified another domain sharing a past IP resolution, linked to the StrongPity APT group by Talos Intelligence in June of 2020. With three seemingly unrelated threat groups using and sharing overlapping infrastructure, we asked ourselves the question, “What is the most plausible explanation for these peculiar links?” (Especially as these groups’ motives didn’t seem to align.) We concluded that this was not the work of the three groups together, but of a fourth player; an Initial Access Broker we dubbed Zebra2104, which provided the initial access into victim environments. The interlinking web of malicious infrastructure seen throughout this research has shown that, in a manner that mirrors the legitimate business world, cybercrime groups are in some cases run not unlike multinational organizations. They create partnerships and alliances to help advance their ----- goals. If anything, it is safe to assume that these threat group business partnerships are going to become even more prevalent in future. To counter this, it is only via the tracking, documenting, and sharing of intelligence in relation to these groups (and many more) that the wider security community can monitor and defend against them. This cooperation will continue to further our collective understanding of how cybercriminals operate. If the bad guys work together, so should we! ## About The BlackBerry Research & Intelligence Team The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve. Back -----