I’m under attack
Contact us
I’m under attack
CONTACT US

Lazarus Group’s Mata Framework Leveraged To Deploy TFlower Ransomware

Sygnia: Double extortion ransomware attack – threat actor leveraged an undocumented variant of MATA to distribute and execute the TFlower ransomware.

Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman and Boaz Wasserman
1 August 2021
CONTENTS

Over the past few years, North Korea has turned its offensive cyber operations into a major source of income. On February 17, 2021, the US Department of Justice (DoJ) has indicted additional three North Korean (DPRK) military Reconnaissance General Bureau (RGB) personnel, with participating in a cyber-attacks that has allegedly  included destructive cyber-attacks and the theft and extortion of over USD1.3bn.

The charges filed relate to Lazarus Group’s (also known as Hidden Cobra) long-running cyber apparatus, financial theft and extortion, including multiple extortion schemes, WannaCry malware and the cyber-attack on Sony Pictures. A key technical component associated with Lazarus is the MATA malware framework, an advanced cross-platform malware framework, which was reported by Kaspersky on July 22, 2020, and by Netlab on December 19, 2019.

In a recent double extortion ransomware attack investigated by Sygnia, the threat actor leveraged a new and so far undocumented variant of MATA. This MATA variant was used by the threat actor to distribute and execute the TFlower ransomware.

When put together, the Netlab and Kaspersky publications along with the recent Sygnia findings, the new research indicates a connection or collaboration between the Lazarus Group and TFlower. While the nature of this collaboration is not yet clear and needs to be further validated, it may reflect the continues effort by North Korea to scale its cyber extortion business, as a major source  for currency generation, including by collaborating with additional crime entities, creating such entities, “outsourcing” of capabilities, or selling of offensive tools to other groups.

This report details the connection between the North Korean MATA framework and TFlower, as well as the anatomy of the MATA backdoor and a wider threat research which revealed over 200 MATA malware framework C2 certificates leveraged since May of 2019 across over 150 IP addresses. The report also includes recommendation on detection and defending against MATA framework attacks.

The key findings in this report

1. TFlower leverages or has ties to the MATA malware framework

The MATA backdoor was leveraged to deploy the TFlower ransomware. The threat group consistently referred to themselves as the “TFlower group”.

2. The MATA malware framework is active and widespread

Since at least May of 2019, MATA operators have continuously utilized new servers, with over 150 IPs linked to the frameworks’ C2. The analysis indicates that the group has possibly deployed over 150 command and control servers over time, with the latest one identified on February 4, 2021.

3. The threat actor is highly capable and implements systematic detection evasion techniques

Throughout the attack, the threat actor leveraged multiple tools including the MATA backdoor to systematically clear forensic evidence and attempt to evade detection by identifying and tampering with security products.

Anatomy of the mata backdoor and infrastructure

The Backdoor

The MATA backdoor consists of three file components: .EXE, .DLL and .DAT files, deployed in the “C:\Windows\System32” directory. All file names and hashes are unique per infected host indicating automatically generated polymorphic malware. The components are as follows:

1. Initial loader (EXE) — The malware is initially loaded by a .EXE file, which upon execution injects the .DLL loader component into an ‘svchost.exe’ process and modifies the LSA Security Package registry key to achieve persistence.

2. Loader (DLL) — The loader decrypts and executes the payload component stored in the .DAT file. It is loaded by ‘lsass.exe’ upon reboot to achieve persistence.

3. Payload (DAT) — The payload is an encrypted binary .DAT file which implements the backdoor functionality.

Once deployed, the backdoor provides the threat actor with remote code execution capability on infected machines via C2 servers. Additional functionality includes screen capture and network traffic tunneling.

Execution flow

The backdoor is deployed by executing the initial loader with the .DLL and .DAT file paths as arguments, injecting the .DLL file into ‘svchost.exe’ and loading the .DAT payload. The initial loader’s file name consists of 5 alphabetic characters, randomly generated on each of the machines (‘[A-Za-z]{5}\.exe’).

Upon execution, the initial loader modifies the following registry value in order to achieve persistency: “HKLM\SYSTEM\ CurrentControlSet\Control\Lsa\Security Packages”. The value modified is part of a Windows API called ‘Security Support Provider’ (SSP), which is used to extend the Windows authentication mechanism. After adding a .DLL stored in System32 to the ‘Security Packages’ value, ‘lsass.exe’ will automatically load the .DLL component on system startup or the next time the AddSecurityPackage Windows API function is called.

The file name of the .DLL consists of six alphabetic characters, the middle two being “nm” matching the following pattern: ‘[A-Za-z]{2}nm[A-Za-z]{2}\.dll’. Similar to the .EXE component, the name is unique on each of the infected machines. The .DLL itself implements limited functionality, and its main purpose is decrypting, loading and executing the final payload stored in the .DAT file.

The final payload stored in the .DAT file is a fully functional backdoor, establishing a command and control channel to the threat actors’ servers. Similarly to the other components, its name was unique on each of the infected machines and followed a specific pattern: ‘srms-[A-Za-z]{3}[0-9]{4,5}\.dat’.

Execution Flow: From initial execution to persistence mechanism.

Command and control infrastructure

Each of the samples identified by the Sygnia Incident Response team attempted to communicate to three command and control servers over SSL using port 443. The C2 servers were found in an encrypted binary configuration blob hardcoded into the .DAT payload. Each of the servers hosted a unique certificate, self-signed by the threat actor. Although the certificates on each of the servers were unique, they all shared similar technical features:

  1. Randomly generated, long Common Name.
  2. The usage of three capital letters followed by ‘Co .Ltd’ in the Organization (O) and Organization Unit (OU) fields of both issuer and subject.
  3. Certificate serial number – 1000.
  4. The “Validity: Not Before” timestamps of certificates tied to the same sample, are in close time proximity to one another. The “Validity: Not Before” timestamps represent the start of the certificate validity period.
Certificate Details: Example of malicious MATA C2 certificate
Certificate Details: Example of malicious MATA C2 certificate

The certificate “Validity: Not Before” timestamp is especially interesting, because the samples were first deployed in the network just several hours after the “Validity: Not Before” timestamp of their corresponding certificates. This could indicate that C2 servers are dynamically deployed for a specific operation, and the certificates are issued accordingly.

To further validate the ties between the MATA framework and the suspicious certificates, we attempted to tie other confirmed command and control servers to similar certificates. Out of 20 IPs found across 8 samples found in online repositories, 18 were confirmed to have historically hosted certificates with similar patterns.

MATA Samples: Relations between MATA samples and the identified certificates
MATA Samples: Relations between MATA samples and the identified certificates

Using the unique certificate patterns, Sygnia identified over 200 certificates and over 130 IP addresses affiliated with the MATA framework, starting as early as 2019.

Further analysis identified that as of June, 2020 the threat actor slightly modified the self-signed certificates pattern. Specifically, the following was changed:

  1. Organization (O) and Organization Unit (OU) fields of both issuer and subject were changed to five random uppercase alphabetical characters instead of three.
  2. Legitimate Common Name values such as ‘google.com’, ‘qq.com’ and ‘reddit.com’ were used instead of the random strings previously used.

At the time of publication, the latest certificates found were issued on February 4, 2021. The large number of certificates and C2 servers deployed over such a prolonged period of time suggests a well-resourced group with robust operational capabilities, likely attacking multiple targets simultaneously.

Relation to the mata malware framework and attribution

The backdoor and its infrastructure share significant attributes with the MATA malware framework:

  • Over 95% of the functions in the .DLL loader component identified by Sygnia match functions in the MATA malware framework loader identified by Kaspersky, indicating they are closely related.
  • The .DAT payload component identified by Sygnia writes its encrypted configuration to a registry key with a naming pattern of “HKLM\Software\Microsoft\[A-Za-z]{3}Net”. The orchestrator instances identified by Kaspersky save their configuration in a registry key with the same naming convention. The unencrypted configuration contains similar data to that mentioned in the Kaspersky report.
  • The same SSL certificate pattern described above was also identified in SSL certificates served by 21 out of 31 MATA framework C2 IP addresses found within MATA framework malware samples reported by Netlab and Kaspersky.
  • Certificates for IPs embedded in samples identified by Netlab and Kaspersky were issued within a short timeframe. This indicates the C2 servers for each of the samples were deployed together. The same behavior was observed in the samples identified by Sygnia.

Several other vendors, including Kaspersky and Netlab, linked the MATA framework to the Lazarus group, a threat actor affiliated with the North Korean government.

The MATA certificates “Validity: Not Before” timestamps are potentially indicative of the threat actor’s work week, Monday to Saturday, as no certificates were issued on Sunday. Furthermore, no certificates were issued between 16:00 to 22:00 UTC, correlating with nighttime in UTC +9 or UTC +8 time zones. The vast majority of certificates were issued during working hours in the abovementioned time zones, suggesting the threat actor is most likely operating from East-Asia.

A histogram of certificates’ “Validity: Not Before” timestamps: showing the total number of certificates issued by hour in the day in a UTC+9 time zone.

Tflower ties to the MATA malware framework

The TFlower ransomware campaign was covered by several technology news websites between September and November of 2019. However, since then very little information has been made public about the ransomware group or its operations.

In a recent TFlower ransomware case investigated by Sygnia, the threat actors had already removed all instances of the ransomware executable and it could not be recovered for reverse engineering. Nevertheless, forensic analysis performed identified several technical indications linking the encryption with the TFlower group with high certainty.

Analysis of the encrypted machines identified that the ransomware executable was deployed and executed using the MATA backdoor. Specifically, the path to the ransomware executable was found within the MATA backdoor memory space on encrypted machines. This raises the possibility that the Lazarus Group, which is largely affiliated with the North Korean government, is either the group behind TFlower or has some level of collaboration with it.

Alternatively, and although there are significant similarities to the TFlower ransomware, it is still possible that the threat actor was only masquerading as the TFlower group.

The ransomware encrypted files throughout the filesystem, without appending any special file extension. The “*TFlower” string was prepended to the encrypted files.
The ransom note left on the machines affected by the ransomware was named “!Notice!.txt”. The ransom note itself is identical to ransom notes identified in previous TFlower attacks.

Defending against mata framework attacks

The research into MATA framework operations was done primarily in the service of preventing future attacks. Our understanding of the threat actors behind these malicious operations reveals a large dynamic operation which can prove difficult to contain or easily detect.

The following are specific tactical recommendations which compliment more general security measures that can protect against these types of an attacks:

  • Configure Process Protected Light (PPL) protection to prevent non-digitally signed LSA plugins to be loaded into the lsass.exe process.
  • Proactively hunt for MATA malware framework IOCs and TTPs within the network, based on the MITRE ATT&CK breakdown and IOC provided below, with emphasis on the following:
  • SSL traffic containing a self-signed certificate with the attributes described in the report.
  • Outbound network communications towards the internet originating from the lsass.exe process
  • Monitor for disabling of security products and log source tampering.

Indicators of compromise

Registry values (regular expressions)

– Registry Key: “HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net”

  • Registry Value Name: (default)
  • Registry Value Type: “REG_BINARY”
  • Registry Value Data: encrypted binary data

– Registry Key: “HKLM\\System\\CurrentControlSet\\control\\LSA”

  • Registry Value Name: “Security Packages”
  • Registry Value Type: “REG_MULTI_SZ”
  • Registry Value Data: “[A-Za-z]{2}nm[A-Za-z]{2}”

File names (regular expressions)

– .EXE file component – “C:\\Windows\\System32\\[A-Za-z]{5}\.exe”

  • Highly susceptible to false positives

– .DLL file component – “C:\\Windows\\System32\\[A-Za-z]{2}nm[A-Za-z]{2}\.dll”

– .DAT file component – “C:\\Windows\\System32\\srms\-[A-Za-z]{3}\d+\.dat”

Files referenced in the report (md5)

  • cef99063e85af8b065de0ffa9d26cb03
  • 6de65fc57a4428ad7e262e980a7f6cc7
  • 8910bdaaa6d3d40e9f60523d3a34f914
  • bea49839390e4f1eb3cb38d0fcaf897e
  • 80c0efb9e129f7f9b05a783df6959812
  • 403ad5ef66f3932e548e29e1b6a2cb4f
  • f05437d510287448325bac98a1378de1
  • 22a968beda8a033eb31ae175b7e0a937

C2 server certificates

Search:

 IPCommon Name “Validity: Not Before” Timestamp Organization Org. Unit Serial  SHA1
198.180.198.6vurrsaw.io2019-05-08T14:47:45ZOVL Co. LtdIDQ Co. Ltd10004fddb38848d0a3043d173653ee5d65a034fa5261
64.188.21.141hnhxuapx.com2019-05-08T15:02:01ZWRK Co. LtdSVA Co. Ltd10004e8c2bbdac96d4df6555df6f219e2a19e4d63046
96.44.130.126hcsqwnya.com2019-05-08T15:04:25ZDKT Co. LtdMAO Co. Ltd100064b628db142ee03dc99f498bc3de017dd1f96ace
173.44.48.241qtwxcvh.net2019-05-08T15:06:18ZKIJ Co. LtdHVO Co. Ltd100090a6731fcc1bf18eb47db4a2b8e09a1a4157ea27
103.63.2.209uwmujaweipw.org2019-05-08T15:13:25ZNPP Co. LtdJKW Co. Ltd100061ebfbf45dd7360811b8fd1be367cd714d3bf1b3
180.235.135.216bkhboekbadgl.com2019-05-08T15:15:22ZFRK Co. LtdOET Co. Ltd100091d4c3ed4336b4898be1825f8769356e1d94042c
104.143.37.87ojpgynfdl.com2019-05-08T15:17:38ZQYZ Co. LtdTFJ Co. Ltd1000e9f88241ead0a454c5405de92071f5b4cb3e36e9
103.63.2.211uprdhgfk.org2019-05-08T23:34:51ZMFO Co. LtdRRJ Co. Ltd1000c1b5e79e754de08d680beeb5cacee9603c62b677
103.63.2.184zgvjwjuhvfwdcjme.xyz2019-05-08T23:36:37ZKMT Co. LtdMZX Co. Ltd100078cb2ff0073f15c6f70f8fb5c2aa6360b9a3e958
103.214.147.40birtukgzz.io2019-05-11T00:10:59ZBMC Co. LtdEJV Co. Ltd10009b3efb423d54fc96e8b5565262ffc5dbda0e72fe
23.227.196.5psldvwtsnzvfb.org2019-05-11T00:12:03ZZID Co. LtdDAZ Co. Ltd1000b4042f03686336d130527aea3d4e8e66f1c29131
46.21.153.87owxdawjfqueu.xyz2019-05-11T00:12:27ZRZF Co. LtdWSR Co. Ltd10000a3c2caa5332916025311cc7bd8eabd7b8dcb4f6
66.70.153.86loerteademmexwga.xyz2019-05-11T00:12:49ZFHE Co. LtdIII Co. Ltd1000ac9645de8cfc41c88bf313833f9933480f0cf69f
23.227.199.53isqpeydiqi.io2019-05-18T06:27:03ZWSA Co. LtdVNT Co. Ltd10006ee218365ec9ff17eb0cdb460e050d8c612244c7
23.254.119.12kepktvwdzlqogsj.io2019-05-18T06:27:21ZAVW Co. LtdWIN Co. Ltd1000b138f782e23bc07d239005cd9685441657ae3406
209.90.234.34bnpnfvydxpw.xyz2019-05-18T06:27:40ZKOK Co. LtdAAN Co. Ltd1000e9321bdc979ae55a60e677c9ea8e0e17f0e722de
104.219.237.202tpvccdrqlwft.io2019-06-10T00:24:51ZMGA Co. LtdBTH Co. Ltd10008384997d8a807c34a15a81c3eeb58560de2816b0
107.172.57.13nolrfot.net2019-06-10T13:45:34ZKTB Co. LtdIIS Co. Ltd1000fde0767ca94148a1beaf3e3184b919631f38b5c9
108.177.235.110doywvaaqdhmtvm.io2019-06-13T08:10:38ZSCB Co. LtdKUA Co. Ltd10007faf0d0f46ea2698b88daea588775b744fd95cd4
23.95.67.143cshveloxce.xyz2019-07-01T03:09:46ZBUR Co. LtdVGA Co. Ltd10009f71d3a47cba2dacff5da07e60177d9e0b54439e
84.234.96.130coejlawmj.net2019-07-01T03:10:19ZINK Co. LtdTRK Co. Ltd100045f2465cc4d8157e41c487dd8e8b0122e132032c
172.93.201.204vflwshpmrha.com2019-07-01T03:10:42ZYWX Co. LtdMFA Co. Ltd10007c1ce4cb7776cad28500630d814e08619b665c66
103.214.147.139ogzphnvhgqfpqmlm.org2019-07-02T00:22:01ZJWA Co. LtdOHC Co. Ltd1000bfde0d8d8c1303b6cc661a6bc269fd222292d170
64.188.19.117gchcboujclol.xyz2019-07-30T06:58:25ZLHL Co. LtdYTF Co. Ltd1000fb2f3ffd2ac88dd62876159d155ba717c139cf11
37.72.175.179ojtkkwtzjggvz.xyz2019-07-30T06:58:47ZEJW Co. LtdRYT Co. Ltd1000471e268f24b938c8bdaa6479696066c435b14ceb
23.81.246.179gcjxswezjbdy.io2019-07-30T07:02:19ZXHQ Co. LtdOWZ Co. Ltd1000c39fa61ef4210f6726fb2b8f775baa3efe655c67
149.255.35.15jgybtvupucgvyjo.com2019-07-31T06:22:39ZRBJ Co. LtdPIL Co. Ltd1000eb847b373aa9284a2207800bf3b0c7a4a4ed999c
104.143.37.55ssmdtwssyz.xyz2019-07-31T06:32:31ZLVV Co. LtdZQU Co. Ltd100045f62d44f95a2b520b9542209c9394678de084f1
107.172.210.172paodrrdwyyfj.org2019-08-01T04:33:32ZPVP Co. LtdQIR Co. Ltd100066209d6585aa2ad80b71a20309b19f5f0f2f102b
45.122.138.130tejghhnxpbppafs.net2019-08-06T07:45:16ZCCO Co. LtdHFQ Co. Ltd1000ed96ea65fc7d34ed0a782788382e167bc7123d14
172.81.130.214grlixnjkvtdtnvsc.io2019-08-06T07:45:38ZMYD Co. LtdXOR Co. Ltd100015c96db7785d5e6866e2dc041b6ce98f136c47b6
104.143.37.54izddauvlslqm.net2019-08-07T08:00:13ZAIZ Co. LtdQZA Co. Ltd1000a64b42eefc9b08ac06b5fb40ec4a3a8a76800c3f
23.106.223.194qgcrjrsxs.net2019-08-07T08:15:14ZGNL Co. LtdUPF Co. Ltd10005360a98e4282da4206d35e840df8cf33cd9e965f
167.114.56.231mgrvnwtaqrzsdrv.org2019-08-08T01:19:52ZOVL Co. LtdGGJ Co. Ltd10007c08dc40e773bc4b8cc9b407777769822c20dfed
107.172.83.139ctrbxoxyh.io2019-08-08T01:24:20ZSDO Co. LtdCIB Co. Ltd10000b189512af2b498fac0bdce31c386d2b6c55fc97
216.45.54.11mwqvqgquzknal.com2019-08-08T01:24:47ZSBY Co. LtdRET Co. Ltd10001d5f886442d231b10fe68894d74bec4bfdcdfe5f
193.29.187.46krcasfshnmwu.io2019-08-09T13:44:14ZFIY Co. LtdMRT Co. Ltd1000c7137530011eb2d0fcaba4f14ba695e4b9c65f25
104.227.244.140gklkvcefc.xyz2019-08-10T02:11:10ZTIU Co. LtdCGP Co. Ltd1000d44c7ed99abd47db577fbfd10d8018b6301f22a2
111.90.151.30wuonxoqii.xyz2019-08-10T02:24:38ZHFQ Co. LtdBXJ Co. Ltd1000f84213fd940f019505e58a79218b9a17543fa3e4
103.16.229.232lymhmczmdsbxsryi.io2019-08-23T13:20:06ZXLP Co. LtdCTB Co. Ltd1000cad779915537cfed7c37abf5b143be793c9db6f2
185.136.163.171zaqxdbmudwzbl.xyz2019-08-24T03:53:29ZEYF Co. LtdUFF Co. Ltd10005d0dc50f102bc9ced23e05f53b4b5e83f7dcdb60
54.38.11.132zcclzrwtysvclql.com2019-08-26T02:27:33ZCSJ Co. LtdWKN Co. Ltd100055207654884899dece889e452697492e66a2664f
51.38.234.8, 103.16.229.233, 37.72.175.135eavqdrkdt.net2019-08-30T03:46:47ZAYT Co. LtdDCI Co. Ltd1000caec7c0a802e4de75a671327a9a68a2a7e55936d
23.227.199.21, 95.174.65.244qwxniwspl.io2019-09-03T00:56:01ZPVP Co. LtdNEN Co. Ltd1000a4463133c2ec834d92f513c9724afdf15b6003dd
23.227.196.116kchinrxificfl.xyz2019-09-20T09:31:27ZBMB Co. LtdRLC Co. Ltd10008730613623c457bb19f72acc27b06b509658367d
74.121.190.121qxyyyexemohemmil.com2019-09-20T13:43:28ZZZC Co. LtdUOH Co. Ltd10003ce1f8ace1a954a28d9ad7c45624cbab78dd4ce1
192.210.213.178mevgtruvd.com2019-09-20T13:47:08ZEML Co. LtdPKM Co. Ltd1000febb999755a880203e8452fd5ba57d9ae68f6604
69.61.74.29nkirlyzy.io2019-09-30T00:38:09ZLLN Co. LtdLYG Co. Ltd1000d18ff190c769cf2bcf32a5b0237af02fdc2d646d
172.93.189.77yduyyoxu.io2020-02-12T00:09:54ZTJB Co. LtdBKQ Co. Ltd10000d5cab6893e98032518d7faf962197daf4cd00e6
69.12.84.100pqzajmdqhv.com2020-02-19T11:04:18ZHLR Co. LtdIVP Co. Ltd1000249d865fe438695d5872191e17c4bbd48af1e2a9
108.177.235.217xvoomesesmxiysfs.io2020-02-19T11:36:19ZDWV Co. LtdLZW Co. Ltd100019b6ad2fdf309c1090c772e8e245a92abd7317e7
104.168.62.33ceagmjgpkkoohis.io2020-02-19T12:46:59ZDRU Co. LtdFUN Co. Ltd10003e7fdd91198b48f0eae86f51ab845e7974dd454e
216.189.145.107lzmaahdnkcy.net2020-02-19T12:47:19ZWGE Co. LtdUOH Co. Ltd1000399040a20e3891f1332e82e7912087402e005466
192.169.6.12mxiiemkadyx.xyz2020-02-19T12:48:00ZISQ Co. LtdLXK Co. Ltd10004ffbc2b68bd9eaeb7d3fd5c41a01eb10e3520977
104.219.237.210ijlzzyuqtwvgzm.io2020-02-19T12:57:15ZMZN Co. LtdMDP Co. Ltd10008660990c02e30933a6484e6aab83a4bf4ef02503
149.255.35.25zeyftccfvta.xyz2020-02-20T02:10:13ZGAK Co. LtdLWI Co. Ltd1000a7fcd5d5c2c57fd8a63f202a190aef60abd2ccbf
172.93.184.62cncvphssdmswy.io2020-02-20T02:30:56ZFTP Co. LtdUZX Co. Ltd100088093735c7abdbeef298862a0dd33dcca10baa4f
23.227.199.69hjnusrcxfsx.net2020-02-20T02:37:14ZDYH Co. LtdBGK Co. Ltd1000cae2fe70b7f98e4b3039298426d7d7528a7ecc8e
104.232.71.7oaekzlcss.io2020-02-20T02:59:24ZMKT Co. LtdJJH Co. Ltd1000a151b18c72f9833e8acae989e287ac787b89926a
216.189.145.108msutdedouhrvlipw.com2020-02-20T05:46:46ZHUY Co. LtdRQR Co. Ltd1000304261dcb04ce0fdd936b2da689d7393abf67154
111.90.148.22zxaqjnoq.com2020-02-20T05:57:14ZYRX Co. LtdKFT Co. Ltd100014772f979839e3edab5cae9b7de4ac93d6fef9c8
23.108.57.232rbhllcdq.com2020-02-20T07:10:56ZINK Co. LtdMDW Co. Ltd1000c768b27d57e658efd6e7ccef988e57334289acf1
37.72.175.196sonhmvsyqtj.com2020-02-21T02:38:37ZJPF Co. LtdRIO Co. Ltd10006e55d351c22a077ce3057da3b64b453fae650b1a
107.175.127.234vtjmxqzyjdnfr.com2020-02-21T02:39:04ZEVQ Co. LtdKQA Co. Ltd10008fdf10dd4f32dd546594343f339d37eb41ccc3a0
185.62.56.107puqzedk.org2020-02-24T01:00:54ZHGJ Co. LtdRRB Co. Ltd1000b6aff0910dae32ccd83363f314fc9eddccacdd6d
172.93.220.108mlntnbeikyak.io2020-03-04T06:59:53ZZCO Co. LtdGNF Co. Ltd100073e580ef0d8bcc4b9102894d66b902a9a52ed30c
209.127.18.108kjjceey.com2020-03-20T00:14:15ZIHV Co. LtdDRU Co. Ltd100076f753e777c8ed6ee3de12fd4a6be829f3ad1bd2
172.93.220.56xvilcubqyxvpb.net2020-03-20T00:28:03ZGUW Co. LtdVSV Co. Ltd10008901a2243f441855864852c9ffc5693ad4973043
23.82.141.172yfbfgjwuxj.xyz2020-03-20T00:39:22ZUKE Co. LtdDTE Co. Ltd1000acc8172dea21a5684f0cdfa48974c70648936402
111.90.146.128wswlmnrhscgj.com2020-03-20T06:59:12ZHKQ Co. LtdSCD Co. Ltd100002c646ec8b88dcdc381b3ce1449fd19ee58f4202
185.62.58.207bvwaewachdyzpb.org2020-03-20T23:48:59ZVRZ Co. LtdJPO Co. Ltd1000e602553c2ac94f007afce32aef47e5b3fcc94177
67.43.239.146uxusbtddbwgsz.org2020-03-21T05:44:21ZJLR Co. LtdZHL Co. Ltd10002cbbf4952add12302caab5be0840f8471b06f2e6
104.143.36.33zyfaywwrmxup.org2020-03-23T00:11:04ZGRE Co. LtdFLD Co. Ltd1000927eea1b33cfe8c00695130698db09f8845bf483
172.93.188.47adehikjeb.net2020-04-09T01:39:35ZFVL Co. LtdRJS Co. Ltd1000e12c332b4f0e11b0de8e80e993d5e02b9c2bfc84
185.62.56.106blrewrclad.net2020-04-09T08:23:39ZFYV Co. LtdSCR Co. Ltd100091e4a8f0176a0b2bd4fa116d599ae34997592f16
67.43.239.181duiywos.xyz2020-04-09T08:32:31ZHFD Co. LtdOGA Co. Ltd1000827b83175168959baa5abbe2ab28e0107309f00b
103.214.147.39rcvhlergjktdrh.io2020-04-10T08:04:25ZGNS Co. LtdCAO Co. Ltd1000128b37f254e92e2d91f9a7b53cfbeed5428ccd1e
172.93.188.62gqaoxbpozicjt.xyz2020-04-11T00:05:22ZTVH Co. LtdFNX Co. Ltd10000547a8718765b8e8338dd0ea7a6d943b2f38c232
107.175.172.129wcdqdwte.com2020-04-20T05:51:18ZGTN Co. LtdAYN Co. Ltd10008b41da1b919fafcbb6003ff1fdb69dcd6061ff05
104.217.163.61adokqkcduaguzmq.org2020-04-20T08:45:48ZIYX Co. LtdLVC Co. Ltd100099a79ad26ac0c9a96c8ae0153d2e9d0e67c7048d
37.72.168.228obptezoyre.com2020-04-20T09:50:22ZPRY Co. LtdSNJ Co. Ltd100092c50351b2fa5982f2a080aac80624f7f0254836
69.30.240.60huqgniblte.com2020-04-21T06:27:17ZWIP Co. LtdEHG Co. Ltd100074e2bc16b2eb69669ef202a3afecd8338e59e5db
64.188.26.168kudmgivpvuejmgog.io2020-04-21T06:35:15ZNBM Co. LtdUBE Co. Ltd1000f651db5f19216d2a036f7c400b386f0bfa36c24c
172.93.189.176empttzk.org2020-05-06T00:25:34ZDCT Co. LtdBBJ Co. Ltd1000c001c42aba2d922ca044d43a0b081e0ab72a2a52
185.62.56.47nrkzktvgeoergf.net2020-05-26T00:06:31ZEXO Co. LtdHTD Co. Ltd10007b66a217fcf61df2fe30a944feca704bdeea0775
104.200.67.160efqajqygqvo.io2020-05-26T00:06:48ZIRL Co. LtdYAZ Co. Ltd10001290181d055156147eeb179457e15001003786bb
103.214.147.138pqvrtrikotcz.net2020-05-26T00:38:29ZSBG Co. LtdKJT Co. Ltd1000fe6615d6e40d45524ff32534c45c32890931945d
96.9.210.193jbqkxbwfqpmxf.net2020-05-26T23:38:08ZKRW Co. LtdGST Co. Ltd1000169584fe26f50c8b0f37924da283c94066d9236c
172.93.165.49ykkywgzfjpf.io2020-06-08T06:27:46ZLIO Co. LtdVLP Co. Ltd100019fd3b8a96452ba9a1ca1a41eaa1df4d4c38d4fb
107.172.30.141mlgemilyaaxztct.net2020-06-08T23:44:21ZCOF Co. LtdJUK Co. Ltd100095038b25dcb22160a39d1c889f3d9cf3e4fbe9e7
23.81.246.107ffjdolvvxagjqn.com2020-06-08T23:53:35ZWNQ Co. LtdZIZ Co. Ltd10001899971acdc871d1161824b69cfb565f0f7e15de
172.87.222.6znjpebeqb.org2020-06-09T01:25:22ZXAD Co. LtdUXJ Co. Ltd1000994bd84833827c17754a922957c349f3316bb616
104.223.79.148w3.org2020-06-18T06:44:44ZIMH Co. LtdYZQ Co. Ltd100038fce40e0e6c028ac905a47123fcd5c0f4bbe1a2
104.232.98.4schema.org2020-06-18T06:47:10ZXPK Co. LtdOQO Co. Ltd10002b3e68a625a88fffb50bc08083580cf07df1d7b1
108.170.13.91launchpadlibrarian.net2020-06-18T06:47:42ZSRR Co. LtdYWY Co. Ltd10007993ab274ba47b8a312859761ca5bc156a985c29
192.111.149.132google.com2020-06-18T07:15:58ZZETIK Co. LtdJBXMI Co. Ltd10008fab75e9930a614b80ae83c99c048b6ed14f886d
192.227.248.173tmall.com2020-06-18T07:17:02ZBWJWM Co. LtdUMDGH Co. Ltd1000a3f893a132566f84d43a65c864d8b753ea973ac8
172.93.187.203qq.com2020-06-18T07:17:37ZHSWMV Co. LtdAXWPM Co. Ltd1000486431e2d9024c44fde0cbcbd50e579395945f1e
23.82.141.50baidu.com2020-06-18T23:53:21ZSQDLR Co. LtdSLZJO Co. Ltd1000e46da2ddb96d4d712f0837595b114ea315d49ac4
173.209.43.7sohu.com2020-06-19T00:17:43ZOIBDB Co. LtdAUZIC Co. Ltd100057bbceafe392c51480ecdc8854d1a177da0798c7
172.93.165.195login.tmall.com2020-06-19T03:30:12ZRKVLG Co. LtdUYNCH Co. Ltd1000320dd14d32cba4ce25521a83912cbe78f78d5542
104.232.98.18a104.232.98.18.deploy.static.akamaitechnologies.com2020-07-11T02:31:34ZGTB Co. LtdUXQ Co. Ltd1000471756a047748e931e0c21060014e885763e7643
149.255.35.19a149.255.35.19.deploy.static.akamaitechnologies.com2020-07-11T02:35:04ZCOM Co. LtdRPW Co. Ltd1000eb64df15cb2ca5e6fca6f3e809920a21a3115be0
111.90.146.88a111.90.146.88.deploy.static.akamaitechnologies.com2020-07-11T02:38:27ZIMN Co. LtdTSB Co. Ltd10004d1a23a6d25dbb4d37dcf379103a0922a1059383
104.227.235.12ubuntu.mirror.digitalpacific.com.au2020-07-13T06:15:19ZCEV Co. LtdHIE Co. Ltd10003c822a64fdef9fd200dc4ad7446e73d9225b6658
108.177.235.244mirror.aarnet.edu.au2020-07-13T06:16:44ZHEJ Co. LtdCXD Co. Ltd100083cfb13531f9a8a81ea96070fde9d8792586b2e2
192.210.213.111mirror.waia.asn.au2020-07-13T06:18:31ZLSA Co. LtdQTL Co. Ltd100019a02f2453b15df76ecd1e798b6530809e9ae158
63.141.234.106live.com2020-07-30T01:56:36ZYQHXF Co. LtdRFMQT Co. Ltd1000b2ee5568161b0876ab280a267eb51450037b7fd2
45.128.156.27reddit.com2020-07-30T01:57:33ZAADTE Co. LtdOPGDQ Co. Ltd100088773b940710b631a44435e7dd56d3cc6296c1d5
101.99.91.178ubuntu.melbourneitmirror.net2020-07-30T02:07:09ZDFJ Co. LtdNYB Co. Ltd1000dbe39ba1d753f1a0a027db968533b864c98c9cd9
173.254.204.68ubuntu.mirror.datamossa.io2020-07-30T02:08:19ZGQW Co. LtdGUI Co. Ltd10009df88128e675307d2741adb0a1b128b03beee886
111.90.138.218netflix.com2020-08-06T09:02:26ZVFWBR Co. LtdRTXGR Co. Ltd100003532ad6ed73f731f0380afc1854bdffe2880844
89.45.4.247xinhuanet.com2020-08-06T09:04:00ZNUAXE Co. LtdJDOTY Co. Ltd1000519ad7e0cea23556b598fcee6d333d835da001c1
104.232.98.19vk.com2020-08-06T09:04:53ZLCMBK Co. LtdAMJUR Co. Ltd10009e984ad780434af458223347620a185c99dc89f6
193.34.167.10okezone.com2020-08-06T10:24:30ZRCVKL Co. LtdBWRNV Co. Ltd1000f2070d2c6aedc6ac0b5ae8e1a151d2a69b5823ac
107.173.28.8csdn.net2020-08-06T10:25:30ZOKCOV Co. LtdJRVNW Co. Ltd100006dbfb0ba7f155e40d73ece9d8a76e26da210e27
204.12.225.21myshopify.com2020-08-06T10:26:26ZOOWSC Co. LtdDTJHT Co. Ltd10008c73fd5aa03b925988227d70c67a64745fa60f3f
103.15.28.243instagram.com2020-08-10T14:31:12ZHUTEV Co. LtdHSSYX Co. Ltd1000f60cb35c79241267f1eac4bbc20a22cc92e0cecb
64.188.26.168mirror.intergrid.com.au2020-08-17T07:14:05ZLMT Co. LtdYEJ Co. Ltd1000412903b69697ad696b8789e2a2c2156f349d7a61
69.30.240.60mirror.internode.on.net2020-08-17T07:16:12ZJEO Co. LtdXXL Co. Ltd1000fd4904bfd24de6da6be7c04c1f5dd7f7e96a43c8
144.217.41.76alipay.com2020-08-17T08:44:46ZJYRPP Co. LtdSESTG Co. Ltd1000eca6dbf704151283a21aaaa1f6fa9e4990012e13
103.16.229.232mirror.launtel.net.au2020-08-20T12:18:09ZAYG Co. LtdZYH Co. Ltd10000e32a40bb83fec79614b07ddc4a1d1143be761db
107.152.213.117mirror.netspace.net.au2020-08-21T00:45:04ZLDV Co. LtdYGO Co. Ltd100019d8925e334d4116f4e93a0f424a1a1907f67f59
104.232.98.17mirror.overthewire.com.au2020-08-21T03:34:54ZFAM Co. LtdEAW Co. Ltd10001aab7a644e2de9b545e526eee7accc2d5e12c76b
172.93.178.108mirror.realcompute.io2020-08-21T03:36:10ZGIF Co. LtdMVR Co. Ltd100091cc94e09af78085095bdf0d6fee78e24976150e
172.87.222.3yqeifkv.io2020-08-31T06:51:03ZTBD Co. LtdSBQ Co. Ltd1000cc2f66f648430deb60a11a1c74c45a6ee8349907
23.94.139.92yqpbbyoize.com2020-08-31T06:51:58ZVFQ Co. LtdURM Co. Ltd100079d255f36da1ef71a3669e4ba6eb3067d4a9edb0
172.241.27.117bsdfjujierqeeog.org2020-08-31T06:52:34ZOLG Co. LtdIDP Co. Ltd1000b869ae4b3f11c9e7dd93a82af99849490d926d91
96.8.118.110aliexpress.com2020-09-07T06:24:17ZCFCIU Co. LtdYRQEK Co. Ltd1000c5818365ccd628750e692f599b6d9adb99a3c389
199.188.103.123qnadslfndgo.com2020-09-11T00:16:33ZASC Co. LtdUFJ Co. Ltd10007e413302ef862b5c417b4bf73533b8a55dea19ba
172.93.165.23stackoverflow.com2020-09-16T07:02:58ZUIBGK Co. LtdMPNCO Co. Ltd1000700cd13b53c8bb66fd51eb4c504c8c48807955e4
23.106.160.40zhanqi.tv2020-09-17T00:13:55ZCZOWK Co. LtdNCQAQ Co. Ltd10005fa1dd26de5449f4160519b690344e5ac150405f
199.188.103.115twitch.tv2020-09-17T00:16:33ZYZQVY Co. LtdNKNHX Co. Ltd10009443af2bb8c281edc3d4fbe8c3df3ee91820e8ea
67.43.239.213panda.tv2020-09-17T00:18:04ZLRWUT Co. LtdUASTD Co. Ltd1000c67dca446f3dd6fb43367cda562b5d1e1e632125
149.56.200.203force.com2020-09-17T00:27:18ZPFEOW Co. LtdRVAFN Co. Ltd1000bb53ba1e90f27896a6e021a7b82551d50994b84f
103.15.29.59adjvwucfivllsv.org2020-09-28T23:50:56ZLWR Co. LtdFRN Co. Ltd10008118c448070336884760c9393e39fd7c937b154a
172.93.165.19livejasmin.com2020-09-29T00:18:03ZYKLEC Co. LtdWZDSA Co. Ltd100046eea848d03a4faed9e07b534edee6117eb7f3c4
103.214.147.209chaturbate.com2020-11-03T02:55:39ZSIVDX Co. LtdEZDPF Co. Ltd100022994c02534f74b442f6ca02c94ae1fe003737ea
54.39.204.190adobe.com2020-11-26T00:27:14ZSGSPC Co. LtdOLBRG Co. Ltd10008309da5cdafbaa578ea7356c429c9d6c974996c6
101.99.91.247apple.com2020-11-26T00:28:28ZDJNOC Co. LtdMVTDV Co. Ltd10009083fab3637a60404bc97c04de6bcf6990ea0a25
104.168.148.216msn.com2020-12-14T08:35:15ZEMJYR Co. LtdZJVKY Co. Ltd10006656150ffdca1a739972c3833eb2dbefddb9a917
185.45.193.30sogou.com2020-12-14T09:52:49ZNTTQF Co. LtdQUMVO Co. Ltd10005cd0febfea57a9d4a8462ba3b1c45965529ce8f7
172.93.165.155wordpress.com2020-12-17T10:29:45ZAVGPZ Co. LtdBTEJQ Co. Ltd1000bbedc28ef631eef2d339f06e13910afe23f60d90
107.174.240.14yy.com2021-01-25T03:03:22ZMZXEQ Co. LtdPCKPK Co. Ltd1000f9acf669ccf7a443d1df57e441fdcb50df624c13
172.241.27.207whatsapp.com2021-01-25T06:55:17ZTXJBZ Co. LtdVFHDF Co. Ltd10002dce7f5ae09d1315ae01b4ba9476bb9b1a649b9a
67.219.150.3medium.com2021-01-26T01:31:50ZOYZQK Co. LtdBWVOU Co. Ltd1000882ce7cd5405cafab60aff1230a103f7d43c9940
192.169.6.139amazonaws.com2021-01-26T03:07:12ZATDHB Co. LtdNXHQN Co. Ltd10005ff8e100f48ed75cc0a8afe8498007e6894aea6a
74.222.26.164imgur.com2021-01-28T06:41:09ZJCAFF Co. LtdQMOPZ Co. Ltd100060852dcc1bbbd9741544290bc071a3e36298c5bf
193.34.167.183bbc.com2021-01-28T06:51:11ZMQFPB Co. LtdWHPAW Co. Ltd1000a07d545c850c2897537bb4f1afec99840b1bd8b5
63.141.224.90imdb.com2021-01-28T08:07:54ZHPCIS Co. LtdXUNQT Co. Ltd1000f18d9d4670b051c264518346cbb48d2a3c90e54d
3.239.189.175ettoday.net2021-01-28T08:08:54ZZYSOL Co. LtdJZQOD Co. Ltd1000d16a7642d2519fcd1030b9b3a4403b178e7487f7
54.39.204.190, 23.94.37.55cnn.com2021-01-29T07:33:48ZHTMSC Co. LtdXHIGN Co. Ltd1000e02961445c52cb9a2aa0a09e9a452bc10c79d4ae
144.168.224.235freepik.com2021-01-30T10:43:37ZZBGRS Co. LtdUCVED Co. Ltd1000875370a44ec1e53430bf035080b7075f5d0bce54
194.15.112.193spotify.com2021-01-30T10:54:39ZORXOQ Co. LtdAFKIE Co. Ltd100064cf462b1ff8cf77143ee0c25ac3049a2c0a986e
172.245.86.29walmart.com2021-01-30T10:55:40ZNPTWC Co. LtdRZFVM Co. Ltd1000796068fe57f59d2d25322cabc1e43329eafa3ae4
107.174.20.79etsy.com2021-02-03T06:56:01ZYEDHB Co. LtdVKQIE Co. Ltd1000c9ed6bcd81b64a9c92574e94686c76b3cbf2ec64
23.227.202.105ixlwyqfdrdcyift.com2021-02-04T08:37:41ZHDQ Co. LtdQFP Co. Ltd100024c6b220ea7a2b5de587ed37f0b19186b8b24a33
104.243.143.78jrwmngzk.net2021-02-04T08:39:41ZTJY Co. LtdTEZ Co. Ltd10000a25f29bd5d6639057ea5e4548d4629d736a0451
Showing 1 to 158 of 158 entries

Mitre att&ck breakdown

1. Persistence

  • T1053.005 – Scheduled Task/Job: Scheduled Task
  • T1547.005 – Boot or Logon Autostart Execution: Security Support Provider

2. Defense Evasion

  • T1036.005 – Masquerading: Match Legitimate Name or Location
  • T1055.001 – Process Injection: Dynamic-link Library Injection  
  • T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
  • T1070.003 – Indicator Removal on Host: Clear Command History
  • T1070.004 – Indicator Removal on Host: File Deletion
  • T1112 – Modify Registry
  • T1562 – Impair Defenses

3. Credential Access

  • T1552.001 – Unsecured Credentials: Credentials in Files

4. Lateral Movement

  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1021.002 – Remote Services: SMB/Windows Admin Shares
  • T1021.004 – Remote Services: SSH

5. Collection

  • T1113 – Screen Capture

6. Command and Control

  • T1008 – Fallback Channels
  • T1572 – Protocol Tunneling
  • T1573.001 – Encrypted Channel: Symmetric Cryptography

7. Impact

  • T1486 – Data Encrypted for Impact

RELATED ARTICLES

Blog

7 Cyber Attacks That Kept the Industry Talking in 2021

A journey back through 2021 – What we’ve learned from 5 major cyber attacks that took place in 2021 as well as 2 new threat actors identified by Sygnia.

Read more
Threat Reports and Advisories

Elephant Beetle: Uncovering an Organized Financial-Theft Operation

Sygnia’s IR team has identified the Elephant Beetle threat group, an organized, significant financial-theft operation threatening global enterprises. 

Read more
Threat Reports and Advisories

Praying Mantis An Advanced Memory Resident Attack

Sygnia researchers identified an advanced threat actor targeting high profile US organizations, using nation-state attack methods, and operating in-memory.

Read more
subsctibe decor
Want to get in touch?
Contact us