IronNet Threat Intelligence Brief - 2021 - 04


Edition #16: April 2021

IronNet: Threat Intelligence Brief
Top Observed Threats from IronNet Collective Defense Community
March 1 – March 31, 2021

Significant Community Findings
This month, IronDefense deployed across IronDome participants’ environments identified
a number of network behavioral anomalies that were rated as Suspicious or Malicious by
IronNet and/or participant analysts.

- C2: 83 IoCs
- Access: 18 IoCs
- Recon: 1 IoC
- Other: 7 IoCs
- Total IoCs reported: 109

Threat Intelligence Report | Top Observed Threats from IronNet Collective Defense Community 2

Recent Indicators of Compromise


Domain/IP | Rating | Analyst Insight

ark[.]xyz | SUSPICIOUS | The presence of this domain may be indicative of the AMZ tool, an unwanted Chrome extension. This domain is associated with ad redirect software.

window98originalmain[.]live | SUSPICIOUS | In the traffic in question, the user was redirected to multiple sites associated with ad redirect software, including basque[.]buzz, window98originalmain[.]live, and comppiwareresfai[.]tk. There were no downloads observed, but the techniques used were indicative of malspam. We recommend blocking traffic to this domain.

ofertaexpressa[.]com | SUSPICIOUS | This domain provides email content in a phishing attempt involving password changes. We recommend blocking the domain.

amads[.]xyz | SUSPICIOUS | This IoC is related to an adware injector which injects a malicious PHP script into vulnerable WordPress installations.

feignoccasionedmound[.]com | SUSPICIOUS | This domain supplies an unknown script within certain ecommerce sites and may indicate the ability to conduct credit card skimming attacks. We recommend blocking the domain.

ifadulakvefin[.]tk | SUSPICIOUS | This domain serves as a clickbait ad-redirector. The domain presents a JavaScript to the client browser that then redirects the user to a site that encourages the user to click on a prize which could download riskware. We recommend blocking the domain.

root464providecatch[.]live | SUSPICIOUS | This is a flagged phishing site. If seen in your network, inspect the traffic and ensure the domain is blocked.

ark-btc[.]net | SUSPICIOUS | This is a Bitcoin phishing domain. If seen in your network, investigate the traffic and clients for potential loss of personally identifiable information (PII) and currency and block the domain.

avanquest[.]com | SUSPICIOUS | This domain may install software claiming to improve the user’s system. This could impose risks to the organization’s IT assets. If seen in your network, block the domain and investigate for unwanted traffic or software installed on clients’ computers.

poolunbelievably[.]com | SUSPICIOUS | This is a TerraClicks-related redirect. If seen in your network, investigate the surrounding traffic for delivery of unwanted applications.

Threat Rules Developed
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on
significant community findings from IronDome, malware analysis, threat research, or other
methods to ensure timely detection of malicious behavior targeting an enterprise or other
IronDome community participants. These TIRs are continually distributed to each IronDefense
deployment as they are created, ensuring that customers receive the most up-to-date
detection capabilities.

13,299 threat intel rules developed this month
202,774 threat intel rules developed to date

This month’s threat intelligence rules include signatures looking for Indicators of Compromise identified by the IronNet Threat Research team as associated with phishing or malware delivery. IronNet threat intelligence analysts also routinely monitor research distributed by the wider cybersecurity community and ensure rules are created for documented indicators. Some examples of this month’s research include indicators associated with the following threats and campaigns:

- Command and control (C2) domains associated with ZBot malware
- Indicators associated with Nobelium malware
- Additional LokiBot indicators
- IoCs surrounding Hafnium’s exploitation of Microsoft Exchange
- IoCs surrounding other hacking groups involved in the Microsoft Exchange exploitation
- C2 domains for the AZORult malware
- C2 domains for the Nanocore malware
- IoCs surrounding a new variant of Gafgyt that may be connected to the Necro botnet group
- C2 domains for the FormBook spyware
- C2 domains for the Zeus Panda Trojan, which steals banking credentials and other sensitive information
- Malware delivery domains for the AgentTesla, Dridex, and Wacatac malwares
- C2 domains related to the NjRat malware, a backdoor RAT (Remote Access Trojan) that may attempt to steal user credentials and other information
- Malware delivery domains for Gafgyt and Dridex

This Month in the IronDome

Rating alerts diminishes “alert fatigue” for your SOC.

The IronDefense network detection and response solution detects behavior-based anomalies as follows:

- The NetFlow or enriched network metadata (“IronFlows”) collected by IronNet sensors is analyzed by a participating enterprise’s IronDefense instance before being sent to IronDome for higher order analysis and correlation with other IronDome members.
- IronNet’s IronDome Collective Defense platform delivers a unique ability to correlate patterns of behavior across IronDome participants within an enterprise’s business ecosystem, industry sector, or region.

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses.

Below is a snapshot of this month’s alerts.

Monthly Alert Snapshot

220B flows ingested: Network data or NetFlow is sent to IronDefense for processing before being sent to IronDome for behavioral correlation with other IronDome participants.

914K alerts detected: IronDefense identifies potential cyber threats in your environment by processing participants’ logs with big data analytics, an expert system where analysts rate the severity of the alerts, and behavioral models.

IronNet Expert System: IronNet’s proprietary Expert System combines analytic results with computational rules based on our unique tradecraft experience. This essentially automates Tier 1 SOC analysis to enhance scoring precision.

2,905 high severity alerts: Validated by IronNet’s Expert System, these results are communicated to IronDefense and IronDome participants.

822 correlated alerts: Severe alerts that have been found in more than one IronDome participant’s network. Of these, 244 were found between two participants and 578 among more than two participants.

Tracking Industry Threats

Hafnium Targets Exchange Zero-day Vulnerabilities

On-premise instances of Microsoft Exchange have been identified as the target of active exploits in a series of attacks utilizing a collection of zero-day vulnerabilities. The four vulnerabilities affect unpatched, on-premise Exchange servers from version 2013 to 2019, excluding Exchange Online (Office 365). These exploits and corresponding attacks have been attributed to Chinese advanced persistent threat (APT) Hafnium. Historically, this group has targeted U.S. entities with the goal of exfiltrating information from several industry sectors, including law firms, infectious disease researchers, higher education institutions, defense contractors, non-governmental organizations (NGO), and policy think tanks. Although Hafnium originated in China, it primarily operates from leased virtual private servers (VPS) in the U.S. to conceal its true location, exploiting the legal restriction that prohibits intelligence agencies from inspecting systems based in the U.S.

Though Hafnium is believed to have been exploiting these flaws since January 6th, Microsoft did not publicly acknowledge the vulnerabilities until March 2nd. Microsoft released several security updates to address the vulnerabilities, recommending administrators install the patches immediately. Since these vulnerabilities became well-known, numerous threat actors beyond Hafnium have also been conducting attacks: a total of five distinct hacking groups have been identified as exploiting these critical flaws in Microsoft’s email software.

The threat actors exploit these vulnerabilities as part of an attack chain, in which they bypass authentication to secure access to an Exchange server and then create a web shell to take control of the system and execute remote commands. In this process, threat actors secure access to an Exchange Server either by utilizing stolen credentials or by exploiting CVE-2021-26855, a Server Side Request Forgery (SSRF) vulnerability that allows a remote attacker to send arbitrary HTTP requests to the Exchange Server and authenticate to it. After this initial attack, the attacker has bypassed authentication and is able to steal the full contents of multiple user mailboxes. As part of the attack chain, the threat actor then exploits other vulnerabilities. This includes CVE-2021-26857, which enables the attacker to run code as SYSTEM on the Exchange Server, and post-authentication arbitrary file write vulnerabilities (CVE-2021-26858 and CVE-2021-27065) to deploy web shells to the compromised host in order to control the server remotely. The web shells (ASPX files) allow threat actors to steal data and conduct further operations on the compromised system. Following this, the attackers perform a wide range of post-exploitation activities, such as dumping LSASS process memory using Procdump, using 7-Zip to compress stolen data into ZIP files for exfiltration, exporting mailbox data through the use of Exchange PowerShell snap-ins, and using PowerCat (downloaded from GitHub) to open a connection to a remote server.

Further Details Emerge About Microsoft Exchange Zero-day Exploit

More information has surfaced about the Microsoft Exchange attacks and the timeline of exploits. Although Microsoft first stated that the attacks were “limited and targeted,” reports of much broader mass exploitation by multiple threat groups continue to emerge. It has been confirmed that various threat actors exploited the vulnerabilities prior to Microsoft’s release of the patch. This means that some Exchange users who deployed the patches on the same day Microsoft released them may have already been compromised by threat actors other than the China-based groups. All of the new reports raise the question of how so many hacking groups had access to the same information before it was made public.

GENERAL TIMELINE

The first in-the-wild exploitation of the vulnerabilities was reported by Volexity to have begun on January 3rd, 2021. Microsoft was alerted to these vulnerabilities by the security testing firm DEVCORE two days later. Other security firms began reporting active exploitation of the Microsoft Exchange vulnerabilities in late January/early February, attributing the activity to the Chinese state-sponsored APT Hafnium. Around February 28th, researchers noticed that the vulnerabilities were being used by other threat groups, starting with Tick and followed closely by LuckyMouse, Calypso, and Winnti Group. After Microsoft publicly acknowledged the exploits and released patches to plug the zero-day flaws on March 2nd, mass exploitation expanded as multiple additional threat actors sought to capitalize on the vulnerabilities before organizations patched their servers.

EXPLOITERS AND TARGET ENTITIES

Researchers reported that at least ten different APT groups have used the Exchange vulnerabilities (or hijacked the webshells dropped by other groups) to compromise email servers. There are four known APTs that are believed to have begun exploits prior to the patch release:

- Tick, whose main goal seems to be intellectual property and classified information theft, compromised the web server of an IT company based in East Asia.
- LuckyMouse (aka. APT 27 or Emissary Panda) compromised the server of a governmental entity in the Middle East.
- Calypso compromised the servers of governmental entities in the Middle East and South America, targeting additional servers of government organizations and private companies in Africa, Asia, and Europe in the following days.
- Winnti Group (aka. APT 41 or Barium) compromised servers of an oil company and construction equipment organization based in East Asia.

There are several known APTs who targeted vulnerable servers after the patch release, including:

- CactusPete (aka. Tonto Team), who compromised the servers of a procurement company and a software development/cybersecurity consulting company based in Eastern Europe.
- Mikroceen (aka. Vicious Panda), who compromised the server of a utility company in Central Asia.
- DLTMiner, a group linked to a known cryptomining campaign who deployed PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities.

There are also clusters of malicious activity that are so far unattributed to a specific APT, including:

- A new cluster of activity dubbed Websiic, in which seven servers of private companies (IT, telecommunications, and engineering) in Asia and a governmental entity in Eastern Europe were targeted prior to the patch release.
- ShadowPad activity, in which modular backdoor Shadowpad was dropped by an attacker to compromise the servers of a software development company in East Asia and a real estate company in the Middle East.
- “Opera” Cobalt Strike activity targeting around 650 servers in the U.S. and Europe.
- IIS backdoors, in which webshells were used to install IIS backdoors on at least four servers located in Asia and South America.

MAIN CONCERNS

Right now, the hacking appears to be focused on cyber espionage, but evidence of cybercriminal exploitation is emerging. On March 11th, Microsoft reported that there is a new family of ransomware that encrypts computer files, known as DearCry, that is being deployed after the initial compromise of Exchange servers. Kryptos Logic reported on March 12th that it discovered almost 7,000 exposed webshells initially installed by Hafnium that are now extremely vulnerable to the deployment of DearCry. If these webshells are not removed, the compromised servers remain open to intrusion by both the hackers who initially installed the backdoors and other threat actors who piggyback off of Hafnium.

It is very uncommon for so many different cyber espionage groups to have access to the same zero-day exploits before they are made public, raising questions of how so many hacking groups were able to exploit these vulnerabilities prior to Microsoft’s acknowledgment of them. There is a possibility that it happened to be simultaneous discovery or that China sold access to the exploit to distract from its overall objectives. There is evidence that, in some cases, the webshells were dropped into Offline Address Book (OAB) configuration files and appeared to be accessed by more than one group, possibly indicating some kind of collusion. However, there is wide speculation that the information was leaked from Microsoft itself or one of its partners. Microsoft is currently investigating possible ties between one of its partner security firms and the attack code leak, as the exploit tools deployed in the attacks are allegedly similar to PoC (proof of concept) code that was privately distributed by Microsoft to vendors.

SilverFish

Swiss cyber threat intelligence company PRODAFT recently released a report outlining its discovery of the sophisticated cyber espionage group SilverFish. The group is responsible for cyber attacks on over 4,720 targets, including government entities, defense contractors, aviation manufacturers, global IT providers, and Fortune 500 companies. Known to have strong ties to the SolarWinds attack and the Russian cybercriminal group EvilCorp, SilverFish targets institutions in the U.S. and E.U., focusing specifically on critical infrastructure and organizations with a market value of over $100 million.

HOW DID PRODAFT DISCOVER SILVERFISH?

After detecting a domain (databasegalore[.]com) related to the SolarWinds IoCs released by FireEye, PRODAFT’s threat intelligence (PTI) team was able to create a unique fingerprint profile for the subject server. The PTI team then ran global scans of the IPv4 range to find a matching fingerprint, and within 12 hours, it identified over 200 hosts with similar characteristics. After filtering out false positives, the team detected and gained access to SilverFish’s C2 server, through which it was able to acquire significant information about the group’s modus operandi, victims, and command execution.

WHAT ARE THE GROUP’S GOALS AND MODUS OPERANDI?

SilverFish’s executed tasks indicate that the group’s main objectives are covert network reconnaissance and data exfiltration. SilverFish attackers use a variety of software and scripts for both initial and post-exploitation activities, making extensive use of publicly available red teaming tools, like Empire, Cobalt Strike, and Mimikatz, as well as specially-crafted PowerShell, JavaScript, and HTA (HTML application) files. With most of its activity occurring on weekdays between 8:00 and 20:00 UTC, the group follows a strong behavioral pattern that includes enumerating domain controllers and trusted domains, displaying memory resident credentials and admin user accounts, and launching scripts for post-exploit reconnaissance and data exfiltration activities.

WHAT MAKES SILVERFISH UNIQUE?

When looking inside the C2 server, the PTI team discovered that the main dashboard of the SilverFish C2 panel featured a section labeled “Active Teams” involving comments (in both English and Russian) on victim records entered by different user groups (e.g., Team 301, 302, 303, and 304). This indicates that SilverFish adopted a team-based workflow model and triage system akin to project management applications like JIRA. SilverFish is also unique because its C2 server had a hierarchical structure, meaning each team is assigned new victims by an administrator (or has victims auto-assigned to them by the system based on the current workload) and can only access the victims allocated to them. It is quite uncommon to see accounts with differing permission levels managing a C2 server.

SilverFish also designed an unprecedented malware detection sandbox formed by real enterprise victims. This enabled the group to test out its malicious payloads on live victim servers with various enterprise antivirus and endpoint detection and response (EDR) solutions, including Sophos Antivirus, Norton Security, and CrowdStrike Falcon Sensor, further supporting the high success rate of its attacks. Tracking the detection rate of its payloads in real time, SilverFish has used this system to periodically test its malicious payloads on over 6,000 victim devices, scripts, and implants.

Updates to SilverFish and Microsoft Exchange Vulnerabilities

SILVERFISH

Since the release of PRODAFT’s March 18th report on the sophisticated cyber-espionage group SilverFish, IronNet’s Threat Analysis and Emerging Threats and Detection Research (ETDR) teams have joined together to further analyze the malware used in these cyberattacks. Our teams were able to retrieve malicious post-exploitation scripts and observed some of the GET requests to adversary infrastructure, which included host information such as username, domain, and IP addresses, encoded in base64. The Threat Analysis and ETDR teams are working to unpack the malicious executable in order to understand adversary targets and post-exploitation objectives, and identify new IoCs.

MICROSOFT EXCHANGE

The Shadowserver Foundation, a nonprofit security organization, has recently released a report stating it has discovered 21,248 different Exchange servers that appear to be compromised by a backdoor and are communicating with the domain brian[.]krebsonsecurity[.]top. Using a combination of internet scans and honeypots, Shadowserver searched for attacks on Microsoft Exchange servers, keeping a close eye on hundreds of unique backdoor variants that cybercrime groups have employed to gain control of unpatched Exchange servers. On March 26th, Shadowserver identified attempts to install a new backdoor, known as Babydraco, on compromised systems. In each case, the hacked hosts deployed the backdoor in the same location: /owa/auth/babydraco.aspx. Shadowserver’s honeypots witnessed numerous compromised hosts with the Babydraco backdoor conducting identical activity: a Microsoft PowerShell script runs and grabs the file krebsonsecurity.exe from the IP address 159.65.136[.]128. The file installs a root certificate, modifies the system registry, and instructs Windows Defender not to scan the file. The Krebsonsecurity file will then attempt to open an encrypted connection between the compromised Exchange server and the IP address mentioned above, sending a small amount of traffic to it that gradually grows by the minute.

The motivations of the cybercriminals behind the brian[.]krebsonsecurity[.]top domain are unclear so far, but the domain itself is known to have recent connections to other cybercrime activity. Security expert Brian Krebs from KrebsOnSecurity has stated that he is not the one behind these attacks. This is far from the first time that malware has abused his name or website trademarks.
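As an added, defender-side example (not code from the brief or from IronNet), the following hunt covers what the Hafnium attack-chain description and the Babydraco paragraph above have in common: ASPX web shells dropped under /owa/auth/ and contact with the indicators the brief names. The IIS log lines and flow records are constructed, and the allow-list of stock /owa/auth/ pages is an assumption for this example.

```python
"""Hunt IIS W3C logs and outbound flow records on an on-premises Exchange server for
the web shell path and C2 indicators named in the brief. All sample data is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators quoted in the brief (defanged there; plain here so they match log data).
KNOWN_C2_IPS = {"159.65.136.128"}
KNOWN_C2_DOMAINS = {"brian.krebsonsecurity.top"}

# Assumption for this example: ASPX pages a stock Exchange /owa/auth/ directory serves.
# Any other .aspx requested under that path is treated as a possible web shell.
EXPECTED_OWA_AUTH_PAGES = {
    "logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx", "expiredpassword.aspx",
}


@dataclass(frozen=True)
class Finding:
    kind: str      # "webshell-path" or "c2-indicator"
    value: str     # URI stem, IP or domain that triggered the finding
    evidence: str  # the raw record the finding came from


def parse_iis_w3c(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended log text, taking column names from its #Fields: header."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS writes spaces inside values as '+'
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def hunt_iis_log(text: str) -> list[Finding]:
    """Flag unexpected ASPX under /owa/auth/ and requests arriving from known C2 addresses."""
    findings: list[Finding] = []
    for row in parse_iis_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        evidence = " ".join(row.values())
        m = re.fullmatch(r"/owa/auth/([^/]+\.aspx)", stem)
        if m and m.group(1) not in EXPECTED_OWA_AUTH_PAGES:
            findings.append(Finding("webshell-path", stem, evidence))
        if row.get("c-ip") in KNOWN_C2_IPS:
            findings.append(Finding("c2-indicator", row["c-ip"], evidence))
    return findings


def hunt_outbound(flows: list[tuple[str, str, int, str]]) -> list[Finding]:
    """flows are (src_ip, dst_ip, dst_port, resolved_name_or_empty) records from the
    server's outbound side, which is where the beacon described above would appear."""
    findings: list[Finding] = []
    for src, dst, port, name in flows:
        if dst in KNOWN_C2_IPS or name.lower() in KNOWN_C2_DOMAINS:
            findings.append(Finding("c2-indicator", name or dst, f"{src} -> {dst}:{port}"))
    return findings


# Constructed sample data: a benign OWA logon, a hit on the Babydraco path, a stock
# error page, and one outbound flow to the address and domain named in the brief.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-26 10:02:11 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-26 10:05:42 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-26 10:06:03 10.0.0.5 GET /owa/auth/errorFE.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
"""
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, ""),
    ("10.0.0.5", "159.65.136.128", 443, "brian.krebsonsecurity.top"),
]

if __name__ == "__main__":
    for f in hunt_iis_log(SAMPLE_IIS_LOG) + hunt_outbound(SAMPLE_FLOWS):
        print(f"[{f.kind}] {f.value}  <- {f.evidence}")
```

Pointing `hunt_iis_log` at the real W3C logs under the Exchange front end and `hunt_outbound` at firewall or NetFlow exports of the server's egress gives the two checks the brief's findings call for; the allow-list should be tuned to what the local Exchange build actually ships.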

Why Collective Defense?

“IronDome enables us to proactively defend against emerging cyber threats by uniquely delivering machine speed anomaly detection and event analysis across industry peers and other relevant sectors.”
— CISO, Industry-Leading North American Energy Company

This report features threat findings, analysis, and research shared across
IronDome, the industry’s first Collective Defense platform for sharing network
behavior analytics and intelligence detected between and across sectors, states,
and nations so IronDome participants can work together in near-real-time to
collaboratively defend against sophisticated cyber adversaries.

Information in this document is subject to change without notice. The software described in this document is furnished under a license
agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part
of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of IronNet Cybersecurity, Inc.

© Copyright 2021. IronNet Cybersecurity, Inc. All rights reserved.

Your Partner in Collective Defense

IronNet’s goal is to strengthen Collective Defense by detecting unknown threats using behavior-based analysis, rating these threats to reduce “alert fatigue,” and sharing them within the IronDome ecosystem to empower SOC teams across the community to prioritize and accelerate response, and defend better, together.

By working together in this way, we can raise the bar on cybersecurity defense at your enterprise or organization, across sectors at large, and on behalf of nations.

Learn more about Collective Defense in our eBook at IronNet.com.
