Researchers discovered Zebra2104 IAB to be providing entry points to Ransomware Threat Groups

December 2, 2021

Security researchers have discovered an Initial Access Broker (IAB) dubbed “Zebra2104” that is linked to three threat groups involved in phishing scams and ransomware activity. Zebra2104 was found to be providing entry points to ransomware threat groups such as Phobos and MountLocker, as well as to the StrongPity APT. The entry points also covered several compromised organisations in Turkey and Australia.

According to the researchers, Turkish healthcare firms and other smaller companies have been targeted by the StrongPity APT. The access broker is also believed either to have a large workforce or to have set up extensive, well-hidden traps across the internet.

It is also believed that MountLocker and StrongPity may be two threat groups working together.

The researchers noted that it might seem impossible for ransomware groups to share their resources, yet the groups mentioned were all found to be enabled by the same Initial Access Broker (IAB), Zebra2104.

As the analysts conducted their study, they uncovered a trail that led to many ransomware attacks and an APT command-and-control (C2) server. The infrastructure of the IAB Zebra2104 was also identified during the research. IABs like Zebra2104 typically intrude on a victim’s network and sell that access to the highest bidder on underground forums on the dark web. The winning bidder then deploys ransomware inside the victim’s network to run its own malicious campaign.

The research, which began in April this year, initially uncovered odd behaviour from domains on servers serving malware spam that delivered a variety of payloads, including Dridex, which the researchers have documented.

The identified misbehaving domains had been involved in phishing campaigns against Australian state government departments and real estate companies back in September 2020. Microsoft’s reports helped the researchers trace those phishing campaigns to an incident involving a MountLocker intrusion.

Another security researcher believes the MountLocker group is linked to the new AstroLocker group, because one of MountLocker’s binaries is also tied to a support site owned by AstroLocker. They added that the many technical links between the groups could be a way of hiding the traces of their malicious activity.

Conclusion

Researchers describe the interlinking web of threat groups as mirroring the business landscape, much like multinational enterprises. These groups form alliances to further their malicious goals, and such alliances are expected to become a prevalent tactic for threat groups in the future.
