Threats Feed | Mango Sandstorm (Mercury) | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 07/04/2023

MERCURY and DEV-1084's Destructive Cyber Operations Against Cloud and On-Premises Environments

  • Actor Motivations: Espionage, Extortion, Financial Gain, Sabotage
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Ransomware
  • Attack Complexity: Very High
  • Threat Risk: High Impact/High Probability

Threat Overview

MERCURY and DEV-1084, associated with the Iranian government, orchestrated a destructive operation against on-premises and cloud environments under the guise of a standard ransomware campaign. The attack chain involved exploiting unpatched vulnerabilities for initial access, followed by extensive reconnaissance, establishment of persistence, and lateral movement within the network. High-privilege credentials were then used to destroy resources on a wide scale. The attackers also breached Azure AD environments to cause further damage and data loss. They conducted extensive mailbox operations and sent emails, both internally and externally, impersonating high-ranking employees.

Extracted IOCs

  • vatacloud[.]com
  • pairing.rport[.]io
  • webstore4tech.uaenorth.cloudapp.azure[.]com
  • 016967de76382c674b3a1cb912eb85ff642b2ebfe4e107fc576065f172c6ef80
  • 0dde13e3cd2dcda522eeb565b6374c97b3ed4aa6b8ed9ff9b6224ea97bf2a584
  • 3059844c102595172bb7f644c9a70d77a198a11f1e84539792408b1f19954e18
  • 36c71ce7cd38733eb66f32a8c56acd635680197f01585c5a2a846cc3cb0a8fe2
  • 3e59d36faf2d5e6edf1d881e2043a46055c63b7c68cc08d44cc7fc1b364157eb
  • 3fba459d589cd513d2478fb4ae7c4efd6aa09e62bc3ff249a19f9a233e922061
  • 486eb80171c086f4d184423ed7e79303ad7276834e5e5529b199f8ae5fc661f2
  • 6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77
  • 786bd97172ec0cef88f6ea08e3cb482fd15cf28ab22d37792e3a86fa3c27c975
  • 887ae654d69ac5ccb8835e565a449d7716d6c4747dc2fbff1f59f11723244202
  • 8dd9773c24703e803903e7a5faa088c2df9a4b509549e768f29276ef86ef96ae
  • 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff
  • ab179112caadaf138241c43c4a4dccc2e3c67aeb96a151e432cfbafa18a4b436
  • afd16b9ad57eb9c26c8ae347c379c8e2b82361c7bdff5b189659674d5614854c
  • b155c5b3a8f4c89ba74c5c5c03d029e4202510d0cbb5e152995ab91e6809bcd7
  • b9cf785b81778e2b805752c7b839737416e3af54f64f1e40e008142e382df0c4
  • f1edff0fb16a64ac5a2ce64579d0d76920c37a0fd183d4c19219ca990f50effc
  • 104[.]194.222.219
  • 141[.]95.22.153
  • 146[.]70.106.89
  • 192[.]169.6.88
  • 192[.]52.166.191
  • 192[.]52.167.209
  • 193[.]200.16.3
  • 194[.]61.121.86
  • 45[.]56.162.111
  • 45[.]86.230.20
  • 46[.]249.35.243
  • hxxps://pairing.rport[.]io/qmlc2wx

Tip: 32 IOCs related to this threat have been found (11 IP, 3 domain, 1 URL, 0 email, 17 file hash).

Overlaps

Unknown | State-Sponsored Cyberattacks Target Israeli Academia and Government Sectors

Source: Israel National Cyber Directorate - March 2024

Detection (one case): vatacloud[.]com

MuddyWater | MuddyWater Upgrades: The Emergence of PhonyC2 Framework

Source: Deep Instinct - June 2023

Detection (three cases): 194[.]61.121.86, 45[.]86.230.20, 46[.]249.35.243

Hint: Overlaps are extracted automatically by comparing the IOCs associated with all indexed threats and actors.