Threats Feed|Mint Sandstorm (Phosphorus)|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date01/06/2022

Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Vulnerability Exploitation,Downloader,Trojan
  • Attack Complexity: High
  • Threat Risk: High Impact/Low Probability

Threat Overview

Deep Instinct researchers detected suspicious activity in a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by an Iranian APT, PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending malicious traffic with legitimate. The attacker used malware to create a new user account, setup RDP access, and establish a reverse proxy to connect to the compromised system. A new evasion technique, involving masking malicious domains within legitimate ones, was also detected. PHOSPHORUS activities can be traced back to June 2020.

Reference and Credit: Deep Instinct - June 2022

Iranian Threat Actor Continues to Develop Mass Exploitation Tools

Detected Targets

TypeDescriptionConfidence
SectorConstruction
Verified
RegionUnited States
Verified

Extracted IOCs

  • activate-time-microsoft[.]cf
  • aptmirror[.]eu
  • microsoft-updateserver[.]cf
  • msupdate[.]us
  • newdesk[.]top
  • onedriver-srv[.]ml
  • symantecserver[.]co
  • tcp443[.]org
  • kcp53.msupdate[.]us
  • kcp53.tcp443[.]org
  • tcp443.msupdate[.]us
  • tcp443.tcp443[.]org
  • 061a78f6f211e5c903bca514de9a6d9eb69560e5e750030ce74afec75c1fc95b
  • 104a5ef1b1f52fe3633ce88190a1a2b2df79437cabe31b21c540cecf43c94951
  • 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a
  • 137a0cc0b96c892a67c634aef128b7a97e5ce443d572d3631e8fa43d772144c4
  • 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e
  • 17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f
  • 21b1c01322925823c1e2d8f4f2a1d12dafa2ef4b9e37d6e56d0724366d96d714
  • 27cb14b58f35a4e3e13903d3237c28bb386d5a56fea88cda16ce01cbf0e5ad8e
  • 29486c9dc095874e8e04ac4b8c33a14ae7ad0a9e395f36b3fb71bce4e1f76758
  • 2bc46b0362fa7f8f658ce472958a70385b772ab9361625edc0a730211629a3c4
  • 3c5d586620d1aec4ee37833b2fa340fc04ed9fdf6c80550a801704944a4ebe57
  • 3e36b7a7fc8f742489ddcbe90195774b1ebf62eecc99c77152bf3a85bcb48d74
  • 400743690cf1addd5c64c514b8befa981fb60881fa56737a09da747f674fb36b
  • 4066c680ff5c4c4c537c03cf962679a3f71700d4138acd6967f40f72045b1b23
  • 5a383edfc3c71d55773df40c71473bd949eddc6828ed7e78977b87e1854ea90a
  • 6a62aa730bac97951c313880e4c6229c17fc4c393d97230f63c8be4bb7f84164
  • 6fde690b06de85a399df02b89b87f0b808fde83c753cda4d11affded4dca46d7
  • 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26
  • 736b61b9c6bc2da2a8bb8d8f134c682f071ea90d50c42fc0b86ebf1c592c9332
  • 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b
  • 8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9
  • a03e832aa245e3f549542f61e0e351c2cb4886feb77c02bf09bc8781944741f5
  • a4c908859d78973a94581ea010b10b9a83d25cbafe0c0704dc67ff43c05f0040
  • adb2b4ee5c7002bc64ecb1a87f0e7d728eddfda1dd550021c458f1aedcbc31f9
  • b04b97e7431925097b3ca4841b8941397b0b88796da512986327ff66426544ca
  • b06c9d01cd4b89baa595f48736e6e31f2559381f1487f16304dde98ebd5e9d90
  • b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd
  • bdf347ce89860bdde9e0b4eba3673fbcb0c5a521e4887b620106dc73650358da
  • c36556977959f682e564b63ee8f0f33f70ab365bc85c043034242d2f6dbac219
  • c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
  • d5b85892479f79ed622e8e0f67b3f0e30f0dd3d92bc0bc401695d3a0b3cd92ad
  • d9a75fe86b231190234df9aba52efcffd40fead59bb4b06276a850f4760913bf
  • e3eac25c3beb77ffed609c53b447a81ec8a0e20fb94a6442a51d72ca9e6f7cd2
  • f97c3ef344f5fd695b68e8f2f326f90fe02d00e4bb6bbc72d0bbe51588c35874
  • 107[.]173.231.114
  • 148[.]251.71.182
  • 172[.]245.26.118
  • 198[.]144.189.74
  • 94[.]182.164.92
download

Tip: 51 related IOCs (5 IP, 12 domain, 0 URL, 0 email, 34 file hash) to this threat have been found.

Overlaps

Ballistic BobcatBallistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations

Source: ESET - September 2023

Detection (one case): 198[.]144.189.74

APT35APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (six cases): 107[.]173.231.114, 148[.]251.71.182, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, kcp53.msupdate[.]us, tcp443.msupdate[.]us

Cobalt MirageUnveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

Source: Secureworks - September 2022

Detection (four cases): 148[.]251.71.182, 172[.]245.26.118, newdesk[.]top, symantecserver[.]co

UnknownIranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (17 cases): 107[.]173.231.114, 148[.]251.71.182, 172[.]245.26.118, 198[.]144.189.74, 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f, 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9, b04b97e7431925097b3ca4841b8941397b0b88796da512986327ff66426544ca, b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd, aptmirror[.]eu, msupdate[.]us, newdesk[.]top, symantecserver[.]co, tcp443[.]org

Cobalt MirageCOBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (nine cases): 107[.]173.231.114, 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26, aptmirror[.]eu, microsoft-updateserver[.]cf, msupdate[.]us, newdesk[.]top, onedriver-srv[.]ml, symantecserver[.]co, tcp443[.]org

TunnelVisionTunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers

Source: eSentire - March 2022

Detection (one case): microsoft-updateserver[.]cf

PhosphorusPowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (two cases): 148[.]251.71.182, a4c908859d78973a94581ea010b10b9a83d25cbafe0c0704dc67ff43c05f0040

APT35CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

Source: Check Point - January 2022

Detection (one case): 148[.]251.71.182

UnknownIranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

Source: CISA - November 2021

Detection (one case): c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624

PhosphorusIranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (three cases): 148[.]251.71.182, 198[.]144.189.74, e3eac25c3beb77ffed609c53b447a81ec8a0e20fb94a6442a51d72ca9e6f7cd2

PhosphorusAutomated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

Source: The Dfir Report - March 2021

Detection (six cases): 107[.]173.231.114, 148[.]251.71.182, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, kcp53.msupdate[.]us, tcp443.msupdate[.]us

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
Mint Sandstorm
View Mint Sandstorm's Insights