Threats Feed | Mint Sandstorm (Phosphorus) | Last Updated: 17/01/2024 | Author: Certfa Radar | Publish Date: 01/06/2022

Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Downloader, Trojan
  • Attack Complexity: High
  • Threat Risk: High Impact/Low Probability

Threat Overview

Deep Instinct researchers detected suspicious activity at a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by the Iranian APT PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending of malicious traffic with legitimate traffic. The attacker used malware to create a new user account, set up RDP access, and establish a reverse proxy for connecting to the compromised system. A new evasion technique, masking malicious domains within legitimate-looking ones, was also detected. PHOSPHORUS activity can be traced back to June 2020.

Detected Targets

Type     Description     Confidence
Sector   Construction    Verified
Region   United States   Verified

Extracted IOCs


Tip: 51 related IOCs (5 IP, 12 domain, 0 URL, 0 email, 34 file hash) to this threat have been found.

Overlaps

Ballistic Bobcat: Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations

Source: ESET - September 2023

Detection (one case): 198[.]144.189.74

APT35: APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (six cases): 107[.]173.231.114, 148[.]251.71.182, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, kcp53.msupdate[.]us, tcp443.msupdate[.]us

Cobalt Mirage: Unveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

Source: Secureworks - September 2022

Detection (four cases): 148[.]251.71.182, 172[.]245.26.118, newdesk[.]top, symantecserver[.]co

Unknown: Iranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (17 cases): 107[.]173.231.114, 148[.]251.71.182, 172[.]245.26.118, 198[.]144.189.74, 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f, 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9, b04b97e7431925097b3ca4841b8941397b0b88796da512986327ff66426544ca, b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd, aptmirror[.]eu, msupdate[.]us, newdesk[.]top, symantecserver[.]co, tcp443[.]org

Cobalt Mirage: COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (nine cases): 107[.]173.231.114, 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26, aptmirror[.]eu, microsoft-updateserver[.]cf, msupdate[.]us, newdesk[.]top, onedriver-srv[.]ml, symantecserver[.]co, tcp443[.]org

TunnelVision: TunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers

Source: eSentire - March 2022

Detection (one case): microsoft-updateserver[.]cf

Phosphorus: PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (two cases): 148[.]251.71.182, a4c908859d78973a94581ea010b10b9a83d25cbafe0c0704dc67ff43c05f0040

APT35: CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

Source: Check Point - January 2022

Detection (one case): 148[.]251.71.182

Unknown: Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

Source: CISA - November 2021

Detection (one case): c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624

Phosphorus: Iranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (three cases): 148[.]251.71.182, 198[.]144.189.74, e3eac25c3beb77ffed609c53b447a81ec8a0e20fb94a6442a51d72ca9e6f7cd2

Phosphorus: Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

Source: The DFIR Report - March 2021

Detection (six cases): 107[.]173.231.114, 148[.]251.71.182, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, kcp53.msupdate[.]us, tcp443.msupdate[.]us

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.