Threats Feed | Mint Sandstorm (Phosphorus) | Last Updated: 15/08/2023 | Author: Certfa Radar | Publish Date: 21/03/2021

Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Code injection, Vulnerability Exploitation, Ransomware
  • Attack Complexity: Very High
  • Threat Risk: High Impact/High Probability

Threat Overview

In December 2021, PHOSPHORUS exploited the Microsoft Exchange ProxyShell vulnerabilities, using web shells to gain initial access and execute code. The attack closely resembled the group's previous attacks, and based on prior reports and OSINT research, The DFIR Report assesses with medium to high confidence that this intrusion would have ended in ransomware. The attackers established persistence through scheduled tasks and a newly created account and, after enumerating the environment, disabled LSA protection and dumped LSASS process memory. The entire attack was likely scripted, as evidenced by the user agent strings and the similarity between commands.

Extracted IOCs


Tip: 24 related IOCs (2 IP, 2 domain, 0 URL, 0 email, 20 file hash) to this threat have been found.

Overlaps

APT35 | APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (24 cases): 107[.]173.231.114, 148[.]251.71.182, 0f676bc786db3c44cac4d2d22070fb514b4cb64c, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 1a5ad24a6880eea807078375d6461f58, 27102b416ef5df186bd8b35190c2a4cc4e2fbf37, 3a6431169073d61748829c31a9da29123dd61da8, 4d243969b54b9b80c1d26e0801a6e7e46d2ef03e, 559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e, 5f098b55f94f5a448ca28904a57c0e58, 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0, 6bae2d45bbd8c4b0a59ba08892692fe86e596154, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 84f77fc4281ebf94ab4897a48aa5dd7092cc0b7c78235965637eeef0908fb6c7, 8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee, 9a3703f9c532ae2ec3025840fa449d4e, b2fde6dc7bd1e04ce601f57805de415b, c5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8, cacb64bdf648444e66c82f5ce61caf4b, d2f4647a3749d30a35d5a8faff41765e, da2470c3990ea0862a79149c6036388498da83cd, f0be699c8aafc41b25a8fc0974cc4582, kcp53.msupdate[.]us, tcp443.msupdate[.]us

Cobalt Mirage | Unveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

Source: Secureworks - September 2022

Detection (one case): 148[.]251.71.182

Unknown | Iranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (16 cases): 107[.]173.231.114, 148[.]251.71.182, 0f676bc786db3c44cac4d2d22070fb514b4cb64c, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 27102b416ef5df186bd8b35190c2a4cc4e2fbf37, 3a6431169073d61748829c31a9da29123dd61da8, 559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e, 5f098b55f94f5a448ca28904a57c0e58, 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0, 6bae2d45bbd8c4b0a59ba08892692fe86e596154, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee, 9a3703f9c532ae2ec3025840fa449d4e, cacb64bdf648444e66c82f5ce61caf4b, d2f4647a3749d30a35d5a8faff41765e, f0be699c8aafc41b25a8fc0974cc4582

Phosphorus | Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (six cases): 107[.]173.231.114, 148[.]251.71.182, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, kcp53.msupdate[.]us, tcp443.msupdate[.]us

Cobalt Mirage | COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (four cases): 107[.]173.231.114, 27102b416ef5df186bd8b35190c2a4cc4e2fbf37, 5f098b55f94f5a448ca28904a57c0e58, 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0

Phosphorus | PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (one case): 148[.]251.71.182

APT35 | CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

Source: Check Point - January 2022

Detection (one case): 148[.]251.71.182

Phosphorus | Iranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (one case): 148[.]251.71.182

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.