Threats Feed | Cobalt Mirage | Last Updated: 17/01/2024 | Author: Certfa Radar | Publish Date: 14/09/2022

Unveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

  • Actor Motivations: Espionage, Financial Gain, Sabotage
  • Attack Vectors: Vulnerability Exploitation, Malware, Ransomware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Secureworks Counter Threat Unit analyzed a ransomware incident attributed to the Iranian COBALT MIRAGE threat group. The group gained initial access by exploiting the ProxyShell vulnerabilities in Microsoft Exchange, tunnelled traffic with a customized variant of the Fast Reverse Proxy client (FRPC) named TunnelFish, and encrypted servers using the built-in Windows BitLocker feature rather than custom ransomware. Despite the group's attempts to erase its digital footprint, several tools and artifacts were recoverable, leading to the identification of associated individuals and entities, including Ahmad Khatibi, CEO of Afkar System Co., and Mansour Ahmadi, CEO of Najee Technology.

Extracted IOCs


Tip: 21 related IOCs (5 IP, 11 domain, 0 URL, 2 email, 3 file hash) to this threat have been found.


APT35 | APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (one case): 148[.]251.71.182

Unknown | Iranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (10 cases): 104[.]168.117.149, 148[.]251.71.182, 172[.]245.26.118, buysafety@onionmail[.]org, gupdate[.]us, mssync[.]one, msupdate[.]top, newdesk[.]top, symantecserver[.]co, upmirror[.]top

DEV-0270 | DEV-0270's Cyber Offensive: A Profiling of Their Ransomware Operations

Source: Microsoft - September 2022

Detection (two cases): lifeweb[.]ir, secnerd[.]ir

Phosphorus | Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (four cases): 148[.]251.71.182, 172[.]245.26.118, newdesk[.]top, symantecserver[.]co

Cobalt Mirage | COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (three cases): gupdate[.]us, newdesk[.]top, symantecserver[.]co

Phosphorus | PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (one case): 148[.]251.71.182

APT35 | CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

Source: Check Point - January 2022

Detection (one case): 148[.]251.71.182

Phosphorus | Iranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (one case): 148[.]251.71.182

Phosphorus | Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

Source: The DFIR Report - March 2021

Detection (one case): 148[.]251.71.182

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.