TA4922 is a highly sophisticated cybercriminal group that rapidly shifted between Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0) while expanding campaigns from nearby regions into parts of Europe and Africa. Proofpoint and subsequent investigation uncovered multiple related network indicators, victim communications, and infrastructure artifacts tied to malicious domains, subdomains, and IP addresses. #TA4922 #AtlasRAT #RomulusLoader #SilentRunLoader #ValleyRAT #Winos4.0 #Proofpoint #nwphotoblogcom #wsztts88cyou
Keypoints
- TA4922 rapidly changed tactics and malware across campaigns, using Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0).
- The group primarily launched local attacks but expanded operations into more countries in Europe and Africa.
- Proofpoint identified seven network IoCs, including five IP addresses, one domain, and one subdomain.
- Researchers expanded the set to eight IoCs after extracting a unique domain from the subdomain indicator.
- Analysis uncovered 36 unique victim IP addresses communicating with two of the tracked IPs, along with thousands of email-connected domains.
- One subdomain, ws[.]ztts88[.]cyou, was assessed as likely malicious infrastructure, possibly a C2 endpoint.
- Historical lookups showed strong infrastructure overlap, including domain-to-IP and IP-to-domain resolution patterns linked to the campaign.
MITRE Techniques
- [T1071.001 ] Web Protocols – The infrastructure likely used web-based communication for command-and-control, as the subdomain was assessed as a likely C2 endpoint (‘likely a C&C endpoint malware use’).
- [T1583.001 ] Acquire Infrastructure: Domains – The threat group relied on malicious domains and a subdomain as part of its operational infrastructure (‘seven network IoCs made up of five IP addresses, a domain, and a subdomain’).
- [T1583.006 ] Acquire Infrastructure: Web Services – The campaign used internet-facing hosted infrastructure that was queried through WHOIS and DNS history analysis (‘the domain IoCs on WHOIS API’ and ‘DNS Chronicle API’).
- [T1049 ] System Network Connections Discovery – Researchers observed victim systems communicating with the threat infrastructure, indicating active network connections (’36 unique IP addresses likely owned by victims that communicated with two of the IP IoCs’).
- [T1568.002 ] Dynamic Resolution: Domain Generation Algorithms – The investigation focused on changing domain-to-IP relationships and multiple historical resolutions, consistent with dynamic infrastructure patterns (‘recorded 268 resolutions’ and ‘historical domain-to-IP resolutions’).
Indicators of Compromise
- [Domain/Subdomain] malicious infrastructure and suspected C2 – ws[.]ztts88[.]cyou, nwphotoblog[.]com
- [IP Address] tracked network infrastructure and victim communications – 18[.]139[.]83[.]110, and 4 other IP addresses
- [IP Address] additional malicious IP identified in analysis – one confirmed malicious IP address
- [IP Address] victim-related network activity – 36 unique victim IP addresses
- [Domain] email-connected infrastructure discovered via reverse WHOIS – 2,779 unique email-connected domains, and 39 confirmed malicious domains
- [Domain] IP-connected domain set found during investigation – 37 IP-connected domains, and 18 confirmed malicious domains
Read more: https://circleid.com/posts/dns-investigation-threat-actor-ta4922-goes-global