Team Cymru tracks ongoing Iranian-linked activity by the PHOSPHORUS group, with a focus on a long-running C2 server at 107.173.231.114 and related infrastructure. The activity includes exploiting unpatched Exchange servers (Log4J and ProxyShell) and using IP- and DNS-based C2 channels, supported by newly registered domains. #PHOSPHORUS #Log4J #ProxyShell #Kaspersky #Porkbun #NameSilo
Key points
- PHOSPHORUS is an Iranian threat group targeting energy, government, and technology sectors across Europe, the Middle East, the United States, and other regions.
- 107.173.231.114 has been a persistent C2 server tied to PHOSPHORUS activities and is hosted by ColoCrossing, US.
- Passive DNS links 107.173.231.114 to multiple similarly structured domains, illustrating a shared domain cluster used for command and control.
- Domains aptmirror.eu, msupdate.us, and newdesk.top were re-registered from Porkbun to NameSilo between 30 June and 06 July 2022, indicating infrastructure changes.
- Cybersecurity Advisory AA22-257A (Sept 14, 2022) listed these domains and 107.173.231.114 in its IOC section.
- Victim communications occurred over TCP/443 and UDP/53 to 107.173.231.114, with indications of an outdated/unpatched Microsoft Exchange deployment on the victim.
MITRE Techniques
- [T1190] Exploit Public-Facing Application: PHOSPHORUS used opportunistic exploitation of unpatched systems leveraging Log4J and ProxyShell. "PHOSPHORUS TTPs have included the likely opportunistic targeting of unpatched vulnerable systems, leveraging common exploits such as Log4J and ProxyShell."
- [T1071.004] DNS: C2 and masking activities observed via DNS-related communication, including domains associated with Kaspersky and API queries. "Connections to domains such as kcp53.kaspersky.com and tcp443.kaspersky.com are potentially a means of masking malicious communications ..." and "Past activity observed resolving api.myip.com."
- [T1583.001] Acquire Infrastructure: Domain registrations linked to the operation shifted between registrars (Porkbun to NameSilo) for PHOSPHORUS infrastructure: "aptmirror.eu, msupdate.us, and newdesk.top were re-registered with NameSilo. The domains were previously registered with Porkbun."
- [T1036] Masquerading: Use of legitimate-looking domains (Kaspersky domains) to disguise C2 traffic: "the malware would seek to communicate with legitimate Kaspersky domains."
Indicators of Compromise
- [IP Address] 107.173.231.114: long-term C2 server associated with PHOSPHORUS; hosted at ColoCrossing, US
- [Domain] aptmirror.eu: domain used in PHOSPHORUS infrastructure
- [Domain] msupdate.us: domain used in PHOSPHORUS infrastructure
- [Domain] newdesk.top: domain used in PHOSPHORUS infrastructure
- [Domain] kcp53.kaspersky.com: legitimate domain used to mask C2 communications
- [Domain] tcp443.kaspersky.com: legitimate domain used to mask C2 communications
- [Domain] api.myip.com: domain observed in related C2/DNS activity
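As an added illustration (not code from the Team Cymru post), the Python below matches constructed, Zeek-like connection and DNS records against the indicators above: TCP/443 and UDP/53 connections to the C2 host and lookups of the PHOSPHORUS domains (or their subdomains) score high, while exact lookups of the legitimate Kaspersky and myip hosts score low on their own because they are normal traffic for many networks. The record layouts, sample hosts and confidence levels are assumptions made for this example.

```python
# Added example (not the Team Cymru post's own code): match constructed, Zeek-like
# tab-separated records against the indicators listed on this page.
from __future__ import annotations
import ipaddress

C2_IP = ipaddress.ip_address("107.173.231.114")              # long-term PHOSPHORUS C2 (page)
C2_DOMAINS = {"aptmirror.eu", "msupdate.us", "newdesk.top"}  # PHOSPHORUS-registered domains (page)
MASK_DOMAINS = {"kcp53.kaspersky.com", "tcp443.kaspersky.com", "api.myip.com"}  # legitimate hosts (page)
C2_PORTS = {("tcp", 443), ("udp", 53)}                       # victim-to-C2 channels named on the page
RANK = {"low": 1, "medium": 2, "high": 3}

def domain_matches(query: str, indicators: set[str]) -> bool:
    """Exact match or subdomain of an indicator, e.g. mail.msupdate.us -> msupdate.us."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in indicators)

def classify_conn(line: str) -> tuple[str, str] | None:
    """Constructed field layout: ts, uid, orig_h, orig_p, resp_h, resp_p, proto."""
    _ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
    if ipaddress.ip_address(resp_h) != C2_IP:
        return None
    # TCP/443 or UDP/53 to the C2 host is the observed channel; other ports still merit review.
    return orig_h, ("high" if (proto.lower(), int(resp_p)) in C2_PORTS else "medium")

def classify_dns(line: str) -> tuple[str, str] | None:
    """Constructed field layout: ts, uid, orig_h, query."""
    _ts, _uid, orig_h, query = line.split("\t")[:4]
    if domain_matches(query, C2_DOMAINS):
        return orig_h, "high"
    # Masking domains are legitimate: exact host only, low confidence unless corroborated.
    if query.lower().rstrip(".") in MASK_DOMAINS:
        return orig_h, "low"
    return None

def scan(conn_lines: list[str], dns_lines: list[str]) -> dict[str, str]:
    """Highest-confidence verdict per internal host across both log sources."""
    verdicts: dict[str, str] = {}
    for lines, classify in ((conn_lines, classify_conn), (dns_lines, classify_dns)):
        for host, level in filter(None, map(classify, lines)):
            if host not in verdicts or RANK[level] > RANK[verdicts[host]]:
                verdicts[host] = level
    return verdicts

# Constructed sample records (not real telemetry); 203.0.113.10 is a documentation address.
CONN_LINES = ["1668000000.1\tCx1\t10.0.0.5\t51000\t107.173.231.114\t443\ttcp",
              "1668000001.2\tCx2\t10.0.0.5\t52000\t107.173.231.114\t53\tudp",
              "1668000002.3\tCx3\t10.0.0.7\t53000\t203.0.113.10\t443\ttcp",
              "1668000003.4\tCx4\t10.0.0.9\t54000\t107.173.231.114\t8080\ttcp"]
DNS_LINES = ["1668000000.5\tCd1\t10.0.0.5\tkcp53.kaspersky.com",
             "1668000000.6\tCd2\t10.0.0.7\tmail.msupdate.us",
             "1668000000.7\tCd3\t10.0.0.8\twww.kaspersky.com",
             "1668000000.8\tCd4\t10.0.0.7\tapi.myip.com."]
```

Running `scan(CONN_LINES, DNS_LINES)` on the sample returns high for 10.0.0.5 and 10.0.0.7, medium for 10.0.0.9, and nothing for 10.0.0.8, whose lookup of www.kaspersky.com is not one of the listed masking hosts.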
Read more: https://www.team-cymru.com/post/iranian-exploitation-activities-continue-as-of-november-2022