Opsec Mistakes Reveal COBALT MIRAGE Threat Actors

Secureworks CTU analyzed a June 2022 ransomware incident involving the Iranian COBALT MIRAGE group, highlighting continued use of known TTPs. The operation deployed ProxyShell exploits, web shells, and TunnelFish, encrypted servers with BitLocker, and left traces that reveal attribution patterns and ties to Iranian entities. #COBALT_MIRAGE #TunnelFish #ProxyShell #IRGC_IO #NajeeTechnology #Secnerd #AfkarSystem #AhmadKhatibi

Keypoints

  • COBALT MIRAGE exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in a June 2022 incident, indicating opportunistic rather than highly targeted access.
  • The attackers deployed multiple web shells and TunnelFish (a customized FRPC variant) and enabled the DefaultAccount with a commonly used password (P@ssw0rd1234), followed by BitLocker encryption on several servers.
  • They attempted to erase traces by deleting web shells, tools, and audit logs, but several artifacts remained recoverable, including C2 domains and related infrastructure.
  • TunnelFish C2 domains observed: gupdate.us and msupdate.top; additional infrastructure included mssync.one, upmirror.top, and several related IPs.
  • Ransom notes appeared both as text and as a PDF (Hi.pdf) with metadata pointing to Ahmad Khatibi and Iran Standard Time, suggesting a personal attribution clue rather than perfect anonymity.
  • CTU links COBALT MIRAGE to Iranian entities Najee Technology, Secnerd, and Afkar System, and discusses potential IRGC-IO connections, while noting attribution remains uncertain.
  • Despite earlier disclosures, ProxyShell remains exploitable, reinforcing CTU’s advice to patch internet-facing systems and tighten controls to mitigate exposure.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). ‘…exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207)…’
  • [T1136] Create Account – Enabled the DefaultAccount with a password commonly used by COBALT MIRAGE (P@ssw0rd1234). ‘…enabled the DefaultAccount with a password commonly used by COBALT MIRAGE (P@ssw0rd1234) and encrypted several servers using BitLocker.’
  • [T1505.003] Web Shell – Deployed multiple web shells and TunnelFish, a customized variant of Fast Reverse Proxy (FRPC). ‘…deployed multiple web shells and TunnelFish, a customized variant of Fast Reverse Proxy (FRPC).’
  • [T1071.001] Web Protocols – The TunnelFish sample was configured to communicate with two command and control (C2) domains: gupdate.us and msupdate.top. ‘The TunnelFish sample was configured to communicate with two command and control (C2) domains: gupdate . us and msupdate . top.’
  • [T1070] Indicator Removal on Host – Attempted to remove traces of their activities, deleting web shells, tools, and audit logs. ‘…attempted to remove traces of their activities, deleting web shells, tools, and audit logs.’
  • [T1486] Data Encrypted for Impact – Encrypted several servers using BitLocker. ‘…encrypted several servers using BitLocker.’

Indicators of Compromise

  • [Domain name] TunnelFish C2 servers used by COBALT MIRAGE – gupdate.us, msupdate.top, and 2 more domains
  • [IP address] Hosting TunnelFish domains used by COBALT MIRAGE – 193.142.59.174, 104.168.117.149
  • [SHA-256 hash] TunnelFish malware used by COBALT MIRAGE – 69314c1969f28bfab34683769286326e25d9a0f07c4bad3443d08efe4f43e0a8
  • [SHA-1 hash] TunnelFish malware used by COBALT MIRAGE – f38f3a1cda90229434e8ab8c59342838106b9778
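As an added example (not code from the Secureworks post), the following Python triage routine checks log lines for two of the behaviours described above: resolution of the TunnelFish C2 domains or IPs listed here, and the built-in DefaultAccount being enabled (Windows Security event ID 4722, "A user account was enabled"). The flat log format and the sample lines are constructed assumptions; only the domains, IPs and account name come from the post.

```python
import re

# Indicators taken from the post; everything else in this block is constructed.
TUNNELFISH_C2 = {"gupdate.us", "msupdate.top", "mssync.one", "upmirror.top"}
TUNNELFISH_IPS = {"193.142.59.174", "104.168.117.149"}

# Assumed flat log layouts (constructed for this example).
DNS_RE = re.compile(r"dns query=(?P<host>[\w.-]+) answer=(?P<ip>[\d.]+)")
SEC_RE = re.compile(r"event_id=(?P<eid>\d+).*target_account=(?P<acct>[\w$-]+)")


def _host_matches(host: str) -> bool:
    # Match the C2 domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in TUNNELFISH_C2)


def triage(lines):
    """Return (severity, reason, line) tuples for lines matching the post's IoCs/TTPs."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and (_host_matches(m["host"]) or m["ip"] in TUNNELFISH_IPS):
            hits.append(("high", "TunnelFish C2 infrastructure", line))
            continue
        m = SEC_RE.search(line)
        # 4722 = "A user account was enabled"; DefaultAccount is disabled by default.
        if m and m["eid"] == "4722" and m["acct"].lower() == "defaultaccount":
            hits.append(("high", "built-in DefaultAccount enabled", line))
    return hits


# Constructed sample lines (not real telemetry); 192.0.2.0/24 is a documentation range.
SAMPLE = [
    "2022-06-10T02:11:05Z dns query=www.example.com answer=192.0.2.10",
    "2022-06-10T02:13:44Z dns query=gupdate.us answer=193.142.59.174",
    "2022-06-10T02:14:01Z dns query=cdn.msupdate.top answer=104.168.117.149",
    "2022-06-10T02:20:17Z security event_id=4722 target_account=DefaultAccount",
    "2022-06-10T02:20:18Z security event_id=4722 target_account=svc_backup",
]

if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE):
        print(f"[{sev}] {reason}: {line}")
```

Subdomain matching matters because a tunnel client is often pointed at a host under the registered domain rather than the apex itself.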

Read more: https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors