Ransomware Delivery URLs: Top Campaigns and Trends

Ransomware is increasingly delivered via URLs as threat actors rotate hostnames, paths, and filenames to evade defenses. The report covers how attackers abuse hosting providers and public services, with case studies involving STOP/DJVU, Raccoon Stealer, and Smoke Loader, and highlights the need for defense-in-depth to detect both the binaries and the URLs.
#RaccoonStealer #SmokeLoader #TeslaCrypt #STOPDJVU #superstar75737

Keypoints

  • URL-based delivery is now the leading ransomware vector, with web browsing delivering the majority of infections in 2022.
  • Threat actors rotate URLs, hostnames, and filenames to distribute the same ransomware or multiple variants widely.
  • Ransomware is hosted on compromised or publicly abused domains across various TLDs, including ccTLDs like .ru and .cn.
  • Public hosting, social media, and sharing services are abused to reach large audiences while evading URL blocks.
  • Campaigns show both rotating ransomware files with the same URL and rotating URLs delivering the same ransomware, plus loader components used as initial access.
  • Long-lived, highly-visited domains may be compromised benign sites used to slip past defenses; infrastructure often spans geographically distributed locations.

MITRE Techniques

  • [T1189] Drive-by Compromise – Ransomware delivery occurs when users browse a site themselves or when compromised software on the host accesses it, enabling direct delivery over the web. [“Ransomware delivered through URLs when they browse a site themselves, or if malware or other software surreptitiously placed on a compromised system accesses it.”]
  • [T1105] Ingress Tool Transfer – A loader is downloaded and used to fetch and load ransomware binaries from remote URLs. [“the loader with SHA-256 … is delivered through https://privacy-tools-for-you-780[.]com/downloads/toolspab3.exe. During execution, it contacts zerit[.]top/dl/buildz.exe to load ransomware binaries.”]
  • [T1583] Acquire Infrastructure – Attackers abuse public hosting, social media and sharing services to host ransomware URLs and infrastructure; links to a threat actor selling access to Raccoon Stealer logs illustrate this use of third-party infrastructure. [“All of these domains are also related to a threat actor called superstar75737 who sold access to Raccoon Stealer logs on a Russian-speaking cybercrime forum, exploit[.]in, in November 2022.”]

Indicators of Compromise

  • [URL] TeslaCrypt Campaign URLs – oddsium[.]com/g76dbf, clicktoevent[.]com/g76dbf?lrebib=kvqqhaohs, http://veterinary-surgeons[.]net/g76dbf?grpvldcmq=pnstptslwh, rgyui[.]top/dl/build.exe
  • [SHA-256 Hash] Ransomware/loader hashes – 0708d5027c26f96f5bf81b373348346149511a4b9f11391a979159185371bcc5, 4e1f743b60d65732d43e6a8c064016369a2cb6d03e81e04e114ed6a31297a2a7
  • [IP Address] Hosting infrastructure locations – 34[.]69[.]12[.]51, 34[.]65[.]61[.]83, and 34[.]106[.]70[.]53
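The keypoints above describe two rotation patterns (many hostnames serving one path, and one URL serving changing binaries), and the IOC list shows the first one directly: three unrelated hosts all serve /g76dbf. The following Python is an added example (not code from the Unit 42 report) of how a defender can operationalise that: refang the defanged IOCs, pivot them by URL path to expose the rotation cluster, then scan proxy logs and flag a request either because the exact URL is listed, because its path belongs to a rotation cluster even on a host never seen before, or because the downloaded file's SHA-256 is listed. The proxy log lines, their "ts client method url status sha256" layout, and the hostnames news-example-site.com and cdn.example.net are constructed for the example; the IOC URLs and hashes are the ones listed on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IOCs as listed in this summary (defanged with [.] as published).
DEFANGED_IOC_URLS = [
    "oddsium[.]com/g76dbf",
    "clicktoevent[.]com/g76dbf?lrebib=kvqqhaohs",
    "http://veterinary-surgeons[.]net/g76dbf?grpvldcmq=pnstptslwh",
    "rgyui[.]top/dl/build.exe",
    "https://privacy-tools-for-you-780[.]com/downloads/toolspab3.exe",
    "zerit[.]top/dl/buildz.exe",
]
IOC_HASHES = {
    "0708d5027c26f96f5bf81b373348346149511a4b9f11391a979159185371bcc5",
    "4e1f743b60d65732d43e6a8c064016369a2cb6d03e81e04e114ed6a31297a2a7",
}

# Constructed proxy log (assumed format: ts client method url status sha256-of-body).
# Line 2 uses a host that is NOT in the IOC list but serves the rotated path;
# line 4 uses an unlisted host but delivers a listed binary. Both are assumptions.
SAMPLE_PROXY_LOG = """\
2023-01-10T12:00:01Z 10.0.0.5 GET http://oddsium.com/g76dbf 200 0708d5027c26f96f5bf81b373348346149511a4b9f11391a979159185371bcc5
2023-01-10T12:03:44Z 10.0.0.7 GET http://news-example-site.com/g76dbf?x=1 200 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2023-01-10T12:05:12Z 10.0.0.9 GET http://example.org/index.html 200 -
2023-01-10T12:09:30Z 10.0.0.9 GET http://cdn.example.net/dl/build.exe 200 4e1f743b60d65732d43e6a8c064016369a2cb6d03e81e04e114ed6a31297a2a7
"""


def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def split_url(url: str) -> tuple:
    """Return (host, path); a missing scheme is tolerated and the query string is dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def pivot_by_path(ioc_urls) -> dict:
    """Group IOC hosts by the path they serve; a path with several hosts is URL rotation."""
    groups = defaultdict(set)
    for ioc in ioc_urls:
        host, path = split_url(refang(ioc))
        groups[path].add(host)
    return {path: sorted(hosts) for path, hosts in groups.items()}


def rotation_clusters(ioc_urls, min_hosts: int = 2) -> dict:
    """Only the paths shared by at least min_hosts distinct hosts."""
    return {p: h for p, h in pivot_by_path(ioc_urls).items() if len(h) >= min_hosts}


def scan_log(log_text: str, ioc_urls, ioc_hashes) -> list:
    """Flag log lines by exact URL IOC, by rotated path on a new host, or by payload hash.

    Returns (timestamp, client, url, reasons) for each hit, in log order.
    """
    exact = {split_url(refang(u)) for u in ioc_urls}
    clusters = rotation_clusters(ioc_urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        ts, client, _method, url, _status, digest = fields[:6]
        host, path = split_url(url)
        reasons = []
        if (host, path) in exact:
            reasons.append("url-ioc")
        elif path in clusters:
            # Same path as a known rotation cluster: likely the next rotated hostname.
            reasons.append("rotating-path:" + path)
        if digest.lower() in ioc_hashes:
            # Second layer: the binary is known even when the URL is not.
            reasons.append("hash-ioc")
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


if __name__ == "__main__":
    for path, hosts in rotation_clusters(DEFANGED_IOC_URLS).items():
        print(f"rotation cluster {path}: {hosts}")
    for hit in scan_log(SAMPLE_PROXY_LOG, DEFANGED_IOC_URLS, IOC_HASHES):
        print(hit)
```

The path-cluster rule is deliberately weak evidence on its own (short random-looking paths like /g76dbf can collide with benign URLs), so in practice it should raise priority or trigger sandboxing of the fetched file rather than block outright; the hash rule is the hard match, and together they give the two layers the report argues for.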

Read more: https://unit42.paloaltonetworks.com/url-delivered-ransomware/#post-129339-_cfw3vjr99swz