Two sentences summarizing the content: GlobeImposter has spanned multiple campaigns and rebrands, with the TZW ransomware identified as a new variant that shares infrastructure and techniques with GlobeImposter. The findings show shared onion-based victim portals and similar ransom notes, highlighting ongoing threats from the same group. #GlobeImposter #TZW
Keypoints
- GlobeImposter and TZW are linked as rebranded variants from the same threat actor, sharing infrastructure and onion-based portals.
- Delivery remains phishing-based with attachments/links leading to 7zip/JS payloads.
- Evidence shows shared infrastructure including two onion domains and misconfigured Apache status page exposing active vhosts.
- GlobeImposter deletes volume shadow copies to hinder recovery and appends a 'CRYPTO LOCKER' marker to the tail of encrypted files.
- New TZW variants show minor differences in file metadata but largely align with GlobeImposter payloads and setup.
- Threat actors use TOR-based victim portals and a common payload family across GlobeImposter/TZW campaigns; SentinelOne provides protection guidance.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – delivery via phishing email carrying a malicious attachment. – “GlobeImposter is most often delivered via phishing email as an attachment or a link to a malicious attachment.”
- [T1566.002] Phishing: Spearphishing Link – delivery via phishing email carrying a link to the malicious attachment. – “GlobeImposter is most often delivered via phishing email as an attachment or a link to a malicious attachment.”
- [T1027.002] Obfuscated Files or Information: Software Packing – payloads and infrastructure were obfuscated in a manner consistent with a rebrand. – “obfuscated their payloads and obfuscating their infrastructure in a manner consistent with a rebrand effort.”
- [T1486] Data Encrypted for Impact – encryption of victim files, evidenced by markers in encrypted data. – “the ‘CRYPTO LOCKER’ string appended to the tail of the encrypted files.”
- [T1070.004] Indicator Removal: File Deletion – deletion of volume shadow copies, which inhibits data recovery. – “GlobeImposter has the ability to delete volume shadow copies, thereby inhibiting the recovery of data.”
- [T1083] File and Directory Discovery – a misconfigured Apache status page on the actors' server exposed all of its active vhosts. – “This Apache status screen is visible as a result of a misconfiguration on the Apache server, allowing us to see all the active vhosts (virtual hosts) present there.”
- [T1490] Inhibit System Recovery – Shadow copy deletion hinders recovery. – “GlobeImposter has the ability to delete volume shadow copies, thereby inhibiting the recovery of data.”
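The 'CRYPTO LOCKER' string appended to the tail of encrypted files (noted under T1486 and in the keypoints) is a cheap triage signal for responders. The following is an added example, not code from the report or from SentinelOne: it sweeps a directory tree and flags files whose trailing bytes contain that marker, reading only a small window from the end of each file so large volumes can be scanned quickly. File names and contents are constructed sample data; the marker is checked against the tail window only, so a file that merely mentions the string in its body is not flagged.

```python
import os
import tempfile
from pathlib import Path

# Marker the report describes as appended to the tail of files encrypted by GlobeImposter.
MARKER = b"CRYPTO LOCKER"

def has_tail_marker(path, marker=MARKER, window=64):
    """Return True if the last `window` bytes of `path` contain `marker`."""
    size = os.path.getsize(path)
    if size < len(marker):
        return False
    with open(path, "rb") as fh:
        fh.seek(max(0, size - window))   # read only the tail, not the whole file
        return marker in fh.read()

def scan_tree(root, marker=MARKER):
    """Walk `root` and return sorted POSIX-style relative paths of files carrying the marker."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            if has_tail_marker(p, marker):
                hits.append(p.relative_to(root).as_posix())
        except OSError:
            continue  # unreadable or vanished file: skip it rather than abort the sweep
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data (hypothetical names): one tagged file, one clean file,
    and one that contains the marker only in its body, not at the tail."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.locked").write_bytes(bytes(range(256)) + MARKER)
    (root / "docs" / "clean.txt").write_bytes(b"quarterly numbers\n" * 10)
    (root / "notes.txt").write_bytes(MARKER + b"\n" + b"x" * 200)
    return root

def demo():
    """Build the sample tree in a temporary directory and return the scan result."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_tree(d)

if __name__ == "__main__":
    print(demo())  # ['docs/report.docx.locked']
```

On a real host, pair the hit list with shadow-copy state (the report notes GlobeImposter deletes volume shadow copies) to decide quickly whether local recovery is still possible.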
Indicators of Compromise
- [SHA1] Context – sample hashes for GlobeImposter/TZW variants – 4585da0ff7a763be1a46d78134624f7cd13e6940, 14be1c43fbfb325858cda78a126528f82cf77ad2, and 8 more hashes
- [Onion Domains] Context – TOR-based victim portals used by GlobeImposter/TZW – tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad.onion, obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion