Opsec Mistakes Reveal COBALT MIRAGE Threat Actors

The threat actors attempted to remove traces of their activities, deleting web shells, tools, and audit logs.
However, several tools and artifacts were recoverable.
The TunnelFish sample was configured to communicate with two command and control (C2) domains: gupdate[.]us and msupdate[.]top.
While investigating these domains, CTU researchers discovered additional infrastructure linked to COBALT MIRAGE: mssync[.]one, upmirror[.]top, 104[.]168.117.149, 172[.]245.26.118, and 193[.]142.59.174.
CTU researchers also discovered copies of a ransom note in the victim’s environment that referenced a Telegram account (@BuySafety) and email address (buysafety @ onionmail.org) observed in prior intrusions.

COBALT MIRAGE usually leaves a ransom note in the form of a .txt text file.
However, in this case the threat actors copied a PDF file containing the ransom text (Hi.pdf) into the victim’s environment.
Based on evidence from recovered log files, it appears multiple copies of the PDF file were created alongside multiple .txt files with the same content.
While other copies of the PDF were deleted, a copy remained in the threat actor’s staging directory.
This oversight resulted in the disclosure of information that could reveal the identity of an individual engaged in COBALT MIRAGE activity.
The metadata of the Hi.pdf ransom note indicates that the document was created by “ahmad khatibi” in a UTC +3.30 time zone.
This time zone corresponds to Iran Standard Time (IRST).
The timestamp appears to be authentic.

A LinkedIn profile lists Ahmad Khatibi as the CEO of Afkar System Co., a company based in Iran.
In June 2022, anti-Iranian regime whistleblower persona Lab_Dookhtegan posted a series of tweets about Ahmad Khatibi and Afkar System, stating they are operating on behalf of Intelligence Organization of Sepah (see Figure 2).
Sepah is a reference to the Islamic Revolutionary Guard Corp (IRGC), and the Intelligence Organization (IRGC-IO) is a subordinate unit.
The IRGC-IO is one of Iran’s primary intelligence functions and reportedly operates a cyber division.

Sign Up For Threat Alerts

Loading...
Threats Icon

Sep 21, 2022

Magic Rat

Cisco Talos has discovered a new remote access trojan (RAT), which analysts are calling "MagicRAT,"...

Threats Icon

Sep 21, 2022

Malicious Word Document with a Frameset

Xavier Mertens spotted a malicious Word OOXML document (with the new ".docx" format) that is...

Threats Icon

Sep 18, 2022

US Cert Alert – Iranian Islamic Revolutionary...

The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple...

Threats Icon

Sep 14, 2022

Dead or Alive – An Emotet Story

The DFIR Report observed a domain-wide compromise that started from a malware ridden Excel document...

Threats Icon

Sep 13, 2022

Dead or Alive? An Emotet Story

The DFIR Report observed a domain-wide compromise that started from a malware ridden Excel document...

Threats Icon

Sep 12, 2022

Shikitega – New stealthy malware targeting Linux

AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are...

Threats Icon

Sep 08, 2022

APT42: Crooked Charms, Cons and Compromises

Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked...

Threats Icon

Sep 07, 2022

US Cert Alert – Vice Society

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the...

Threats Icon

Sep 07, 2022

Worok – The big picture

ESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and...

Threats Icon

Sep 07, 2022

MuddyWater Targets Israel With Log4j Vulnerabilities In...

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team...

Threats Icon

Sep 05, 2022

No Honor Among Thieves – Prynt Stealer’s...

Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile...

Threats Icon

Sep 05, 2022

Grandoreiro Banking Trojan with New TTPs Targeting...

Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico...

Threats Icon

Sep 01, 2022

A Tale of PivNoxy and Chinoxy Puppeteer

An attack against a telecommunications agency in South Asia began with a simple email that...

Threats Icon

Aug 31, 2022

New Golang Ransomware Agenda Customizes Attacks

Investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based...

Threats Icon

Aug 31, 2022

ModernLoader delivers multiple stealers cryptominers and RATs

Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering...