Wizard Spider continues to confound
Authored by: Matt Stafford
Google’s Threat Analysis Group (TAG) published a report on 24 Mar 2022 titled “Countering threats from North Korea”. In this report, TAG details the operations of North Korean state-backed threat actors engaged in active exploitation of an RCE vulnerability in Google Chrome. TAG lists several domains they assess are owned by the threat actors, one of which is “disneycareers[.]net”. This domain immediately caught PACT’s attention, as it was one of the anomalous findings we documented in our initial report on 15 Mar 2022 titled “What Wicked Webs We Un-Weave”. To quickly summarize: PACT identified this (apparently unrelated) domain hosted on dedicated infrastructure that was primarily being used to host extensive Naver-themed phishing activity. Two weeks ago (see the update to the original blog on 18 Mar 2022), Google TAG published their assessment that an Initial Access Broker (IAB) with ties to the Conti ransomware gang was using this infrastructure as well. Prior to that, RiskIQ and Microsoft had identified at least three distinct clusters of activity (WIZARD SPIDER, zero-day exploitation used to deploy unique Cobalt Strike BEACON payloads, and initial access tooling like BazarLoader and Emotet). PACT considers it notable and highly unusual that multiple research teams have observed such a wide spectrum of activity occurring on this infrastructure: phishing, initial access operations, targeted ransomware, and state-backed espionage have all been well documented.
TAG’s disclosure of additional domains allowed PACT’s analysts to conduct additional pivots. Further overlaps were indeed observed, but generally amounted to additional “ancillary evidence” (to borrow a phrase from RiskIQ): 5 domains published by TAG were linked to PACT’s previous findings via pDNS, but all of these previous resolutions were part of shared hosting infrastructure that cannot be definitively tied to a single actor or customer. However, PACT found the level of overlap noteworthy: over 80 domains listed as part of the Cobalt Strike infrastructure documented by RiskIQ were linked to the following 5 domains from TAG’s report: chainnews-star[.]com, gbclabs[.]com, blockchainnews[.]vip, giantblock[.]org, ziprecruiters[.]org. The pDNS overlaps formed by these domains are in addition to the existing overlap seen with disneycareers[.]net, which TAG assesses is part of the recent North Korean-backed Chrome exploitation activity and which is hosted on what multiple vendors have assessed to be non-public IP “172.93.201[.]253”. This same IP was the first critical node identified in PACT’s investigation, as a large number of Naver-themed phishing pages with a common registrant resolved to it.
Additional feedback from the information security community (hat tip to Zetalytics) pointed PACT to what we assess to be an additional node in this dedicated infrastructure: “23.82.19[.]179”. PACT identified 38 new* (previously unknown) Naver-themed phishing domains after identifying this IP address. 21 previously-known Naver-themed domains were seen resolving both to this IP and to “23.81.246[.]131”, which formed the initial link between the Naver credential phishing activity and the reported WIZARD SPIDER infrastructure. Further strengthening PACT’s assessment that “23.82.19[.]179” is part of this cluster of malicious infrastructure is the fact that registrant persona “gameproducters@outlook[.]com” registered all newly-identified domains; this same registrant was identified in PACT’s original reporting. Threat actor TTP overlaps were also observed and provided added confidence: IP “23.82.19[.]179” serves HTTP/302 redirects to Naver-themed phishing pages hosted on 000webhostapp.com, a technique PACT observed previously. Furthermore, this IP is part of Leaseweb, Inc.’s US-based dedicated hosting infrastructure, which PACT identified as the actor’s preferred vendor and geographic location.
*note: PACT included these 38 newly-identified domains in the IOC annex of our report, below.
In summary, the publication of additional information surrounding this infrastructure has led to further uncertainty. The only assessment of near certainty that can be made in light of recent research is that there is a definite nexus of malicious use around this infrastructure. Recent reporting has not altered PACT’s initial assessment of moderate confidence: an as-yet unreported criminal hosting service exists on this infrastructure. The wide variety of malicious activity and distinct operational goals, initially observed by Microsoft and RiskIQ, deserves special attention and analysis.
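The pDNS pivoting described above (seed IOC → co-resolving domains, then separating dedicated hosting from shared hosting that "cannot be definitively tied to a single actor", then corroborating with registrant persona and the Naver-lookalike naming pattern) can be written down as a small, repeatable procedure. The script below is an added example and is not PACT's tooling. The IPs, registrant persona and IOC domains it uses are the defanged values quoted in this post; every other pDNS record, tenant domain and the registrant mapping are constructed for the example, as is the tenant-count threshold that decides "dedicated" versus "shared".

```python
"""pDNS pivot helper: find domains that co-resolve with seed IOCs, tag each
shared IP as dedicated (few tenants) or shared (many tenants), and score the
pivoted domains against corroborating signals.  Sample data is constructed."""
import re
from collections import defaultdict

# Constructed pDNS records as (domain, ip).  The IOC domains/IPs are the
# defanged values from the post; *.test names are placeholder tenants.
PDNS = [
    ("disneycareers[.]net", "172.93.201[.]253"),
    ("navernidc[.]link", "172.93.201[.]253"),
    ("navernidc[.]link", "23.81.246[.]131"),
    ("navercomg[.]link", "23.81.246[.]131"),
    ("navernidc[.]link", "23.82.19[.]179"),
    ("navercomg[.]link", "23.82.19[.]179"),
    ("navreplyg[.]site", "23.82.19[.]179"),
    # a constructed shared-hosting IP with many unrelated tenants
    ("example-shop.test", "203.0.113.10"),
    ("some-blog.test", "203.0.113.10"),
    ("another-site.test", "203.0.113.10"),
    ("chainnews-star[.]com", "203.0.113.10"),
    ("navenidd[.]site", "203.0.113.10"),
]

# Constructed registrant data; the persona string itself is from the post.
REGISTRANT = {
    "navercomg[.]link": "gameproducters@outlook[.]com",
    "navreplyg[.]site": "gameproducters@outlook[.]com",
    "navernidc[.]link": "gameproducters@outlook[.]com",
    "navenidd[.]site": "gameproducters@outlook[.]com",
}

NAVER_TOKENS = ("nid", "com", "reply")   # fragments seen in the annex
LEGIT = {"naver.com"}                     # the real brand domain


def refang(ioc):
    """Turn 'a[.]b' back into 'a.b' so values can be compared."""
    return ioc.replace("[.]", ".")


def naver_lookalike(domain):
    """Heuristic: leftmost label mixes 'nav' with nid/com/reply and the
    domain is not the legitimate brand domain."""
    d = refang(domain).lower().rstrip(".")
    if d in LEGIT or d.endswith(".naver.com"):
        return False
    label = d.split(".")[0]
    return "nav" in label and any(t in label for t in NAVER_TOKENS)


def tenants_by_ip(records):
    by_ip = defaultdict(set)
    for dom, ip in records:
        by_ip[refang(ip)].add(refang(dom))
    return by_ip


def pivot(seed_domains, records, max_tenants=4):
    """Return {new_domain: {(ip, 'dedicated'|'shared'), ...}} for every domain
    that shares an IP with a seed.  max_tenants is a constructed threshold."""
    seeds = {refang(d) for d in seed_domains}
    found = {}
    for ip, doms in tenants_by_ip(records).items():
        if not doms & seeds:
            continue
        kind = "dedicated" if len(doms) <= max_tenants else "shared"
        for d in doms - seeds:
            found.setdefault(d, set()).add((ip, kind))
    return found


def assess(seed_domains, records, registrant, max_tenants=4):
    """Score each pivoted domain: +1 co-resolves on a dedicated IP, +1 same
    registrant persona as a seed, +1 Naver-lookalike label."""
    seeds = {refang(d) for d in seed_domains}
    regs = {refang(k): v for k, v in registrant.items()}
    seed_personas = {regs[d] for d in seeds if d in regs}
    results = {}
    for dom, links in pivot(seed_domains, records, max_tenants).items():
        score, reasons = 0, []
        if any(kind == "dedicated" for _, kind in links):
            score, reasons = score + 1, reasons + ["shares dedicated IP"]
        if dom in regs and regs[dom] in seed_personas:
            score, reasons = score + 1, reasons + ["same registrant persona"]
        if naver_lookalike(dom):
            score, reasons = score + 1, reasons + ["naver lookalike label"]
        results[dom] = (score, reasons)
    return results


if __name__ == "__main__":
    for dom, (score, why) in sorted(assess(["navernidc[.]link"], PDNS, REGISTRANT).items()):
        print(f"{dom:24} score={score} {', '.join(why)}")
```

Seeding with one known Naver-themed domain surfaces the other tenants of the three dedicated IPs; seeding with a TAG domain that only sits on the constructed shared-hosting IP yields tenants tagged "shared", which is exactly the "ancillary evidence" category the post declines to attribute.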
New Naver-themed phishing domains, identified with 30 Mar 2022 update:
navenidd[.]site
navercomg[.]link
naverbcom[.]link
naveracom[.]link
navreplyg[.]site
navreplyi[.]site
navercomh[.]link
navreplyb[.]live
navercomb[.]link
naverbnid[.]live
navernidc[.]link
navenidb[.]live
navernidd[.]online
navreplyk[.]site
navenidc[.]live
navernidb[.]link
navercome[.]link
navreplye[.]live
naverccom[.]link
navernidc[.]tech
nidnavera[.]online
navreplyf[.]site
nidnavere[.]online
navernidd[.]live
navreplyj[.]site
navernida[.]link
navercomc[.]link
navreplyd[.]live
naveranid[.]link
navercoma[.]link
navercomf[.]link
navercomd[.]link
navreplya[.]online
navreplyh[.]site
navercnid[.]link
navreplya[.]live
navenida[.]live
navernida[.]tech
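To put the annex to use, a defender needs to refang the list, match it against DNS query logs (including subdomains of the listed domains), and hunt for the redirect TTP noted above: an HTTP/302 from one of the listed IPs or domains to a page on 000webhostapp.com. The following is an added example, not PACT's code. The IOC domains and IPs are taken from this post; the DNS query log and proxy log lines, their simplified formats, and the 000webhostapp.com subdomain names are all constructed for the example.

```python
"""Match the annex IOCs against constructed DNS and web-proxy log lines and
flag 302 redirects from listed infrastructure to *.000webhostapp.com."""
import re
from urllib.parse import urlparse

# A subset of the annex, kept defanged as published.
IOC_DOMAINS_DEFANGED = [
    "navenidd[.]site", "navercomg[.]link", "navreplyg[.]site", "nidnavera[.]online",
]
IOC_IPS_DEFANGED = ["23.82.19[.]179", "23.81.246[.]131", "172.93.201[.]253"]


def refang(s):
    return s.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}

# Constructed DNS query log (simplified BIND-style 'client ...#port: query: NAME IN TYPE').
DNS_LOG = """\
30-Mar-2022 10:01:02.123 client 10.0.0.5#53421: query: navercomg.link IN A + (10.0.0.1)
30-Mar-2022 10:01:03.456 client 10.0.0.7#50211: query: mail.naver.com IN A + (10.0.0.1)
30-Mar-2022 10:01:04.789 client 10.0.0.9#41100: query: www.navreplyg.site IN A + (10.0.0.1)
30-Mar-2022 10:01:05.000 client 10.0.0.9#41101: query: navercomg.link.internal.test IN A + (10.0.0.1)
"""

# Constructed proxy log: client method url status location ('-' when absent).
PROXY_LOG = """\
10.0.0.5 GET http://23.82.19.179/nid/login 302 https://example-login.000webhostapp.com/index.html
10.0.0.7 GET http://navercomg.link/ 302 https://example-nid.000webhostapp.com/login.html
10.0.0.8 GET https://www.example.com/ 302 https://www.example.com/home
10.0.0.9 GET http://23.82.19.179/ 200 -
"""

DNS_RE = re.compile(r"client (?P<client>\S+?)#\d+: query: (?P<qname>\S+) IN")


def domain_matches(name, iocs):
    """Return the IOC that `name` equals or is a subdomain of, else None.
    Suffix matching is on whole labels, so 'navercomg.link.internal.test'
    does not match 'navercomg.link'."""
    n = name.rstrip(".").lower()
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def match_dns(log):
    """Yield (client, qname, matched_ioc) for every query hitting the annex."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        ioc = domain_matches(m["qname"], IOC_DOMAINS)
        if ioc:
            hits.append((m["client"], m["qname"], ioc))
    return hits


def suspicious_redirects(log):
    """Yield (client, source_host, redirect_host) for 302s that leave listed
    infrastructure and land on a 000webhostapp.com page."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client, _method, url, status, location = parts
        if status != "302" or location == "-":
            continue
        src = (urlparse(url).hostname or "").lower()
        dst = (urlparse(location).hostname or "").lower()
        src_listed = src in IOC_IPS or domain_matches(src, IOC_DOMAINS) is not None
        dst_webhost = dst == "000webhostapp.com" or dst.endswith(".000webhostapp.com")
        if src_listed and dst_webhost:
            hits.append((client, src, dst))
    return hits


if __name__ == "__main__":
    for hit in match_dns(DNS_LOG):
        print("DNS hit:", hit)
    for hit in suspicious_redirects(PROXY_LOG):
        print("redirect hit:", hit)
```

The subdomain check matches on whole labels so that a lookalike embedded deeper in an unrelated name does not fire, and the redirect rule requires both halves of the TTP (listed source, 000webhostapp.com destination) so that ordinary 302s on the same IP are not flagged by themselves.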