Wizard Spider continues to confound

Prevailion
Mar 30, 2022

Authored by: Matt Stafford

Google’s Threat Analysis Group (TAG) published a report on 24 Mar 2022 titled “Countering threats from North Korea”. In it, TAG details the operations of North Korean state-backed threat actors actively exploiting an RCE vulnerability in Google Chrome, and lists several domains it assesses are owned by those actors. One of them, “disneycareers[.]net”, immediately caught PACT’s attention: it was one of the anomalous findings documented in our initial report of 15 Mar 2022, “What Wicked Webs We Un-Weave”. To summarize quickly: PACT identified this (apparently unrelated) domain hosted on dedicated infrastructure that was primarily being used to host extensive Naver-themed phishing activity. Two weeks ago (see the 18 Mar 2022 update to the original blog), Google TAG published its assessment that an Initial Access Broker (IAB) with ties to the Conti ransomware gang was using this infrastructure as well. Prior to that, RiskIQ and Microsoft had identified at least three distinct clusters of activity on it: WIZARD SPIDER, zero-day exploitation used to deploy unique Cobalt Strike BEACON payloads, and initial-access tooling such as BazarLoader and Emotet. PACT considers it notable and highly unusual that multiple research teams have observed such a wide spectrum of activity on a single set of infrastructure: phishing, initial-access operations, targeted ransomware and state-backed espionage have all been well documented.

TAG’s disclosure of additional domains allowed PACT’s analysts to conduct further pivots. Additional overlaps were indeed observed, but they generally amounted to “ancillary evidence” (to borrow RiskIQ’s phrase): five domains published by TAG were linked to PACT’s previous findings via passive DNS (pDNS), but all of those earlier resolutions were on shared hosting infrastructure that cannot be definitively tied to a single actor or customer. PACT nonetheless found the degree of overlap noteworthy: more than 80 of the domains documented by RiskIQ as Cobalt Strike infrastructure were linked to the following five domains from TAG’s report: chainnews-star[.]com, gbclabs[.]com, blockchainnews[.]vip, giantblock[.]org and ziprecruiters[.]org. These pDNS overlaps are in addition to the existing overlap on disneycareers[.]net, which TAG assesses is part of the recent North Korean-backed Chrome exploitation activity and which is hosted on IP “172.93.201[.]253”, an address multiple vendors have assessed to be dedicated (non-shared) hosting. That IP was also the first critical node identified in PACT’s investigation: a large number of Naver-themed phishing pages with a common registrant resolved to it.

Additional feedback from the information security community (hat tip to Zetalytics) pointed PACT to what we assess to be another node in this dedicated infrastructure: “23.82.19[.]179”. Pivoting from this IP address, PACT identified 38 new* (previously unknown) Naver-themed phishing domains. A further 21 previously-known Naver-themed domains were seen resolving both to this IP and to “23.81.246[.]131”, the address that formed the initial link between the Naver credential-phishing activity and the reported WIZARD SPIDER infrastructure. Strengthening PACT’s assessment that “23.82.19[.]179” belongs to this cluster of malicious infrastructure, the registrant persona “gameproducters@outlook[.]com” registered all of the newly identified domains; the same registrant was identified in PACT’s original reporting. Threat actor TTP overlaps added further confidence: “23.82.19[.]179” serves HTTP 302 redirects to Naver-themed phishing pages hosted on 000webhostapp.com, a technique PACT observed previously. Finally, this IP is part of Leaseweb, Inc.’s US-based dedicated hosting, which PACT identified as the actor’s preferred vendor and geographic location.

*Note: PACT included these 38 newly identified domains in the IOC annex at the end of this report.
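The pivot described above rests on four independent overlap types: domains seen resolving to both the candidate IP and a known cluster IP, reuse of the registrant persona, the HTTP 302-to-000webhostapp.com redirect TTP, and the hosting provider. The script below is an added example (not PACT tooling) that scores a candidate IP on exactly those four signals. The pDNS, whois, redirect and hosting records in it are constructed sample data: the `.example` names stand in for previously-known phishing domains, `203.0.113.7` is a documentation-range control address, and the thresholds in `evidence_types` are illustrative. Only the IPs, registrant e-mail, redirect target, hosting vendor and the two annex domains come from the write-up.

```python
"""Score a candidate IP against a known malicious cluster using shared pDNS
resolutions, registrant reuse, a redirect TTP and hosting provider.
Added example with constructed data; not PACT's dataset or code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    ip: str


@dataclass
class Evidence:
    shared_domains: Set[str]       # seen on both the candidate and a cluster IP
    registrant_matches: Set[str]   # candidate domains registered by a cluster persona
    redirect_matches: Set[str]     # candidate domains that 302 to a cluster redirect target
    same_hosting: bool             # candidate IP sits with the cluster's hosting vendor

    def evidence_types(self) -> int:
        # A single shared resolution is treated as ancillary (shared hosting
        # produces those routinely); two or more shared domains count as a type.
        return sum([
            len(self.shared_domains) >= 2,
            bool(self.registrant_matches),
            bool(self.redirect_matches),
            self.same_hosting,
        ])

    def confidence(self) -> str:
        n = self.evidence_types()  # illustrative thresholds
        return "high" if n >= 3 else "moderate" if n == 2 else "low"


# Known cluster attributes, taken from the write-up.
CLUSTER_IPS = {"23.81.246.131"}
CLUSTER_REGISTRANTS = {"gameproducters@outlook.com"}
CLUSTER_REDIRECT_TARGETS = {"000webhostapp.com"}
CLUSTER_HOSTING = {"Leaseweb, Inc. (US)"}

# Constructed sample data. ".example" names are placeholders for the
# previously-known phishing domains; 203.0.113.7 is a shared-hosting control.
PDNS: List[PdnsRecord] = [
    PdnsRecord("phish-a.example", "23.81.246.131"),
    PdnsRecord("phish-a.example", "23.82.19.179"),
    PdnsRecord("phish-b.example", "23.81.246.131"),
    PdnsRecord("phish-b.example", "23.82.19.179"),
    PdnsRecord("phish-b.example", "203.0.113.7"),      # older resolution on shared hosting
    PdnsRecord("navernidd.online", "23.82.19.179"),    # from the IOC annex
    PdnsRecord("navreplya.live", "23.82.19.179"),      # from the IOC annex
    PdnsRecord("unrelated-blog.example", "203.0.113.7"),
]
WHOIS: Dict[str, str] = {                              # domain -> registrant e-mail
    "phish-a.example": "gameproducters@outlook.com",
    "phish-b.example": "gameproducters@outlook.com",
    "navernidd.online": "gameproducters@outlook.com",
    "navreplya.live": "gameproducters@outlook.com",
    "unrelated-blog.example": "owner@unrelated.example",
}
REDIRECTS: Dict[str, str] = {                          # domain -> Location header of an HTTP 302
    "navernidd.online": "https://naver-login.000webhostapp.com/",
    "unrelated-blog.example": "https://www.unrelated.example/",
}
HOSTING: Dict[str, str] = {                            # ip -> hosting vendor
    "23.81.246.131": "Leaseweb, Inc. (US)",
    "23.82.19.179": "Leaseweb, Inc. (US)",
    "203.0.113.7": "Shared Host Co",
}


def pivot_from_ip(ip: str, pdns: Iterable[PdnsRecord]) -> Set[str]:
    """All domains observed resolving to ip."""
    return {r.domain for r in pdns if r.ip == ip}


def redirects_to(location: str, targets: Set[str]) -> bool:
    """True if the Location host is one of targets or a subdomain of one
    (suffix check on labels, so 000webhostapp.com.evil.example does not match)."""
    host = urlparse(location).hostname or ""
    return any(host == t or host.endswith("." + t) for t in targets)


def assess_ip(candidate: str, pdns=PDNS, whois=WHOIS, redirects=REDIRECTS,
              hosting=HOSTING) -> Evidence:
    cand_domains = pivot_from_ip(candidate, pdns)
    cluster_domains = set().union(*(pivot_from_ip(ip, pdns) for ip in CLUSTER_IPS))
    return Evidence(
        shared_domains=cand_domains & cluster_domains,
        registrant_matches={d for d in cand_domains if whois.get(d) in CLUSTER_REGISTRANTS},
        redirect_matches={d for d in cand_domains
                          if d in redirects and redirects_to(redirects[d], CLUSTER_REDIRECT_TARGETS)},
        same_hosting=hosting.get(candidate) in CLUSTER_HOSTING,
    )


if __name__ == "__main__":
    for ip in ("23.82.19.179", "203.0.113.7"):
        ev = assess_ip(ip)
        print(ip, ev.confidence(), ev)
```

The control address makes the write-up's caveat concrete: a single domain that once resolved to a shared-hosting IP produces one overlap and one registrant hit, which the scorer reports as low confidence, whereas the candidate node lights up all four signals.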

In summary, the publication of additional information about this infrastructure has, if anything, increased the uncertainty. The one assessment that can be made with near certainty in light of recent research is that there is a definite nexus of malicious use around this infrastructure. Recent reporting has not altered PACT’s initial, moderate-confidence assessment: an as-yet unreported criminal hosting service exists on this infrastructure. The wide variety of malicious activity and distinct operational goals, initially observed by Microsoft and RiskIQ, deserve special attention and analysis.

New Naver-themed phishing domains, identified with 30 Mar 2022 update:

navenidd[.]site

navercomg[.]link

naverbcom[.]link

naveracom[.]link

navreplyg[.]site

navreplyi[.]site

navercomh[.]link

navreplyb[.]live

navercomb[.]link

naverbnid[.]live

navernidc[.]link

navenidb[.]live

navernidd[.]online

navreplyk[.]site

navenidc[.]live

navernidb[.]link

navercome[.]link

navreplye[.]live

naverccom[.]link

navernidc[.]tech

nidnavera[.]online

navreplyf[.]site

nidnavere[.]online

navernidd[.]live

navreplyj[.]site

navernida[.]link

navercomc[.]link

navreplyd[.]live

naveranid[.]link

navercoma[.]link

navercomf[.]link

navercomd[.]link

navreplya[.]online

navreplyh[.]site

navercnid[.]link

navreplya[.]live

navenida[.]live

navernida[.]tech
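The annex is most useful if it is turned into a detection. The script below is an added example (not PACT tooling) that refangs the 38 domains above into an exact-match set and, because the list shows a tight naming pattern (a “naver”/“nav” fragment, one of nid/com/reply, at most one filler letter, on a handful of cheap TLDs), also flags domains of the same shape that are not yet on the list. The `LOOKALIKE` regex is an assumption that the actor will keep minting domains of this shape; the DNS log lines and the `navreplyz.site` lookalike are constructed for the demonstration and are not observed indicators.

```python
"""Flag Naver-themed phishing domains from the IOC annex in DNS query logs,
plus same-shape lookalikes. Added example; not PACT's tooling."""
import re
from typing import Iterable, List, Tuple

# The 38 domains from the IOC annex, refanged.
NAVER_IOCS = frozenset({
    "navenidd.site", "navercomg.link", "naverbcom.link", "naveracom.link",
    "navreplyg.site", "navreplyi.site", "navercomh.link", "navreplyb.live",
    "navercomb.link", "naverbnid.live", "navernidc.link", "navenidb.live",
    "navernidd.online", "navreplyk.site", "navenidc.live", "navernidb.link",
    "navercome.link", "navreplye.live", "naverccom.link", "navernidc.tech",
    "nidnavera.online", "navreplyf.site", "nidnavere.online", "navernidd.live",
    "navreplyj.site", "navernida.link", "navercomc.link", "navreplyd.live",
    "naveranid.link", "navercoma.link", "navercomf.link", "navercomd.link",
    "navreplya.online", "navreplyh.site", "navercnid.link", "navreplya.live",
    "navenida.live", "navernida.tech",
})

# Assumption: the actor keeps registering domains of the shape seen in the
# annex, so flag the shape as well as the exact list. Shape: "nav" or "naver",
# optionally one filler letter, one of nid/com/reply, optionally one trailing
# letter (or "nidnaver" plus a letter), on one of the TLDs the annex uses.
LOOKALIKE = re.compile(
    r"^(?:nav(?:er)?[a-z]?(?:nid|com|reply)[a-z]?|nidnaver[a-z]?)"
    r"\.(?:site|link|live|online|tech)$"
)

ALLOWLIST = frozenset({"naver.com"})  # the genuine service

# Constructed log line shape (not a real resolver format):
# "<iso-timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable(qname: str) -> str:
    """Last two labels, lower-cased, trailing dot stripped.
    Assumption: no multi-part public suffixes (e.g. .co.uk) in the logs."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(qname: str) -> str:
    """Return 'ioc', 'lookalike' or 'benign' for a queried name."""
    dom = registrable(qname)
    if dom in ALLOWLIST:
        return "benign"
    if dom in NAVER_IOCS:
        return "ioc"
    if LOOKALIKE.match(dom):
        return "lookalike"
    return "benign"


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(client, registrable domain, verdict) for every non-benign query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname, _qtype = m.groups()
        verdict = classify(qname)
        if verdict != "benign":
            hits.append((client, registrable(qname), verdict))
    return hits


SAMPLE_LOG = [  # constructed sample queries
    "2022-03-30T09:15:02Z 10.0.0.12 nid.naver.com A",        # genuine Naver login host
    "2022-03-30T09:15:09Z 10.0.0.12 navernidd.online. A",    # annex IOC, trailing dot
    "2022-03-30T09:16:44Z 10.0.0.27 www.navreplyz.site A",   # constructed lookalike, not on the list
    "2022-03-30T09:17:01Z 10.0.0.27 NAVERCOMG.LINK A",       # annex IOC, upper-case
    "2022-03-30T09:17:30Z 10.0.0.31 example.org A",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

Treat `lookalike` hits as leads for a registrant or pDNS pivot rather than as confirmed indicators; the exact-match set is the only part of the detection that is grounded in the published annex.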


The Prevailion blog is authored by members of the Prevailion Adversarial Counterintelligence Team (PACT)