Microsoft Reviews APT35/PHOSPHORUS Ransomware Operations

Industry: N/A | Level: Tactical | Source: Microsoft

Microsoft Threat Intelligence team provided research on ransomware operations by Iranian threat actor group, APT35/PHOSPHORUS specifically a sub-group of APT35 tracked as DEV-0270 (aka Nemesis Kitten). Whilst operations from APT35 are often in line with the goals of the Iranian government, the use of ransomware is viewed as a financially motivated endeavor. As assessed by Microsoft, "judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation." Initial access techniques from DEV-0270 often involve exploiting public-facing applications such as ProxyLogon or Log4Shell. DEV-0270 in their post-compromise stage exclusively leverage living-off-the-land binaries (LOLBINs). Examples of their tactics involve identifying hosts using WMIC, net, and PowerShell for system reconnaissance, comsvcs, and rundll32 for credential harvesting. Lateral movement is achieved by operators disabling Windows Defender, enabling RDP in the registry, and adding firewall rules to enable RDP. The attackers have run encoded PowerShell commands to encrypt the victim's hosts with BitLocker.

Anvilogic Scenario:

• APT35: Recon, Def Evasion, Credential Access and Lateral Mov

Anvilogic Use Cases:

• comsvcs.dll Lsass Memory Dump
• Create/Add Local/Domain User
• Impacket/Empire's WMIExec

‍