
Threat Group-0110 Targets Manufacturing and Financial Organizations Via Phishing

Since the evening of July 21, 2014, Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a threat group the CTU research team refers to as Threat Group-0110 (TG-0110)[i] phishing many organizations in the manufacturing and financial verticals. TG-0110 is known for using the Pirpi backdoor to access endpoints. Pirpi can search for and exfiltrate files, run other executable files, and execute commands. It also has reverse shell capabilities.

TG-0110 conducted a previous phishing campaign in April 2014 that used the following domains:

  • profile . sweeneyphotos . com
  • web . usamultimeters . com
  • web . boverboya . com
  • web . redlancers . com
  • inform . bedircati . com
  • web . neonbilisim . com

Many of the IP addresses used by TG-0110, including the IP addresses that these domains resolve to, are compromised hosts.

The phishing messages from the April campaign included the following URIs:

  • view/item.html?num=CCNNNNNNN
  • sub/item.htm?num=CCNNNNNNN
  • sub/visit.jsp?docid=CCNNNNNNN

The variable values at the end of the URIs follow the CCNNNNNNN format: two characters (CC) followed by seven numbers (NNNNNNN). Each victim typically has a unique identifier.

CTU researchers associated the July 21 phishing emails with TG-0110 because the URIs used the same CCNNNNNNN pattern as the emails in the April campaign. The July campaign used the domain web . hazarhaliyikama . com, which resolved to 74.168.192.127.

The urlQuery analysis service lists known URIs used by this campaign:

  • /doc/reference.cfm?i=GR7107855
  • /doc/solo.cfm?cg=RU1372493
  • /doc/idear.htm?a=PT0706830
  • /doc/tem.aspx?n=EJ4494618
  • /doc/list.jsp?x=ME6373829

Some organizations have successfully blocked requests for malicious domains used by TG-0110 by using web proxy filters to restrict domains and URIs categorized as "file sharing," "miscellaneous," "sports and gambling," and "uncategorized." CTU researchers recommend that organizations create and apply network signatures based on the known URI patterns listed above. Organizations should also adopt general security practices to protect themselves from these types of attacks, such as applying security updates as they become available from vendors and educating employees about phishing attacks and techniques.
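The CCNNNNNNN identifier format described above, together with the recommendation to build network signatures from the known URI patterns, can be turned into a simple proxy-log check. The following is an added example written for this post, not code from Secureworks or the CTU team: it matches the two-letter, seven-digit query value, raises confidence when the request path is one of the paths listed in this post, and runs over a few constructed log lines in an assumed "timestamp client method url status" format (hostnames and client addresses are placeholders).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Identifier format described in the post: two characters (taken here as
# uppercase letters) followed by exactly seven digits, e.g. GR7107855.
TG0110_ID_RE = re.compile(r"^[A-Z]{2}\d{7}$")

# Request paths from the April and July campaigns as listed in the post.
# The identifier pattern alone is generic, so a known path is used to tag
# a hit with higher confidence.
KNOWN_PATHS = {
    "/view/item.html", "/sub/item.htm", "/sub/visit.jsp",
    "/doc/reference.cfm", "/doc/solo.cfm", "/doc/idear.htm",
    "/doc/tem.aspx", "/doc/list.jsp",
}


def classify_url(url):
    """Return (verdict, identifier) for one URL.

    verdict is "known-path+id" when both the path and the query value match,
    "id-pattern" when only a query value fits CCNNNNNNN, and None otherwise.
    """
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.strip()
        if TG0110_ID_RE.match(value):
            verdict = "known-path+id" if parts.path in KNOWN_PATHS else "id-pattern"
            return verdict, value
    return None, None


# Constructed sample proxy log lines (not real traffic). Format assumed:
# "timestamp client method url status".
SAMPLE_LOG = """\
1405987200.123 10.0.0.5 GET http://example-host.invalid/doc/list.jsp?x=ME6373829 200
1405987201.456 10.0.0.6 GET http://example-host.invalid/sub/item.htm?num=AB1234567 200
1405987202.789 10.0.0.7 GET http://intranet.example/search?q=report2014 200
1405987203.000 10.0.0.8 GET http://example-host.invalid/view/item.html?num=XY12345 404
1405987204.111 10.0.0.9 GET http://example-host.invalid/other/page.php?id=QQ7654321 200
"""


def scan_log(text):
    """Return a list of (client, verdict, identifier, url) for matching lines."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        url = fields[3]
        verdict, ident = classify_url(url)
        if verdict:
            hits.append((fields[1], verdict, ident, url))
    return hits


if __name__ == "__main__":
    for client, verdict, ident, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{ident}\t{url}")
```

Two letters plus seven digits is a broad pattern and will match legitimate tracking or order identifiers in many environments, so the "id-pattern" verdict is best treated as a hunting lead rather than a blocking rule; "known-path+id" hits, and any request to the domains listed above, are the ones worth alerting on directly. The exact request-path set is likewise only a starting point, since the actor changed paths between the April and July campaigns while keeping the identifier format.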

[i] The CTU research team tracks threat groups by assigning them four-digit randomized numbers (0110 in this case), and compiles information from external sources and from first-hand incident response observations.



ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

Secureworks Counter Threat Unit™ (CTU) researchers frequently serve as expert resources for the media, publish technical analyses for the security community, and speak about emerging threats at security conferences. Leveraging Secureworks’ advanced security technologies and a network of industry contacts, the CTU™ research team tracks threat actors and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables CTU researchers to identify threats as they emerge and develop countermeasures that protect customers before damage can occur.