Last month, the FBI issued a warning about a ransomware group dubbed "OnePercent" targeting U.S. companies. The threat actors used malicious macros in phishing email attachments to infect victims with the IcedID banking trojan, which in turn downloaded Cobalt Strike. OnePercent then spread through the network using Cobalt Strike's lateral movement capabilities (mostly PowerShell remoting), after which the group encrypted and exfiltrated data from the victim's network. Then comes the ransom part: the actors contacted their victims via email or phone and threatened to release their data on the Tor network if they did not pay up.
Our security research team has been monitoring the ransomware group's infrastructure activity and has noticed that the domains used in the campaign have migrated to a new IP not mentioned in the earlier FBI report: 34.231.28[.]159. This Amazon IP is no newcomer to the malware scene. VirusTotal shows plenty of badness hosted there, including DGA-like domain patterns that rotate over time (examples can be seen in the picture below). More IOC info, including malicious domain resolves from the IP over the last 14 days, can be found at the end of this post.
But that's not all: our team has seen ongoing communication attempts from six of the domains in the FBI report on OnePercent. The following domains tried to connect to our customer networks almost a million times over the last week (935K, to be exact), only to be blocked by ThreatSTOP: nix1[.]xyz, golddisco[.]top, delokijio[.]pw, june85[.]cyou, intensemisha[.]cyou, biggarderoub[.]cyou.
If anyone had doubts about OnePercent continuing their activity after being outed and shamed by the FBI, we advise thinking again. Even after big-name security companies, or even law enforcement, publicly post indicators of compromise, infection vectors, and technical details on malware attacks, the operations often don't shut down, and many internet users stay completely vulnerable to them. ThreatSTOP protection combines threat intelligence about new attacks like this one with research on bad areas of the internet you should block even before they've been publicly outed for hosting a specific attack. Or, in other words: we stop threats before you read about them.
ThreatSTOP recommends blocking communication to and from the IOCs related to this campaign.
OnePercent Ransomware Group IOCs:
Domains:
nix1[.]xyz
golddisco[.]top
delokijio[.]pw
june85[.]cyou
intensemisha[.]cyou
biggarderoub[.]cyou
d30qpb9e10re4o.cloudfront[.]net
IP addresses:
167.71.224[.]39
80.82.67[.]221
157.245.239[.]187
138.197.179[.]153
31.187.64[.]199
134.209.203[.]30
206.189.227[.]145
34.231.28[.]159
Past 14-day domain resolves from 34.231.28[.]159, flagged as malicious by VirusTotal:
10feeds[.]com
2kiljiondo[.]cyou
kasprsky[.]info
8hh3aktk2.kasprsky[.]info
cigy2jft92.kasprsky[.]info
appsprovider[.]com
www.denazao[.]info
bulktrumpbun[.]top
ins34devicci[.]top
danylmassey574[.]xyz
applockkeep[.]xyz
data.applockkeep[.]xyz
mxi.applockmaster[.]xyz
poslity[.]com
testdomain0x00[.]xyz
wa1a1[.]com
www.wa1a1[.]com
webtinchap[.]com
wpdsfds23x[.]com
www.wpdsfds23x[.]com
www.w7dslkipoja[.]com
dtc.and.ciaociaoline[.]com
eri.and.ciaociaoline[.]com
ffq.and.ciaociaoline[.]com
hkn.and.ciaociaoline[.]com
hni.and.ciaociaoline[.]com
hrn.and.ciaociaoline[.]com
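The blocking recommendation above is easier to act on when the IOCs are in machine-readable form and can be checked against what the network actually saw. The script below is an added example, not ThreatSTOP's code or tooling: it refangs the campaign domains and IPs exactly as listed in this post, sweeps DNS and connection log lines for them (the key=value log format and the log lines are constructed for the example), treats a listed domain as covering its subdomains, and emits a sorted blocklist. All function names are assumptions made for the example.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Defanged IOCs as listed in the post (domains and IPs), one per line.
ONEPERCENT_IOCS = """
nix1[.]xyz
golddisco[.]top
delokijio[.]pw
june85[.]cyou
intensemisha[.]cyou
biggarderoub[.]cyou
d30qpb9e10re4o.cloudfront[.]net
167.71.224[.]39
80.82.67[.]221
157.245.239[.]187
138.197.179[.]153
31.187.64[.]199
134.209.203[.]30
206.189.227[.]145
34.231.28[.]159
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Constructed log format: fields are key=value; we care about query= (DNS) and dst= (connections).
LOG_RE = re.compile(r"(?:query|dst)=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('nix1[.]xyz', 'hxxp://...') back into its real form."""
    ioc = ioc.strip().lower()
    ioc = ioc.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return re.sub(r"^hxxps?://", "", ioc)


def load_iocs(text: str) -> Tuple[Set[str], Set[str]]:
    """Split a defanged IOC list into a domain set and an IPv4 set."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for line in text.splitlines():
        if line.strip():
            value = refang(line)
            (ips if IPV4_RE.match(value) else domains).add(value)
    return domains, ips


def domain_matches(name: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that covers `name`, if any. A listed domain also
    covers its subdomains (data.applockkeep.xyz is covered by applockkeep.xyz),
    but 'notnix1.xyz' does not match 'nix1.xyz' because we compare whole labels."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_value(value: str, domains: Set[str], ips: Set[str]) -> Optional[str]:
    """Match one observed hostname or ip[:port] against the IOC sets."""
    value = refang(value).split(":")[0]  # drop a :port suffix if present
    if value in ips:
        return value
    return domain_matches(value, domains)


def scan_logs(lines: Iterable[str], domains: Set[str], ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (log line, matched indicator) for every line touching a listed IOC."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for value in LOG_RE.findall(line):
            ioc = match_value(value, domains, ips)
            if ioc:
                hits.append((line, ioc))
                break  # one hit per line is enough for triage
    return hits


def blocklist(domains: Set[str], ips: Set[str]) -> List[str]:
    """Sorted, refanged entries ready for a DNS RPZ zone or firewall object."""
    by_octet = lambda ip: tuple(int(o) for o in ip.split("."))
    return sorted(domains) + sorted(ips, key=by_octet)


# Constructed sample log lines (not from the post); 10.0.0.0/8 are internal clients.
SAMPLE_LOGS = [
    "2021-09-01T10:00:01Z dns client=10.0.0.5 query=nix1.xyz type=A",
    "2021-09-01T10:00:02Z dns client=10.0.0.7 query=mail.example.com type=MX",
    "2021-09-01T10:00:03Z conn client=10.0.0.5 dst=34.231.28.159:443 proto=tcp",
    "2021-09-01T10:00:04Z dns client=10.0.0.9 query=cdn.d30qpb9e10re4o.cloudfront.net type=A",
    "2021-09-01T10:00:05Z conn client=10.0.0.9 dst=93.184.216.34:443 proto=tcp",
]

if __name__ == "__main__":
    doms, addrs = load_iocs(ONEPERCENT_IOCS)
    for line, ioc in scan_logs(SAMPLE_LOGS, doms, addrs):
        print(f"HIT {ioc}: {line}")
    print("\n".join(blocklist(doms, addrs)))
```

Matching on whole DNS labels matters: only the specific CloudFront distribution in the list is flagged, never cloudfront[.]net as a whole, so the sweep does not drown legitimate CDN traffic in false positives while still catching hostnames beneath a listed domain.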