Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month [1]. So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs) [2].
In an effort to help organizations avoid becoming the next victims, we uncovered more artifacts, including:
- A few unredacted registrant email addresses from the domain IoCs’ WHOIS records
- 600+ domains that shared the domain IoCs’ registrant email addresses or IP address resolutions, a couple of which are considered malicious
- 20,000+ domains that contained the same strings or string combinations as the domain IoCs, only two of which belonged to the mimicked companies (Microsoft and Symantec), while 7% were dubbed “malicious”
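The two pivots listed above (shared registrant email or IP resolution, and brand-string lookalikes with the legitimate owner's domains set aside) can be scripted for triage. The following is an added example, not code from the original post; every record, domain, email and IP in it is constructed sample data with an assumed schema, and none of them are the real IoCs.

```python
# Constructed sample WHOIS / passive-DNS records keyed by domain (assumed
# schema; none of these are real IoCs from the post).
RECORDS = {
    "ioc-one.example": {"email": "reg1@example.net", "ips": {"203.0.113.5"}},
    "ioc-two.example": {"email": "reg2@example.net", "ips": {"203.0.113.9"}},
    "sibling-a.example": {"email": "reg1@example.net", "ips": {"198.51.100.7"}},
    "sibling-b.example": {"email": "other@example.org", "ips": {"203.0.113.9"}},
    "unrelated.example": {"email": "other@example.org", "ips": {"192.0.2.1"}},
    "micros0ft-update.example": {"email": "reg1@example.net", "ips": {"198.51.100.8"}},
    "symantec.com": {"email": "legit@example.com", "ips": {"192.0.2.50"}},
}
BRANDS = ("microsoft", "symantec")
# Common digit-for-letter substitutions seen in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def pivot(iocs, records):
    """Domains that share a registrant email or a resolved IP with any IoC."""
    known = [records[d] for d in iocs if d in records]
    emails = {r["email"] for r in known}
    ips = set().union(*(r["ips"] for r in known)) if known else set()
    return {d for d, r in records.items()
            if d not in iocs and (r["email"] in emails or r["ips"] & ips)}


def lookalikes(domains, brands=BRANDS, allowlist=()):
    """Map each domain whose normalized label contains a brand string to that
    brand, skipping domains known to belong to the brand owner (allowlist)."""
    hits = {}
    for d in domains:
        if d in allowlist:
            continue
        label = d.split(".")[0].replace("-", "").translate(HOMOGLYPHS)
        for b in brands:
            if b in label:
                hits[d] = b
                break
    return hits


def triage(iocs, records, allowlist=()):
    """Combine both pivots into one candidate list for blocking or hunting."""
    return {"related": sorted(pivot(iocs, records)),
            "lookalikes": lookalikes(records, allowlist=allowlist)}
```

Candidates returned by `triage` are leads for further review, not verdicts: a shared registrar email or hosting IP can also come from a bulk reseller or shared hosting.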
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
---
- [1] https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
- [2] https://otx.alienvault.com/pulse/628272df97a93a0472223dd3