October 7, 2022

Iranian cybercrime group Phosphorus is leading a ransomware campaign for personal gain, Microsoft’s threat intelligence center (MSTIC) researchers disclosed yesterday.

Security experts believe a subgroup, dubbed Nemesis Kitten and tracked as DEV-0270, leads several malicious operations, including extensive vulnerability scanning, on behalf of the Iranian government.

They also suspect that, due to the nature of the attacks, most of which “lacked a strategic value for the regime,” the newly observed campaign may not be coordinated by the government and instead is run for the personal gain of the gang members.

The threat actors attempted to gain access by exploiting known vulnerabilities in products such as Exchange, Fortinet, and Log4j 2. After breaching a targeted device or network, the attackers would perform environment discovery and credential theft, achieve persistence, escalate privileges, and deploy evasive techniques to dodge detection.

“The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security,” according to MSTIC’s security advisory. “They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: dllhost.exe, task_update.exe, user.exe, and CacheTask.”
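The masquerading described in the advisory can be hunted in process-creation telemetry by comparing a watched file name against the directory it actually ran from. The following is an added example, not code from MSTIC or from the original article; the event fields, host names and sample records are constructed, and the only expected locations assumed are the standard System32 and SysWOW64 directories for dllhost.exe.

```python
import ntpath

# File names the advisory lists as covers for the group's custom binaries.
# "CacheTask" appears on the page without an extension, so both forms are watched.
WATCHED = {"dllhost.exe", "task_update.exe", "user.exe", "cachetask", "cachetask.exe"}

# Assumption: dllhost.exe is the only name with a fixed, well-known location.
# The other names have no baseline here, so any sighting is sent for review.
EXPECTED_DIRS = {
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def classify(image_path):
    """Return 'masquerade', 'review' or None for one process image path."""
    # Strip quoting, resolve '..' segments and fold case before comparing,
    # so C:\Windows\System32\..\Temp\DLLHOST.EXE is not mistaken for System32.
    path = ntpath.normpath(image_path.strip().strip('"')).lower()
    directory, name = ntpath.split(path)
    if name not in WATCHED:
        return None
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "review"
    return None if directory in expected else "masquerade"

def hunt(events):
    """Return (host, image, verdict) for every event that needs attention."""
    findings = []
    for event in events:
        verdict = classify(event["image"])
        if verdict:
            findings.append((event["host"], event["image"], verdict))
    return findings

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\dllhost.exe"},
    {"host": "ws-02", "image": r"C:\Users\Public\dllhost.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\..\Temp\DLLHOST.EXE"},
    {"host": "ws-04", "image": r"C:\ProgramData\task_update.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-02", "image": r'"C:\Windows\SysWOW64\dllhost.exe"'},
]

if __name__ == "__main__":
    for host, image, verdict in hunt(SAMPLE_EVENTS):
        print(f"{verdict:<10} {host}  {image}")
```

A path check alone does not catch a binary planted inside System32 itself, so pair it with signature or hash verification of the image.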

Security experts noticed that DEV-0270 attacks often enable BitLocker encryption through setup.bat commands, rendering the host device unusable. The hacker group deploys DiskCryptor, an open-source encryption tool, on compromised Windows devices through RDP. Upon launch, the tool starts to encrypt the device’s entire disk drive and locks the victim out of the workstation.

In the security advisory, MSTIC included a series of mitigation tips to deter DEV-0270-specific techniques:

  • Prioritize patching internet-facing Exchange servers
  • Apply security updates and fixes as soon as they become available
  • Use a firewall to prevent RPC and SMB communications
  • Enforce strong administrator password policies
  • Ensure your antivirus software is up to date
  • Back up data to prevent damage from destructive attacks

Specialized software such as Bitdefender Ultimate Security can keep you safe against online threats, with features like:

  • All-round real-time data protection that works against worms, Trojans, zero-days, ransomware, viruses, spyware, rootkits and other e-threats
  • Multi-layer ransomware protection that keeps your files safe from various ransomware attacks
  • Advanced threat defense that closely monitors active apps and acts instantly upon detecting suspicious activity
  • Rescue environment module that removes sophisticated malicious components before Windows starts
