HP Threat Research Blog MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures

October 19, 2021 Category: Threat Research By: Patrick Schläpfer

What is MirrorBlast?

MirrorBlast is a new malware campaign first observed at the end of September 2021. The malware was named by Proofpoint Emerging Threats Labs, whose signatures recognize the malware based on its command and control (C2) traffic. Since then, the malware has been spotted in several campaigns, each showing similar infection chains. The following graphic shows the rough sequence of a MirrorBlast campaign.

Figure 1 – Infection chain of a MirrorBlast campaign seen in October 2021.

Is MirrorBlast a campaign from TA505?

After MirrorBlast’s emergence, some security researchers speculated that it could be linked to TA505. Comparing MirrorBlast activity to historical TA505 Get2/SDBBot campaigns revealed numerous similarities in tactics, techniques and procedures (TTPs). We assess that these similarities significantly strengthen the hypothesis that MirrorBlast and TA505 are linked. In this article, we describe some of these similarities:

  • Similarities in modus operandi
  • Similar domain registration patterns
  • Campaign cadence
  • Similar download websites and lure documents
  • Similar target selection mechanisms
  • Follow-up malware

Similarities in Modus Operandi

The Get2/SDBBot campaign TTPs were always similar, as if the group followed a strict playbook: the domains were registered, the download website was set up, and before the malware was distributed, the attackers uploaded a legitimate document to the download website. This was probably for testing purposes. Sometimes it was an empty document or one containing the characters “123”. But occasionally the attackers uploaded Excel documents containing several spreadsheets and legitimate content. For example, Figure 2 shows the test document that was uploaded during the Get2/SDBBot campaign on 14 September 2020.

Looking at the MirrorBlast campaigns, the threat actor behaved similarly. The campaign on 14 October 2021 was notable. Like TA505, the attackers registered domains, published the download website, and uploaded a test document. Strikingly, this test document was the same document as used by TA505 in a campaign in 2020, demonstrating an overlap in the attackers’ methods as well as the tools they use.

Figure 2 – Legitimate Excel file uploaded to TA505 and MirrorBlast malware distribution websites.

Similar Domain Registration Patterns

In Get2/SDBBot campaigns, TA505 registered new domains that had recognizable characteristics:

  • Most domains impersonated well-known online services or used related keywords
  • The domains often contained one or more hyphen characters to separate words
  • The domains used the top-level domain .com

Here are some examples of known TA505 domains:

Known TA505 domains:

  • xbox-en-cnd[.]com
  • one-drive-storage[.]com
  • store-in-box[.]com
  • microsoft-store-drm-server[.]com
  • clouds-doanload-cnd[.]com
  • microsoft-sback-server[.]com
  • one-drive-ms[.]com
  • owncloud-cdn[.]com
  • cdn-onedrive-live[.]com
  • office-en-service[.]com

As you can see, the domains follow a consistent naming convention. Moreover, the combination of certain domain registrars and DNS service providers is also a good indicator of new TA505 domains. Figure 3 shows the domain registrars used in the documented TA505 campaigns from September 2019 to December 2020. Most of the time, Eranet International Limited was used to register the new domains, and only rarely were others used. But in November and December 2020 this pattern changed, when most domains were registered through Cnobin Information Technology Limited. After that, TA505 Get2/SDBBot campaigns ceased, so there is no temporal overlap with MirrorBlast campaigns.

Figure 3 – TA505 domain registrations by registrar, September 2019 to December 2020.

As of October 2021, there are only a few known MirrorBlast domains. However, even the limited data suggest a consistent pattern in MirrorBlast domain registrations. As with TA505, the attackers imitate a well-known online service and often delimit keywords in their domains with hyphens. The threat actor behind the MirrorBlast campaigns used Cnobin Information Technology Limited to register their domains. This domain registrar was used by TA505 at the time of their last known activity in late 2020. There is no overlap in DNS service providers, since TA505 only used DNSPod and Cloudflare.
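The registration pattern described in this section (service-brand keywords, hyphen-separated labels, the .com TLD, and the registrar/DNS-provider combination) lends itself to a simple hunting heuristic over a passive-DNS or certificate-transparency feed. The script below is an added example written for this article, not HP's or Proofpoint's tooling. The keyword set is derived from the domains listed above, the registrar and DNS-provider names are those mentioned in the text, the point weights and threshold are assumptions chosen for illustration, and the sample feed is constructed (the listed TA505 domains with unknown registrar, one hypothetical lookalike with WHOIS fields, and two benign names).

```python
"""
Added example: score newly registered domains against the registration
pattern described in the post (service-brand keywords, hyphen-separated
labels, .com TLD, registrar / DNS-provider combination). A triage aid for
a passive-DNS or CT-log feed, not a blocklist. Weights are assumptions.
"""
from dataclasses import dataclass, field

# Keywords taken from the naming convention of the listed TA505 domains.
# "cnd" is kept deliberately: it is the misspelling of "cdn" seen in two of them.
SERVICE_KEYWORDS = {
    "microsoft", "office", "xbox", "onedrive", "owncloud", "cloud", "clouds",
    "drive", "store", "storage", "live", "server", "cdn", "cnd",
}

# Registrars and DNS providers named in the post (lower-cased for matching).
REGISTRARS_OF_INTEREST = {
    "eranet international limited",
    "cnobin information technology limited",
}
DNS_PROVIDERS_OF_INTEREST = {"dnspod", "cloudflare"}


@dataclass
class DomainRecord:
    """One entry of a registration feed; registrar/DNS fields may be empty."""
    domain: str
    registrar: str = ""
    dns_provider: str = ""


@dataclass
class Score:
    domain: str
    points: int
    reasons: list = field(default_factory=list)


def normalize(domain: str) -> str:
    """Accept plain and defanged ('[.]') notation; lower-case, no trailing dot."""
    return domain.replace("[.]", ".").strip().strip(".").lower()


def score_domain(rec: DomainRecord, allowlist: frozenset = frozenset()) -> Score:
    name = normalize(rec.domain)
    if name in allowlist:                      # the real brand domains must be allowlisted
        return Score(name, 0, ["allowlisted"])
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        return Score(name, 0, ["not a registrable domain"])
    sld, tld = labels[-2], labels[-1]          # e.g. "one-drive-storage", "com"
    points, reasons = 0, []

    # 1. Brand / service impersonation: whole hyphen-separated words only,
    #    which avoids substring hits such as "drive" inside "driveway".
    hits = sorted(w for w in set(sld.split("-")) if w in SERVICE_KEYWORDS)
    if hits:
        kw_points = min(2 * len(hits), 4)      # cap: keyword stuffing alone is not decisive
        points += kw_points
        reasons.append(f"service keywords {hits} (+{kw_points})")
    # 2. Hyphen-separated words in the registrable label.
    if "-" in sld:
        points += 1
        reasons.append("hyphen-separated label (+1)")
    # 3. The .com TLD used throughout the known set.
    if tld == "com":
        points += 1
        reasons.append(".com TLD (+1)")
    # 4. Registrar / DNS-provider combination, when the feed carries WHOIS data.
    if rec.registrar.lower() in REGISTRARS_OF_INTEREST:
        points += 2
        reasons.append(f"registrar {rec.registrar!r} (+2)")
    if rec.dns_provider.lower() in DNS_PROVIDERS_OF_INTEREST:
        points += 1
        reasons.append(f"DNS provider {rec.dns_provider!r} (+1)")
    return Score(name, points, reasons)


def rank_feed(records, min_points: int = 5, allowlist: frozenset = frozenset()) -> list:
    """Return scored records at or above the threshold, highest score first."""
    scored = (score_domain(r, allowlist) for r in records)
    return sorted((s for s in scored if s.points >= min_points),
                  key=lambda s: (-s.points, s.domain))


# Constructed feed: the TA505 domains listed in the post (registrar unknown),
# one hypothetical lookalike with WHOIS data, and two benign names.
SAMPLE_FEED = [
    DomainRecord("xbox-en-cnd[.]com"),
    DomainRecord("one-drive-storage[.]com"),
    DomainRecord("store-in-box[.]com"),
    DomainRecord("microsoft-store-drm-server[.]com"),
    DomainRecord("clouds-doanload-cnd[.]com"),
    DomainRecord("microsoft-sback-server[.]com"),
    DomainRecord("one-drive-ms[.]com"),
    DomainRecord("owncloud-cdn[.]com"),
    DomainRecord("cdn-onedrive-live[.]com"),
    DomainRecord("office-en-service[.]com"),
    DomainRecord("ms-drive-cnd-test[.]com",      # hypothetical, constructed entry
                 registrar="Cnobin Information Technology Limited",
                 dns_provider="DNSPod"),
    DomainRecord("example.com"),                  # benign
    DomainRecord("my-garden-blog.org"),           # benign, hyphenated
]

if __name__ == "__main__":
    for s in rank_feed(SAMPLE_FEED):
        print(f"{s.points:2d}  {s.domain:32s}  {'; '.join(s.reasons)}")
```

Two design points matter in practice. First, the keyword match is on whole hyphen-separated words, so a genuine brand domain such as microsoft.com still scores on the keyword alone; pass the legitimate brand domains as the `allowlist` so they are never surfaced. Second, the registrar and DNS-provider contribution only applies when the feed carries WHOIS data; without it, seven of the ten listed domains still clear the threshold on naming alone, while the three with a single keyword fall just below it, which is the kind of borderline case an analyst should review by hand rather than tune away.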