Microsoft’s Threat Intelligence Division assessed Wednesday that a subgroup of the Iranian threat actor being tracked as Phosphorus is carrying out ransomware attacks as a “form of moonlighting” for personal gain.
The tech giant, which tracks the emerging threat cluster under the name DEV-0270 (aka Nemesis Kitten), said the group is run by a company that operates under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between DEV-0270 and the two organizations.
“DEV-0270 leverages exploits for high-severity vulnerabilities to access devices and is known for early adoption of newly disclosed vulnerabilities,” Microsoft said.
“DEV-0270 also makes extensive use of living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and access to credentials. This extends to its misuse of the built-in BitLocker tool to encrypt files on compromised devices.”
The use of BitLocker and DiskCryptor by Iranian actors for opportunistic ransomware attacks first came to light in early May, when Secureworks disclosed a set of intrusions mounted by a threat group it tracks as Cobalt Mirage, which has ties to Phosphorus (aka Cobalt Illusion) and TunnelVision.
DEV-0270 is known to scan the internet for servers and devices with unpatched vulnerabilities in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN, and Apache Log4j to gain initial access, followed by network reconnaissance and credential theft.
Once inside, DEV-0270 maintains access by establishing persistence via a scheduled task. It then elevates privileges to SYSTEM level, which allows it to carry out post-exploitation actions such as disabling Microsoft Defender Antivirus to evade detection, moving laterally across the network, and encrypting files.
“The threat cluster typically uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security,” Microsoft said. “They also install and disguise their custom binaries as legitimate processes to hide their presence.”
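The attack chain described above is built almost entirely from native Windows tooling, which is exactly why command-line telemetry is the place to hunt for it. The following Python triage is an added example, not code from the original report or from Microsoft's own hunting content: it runs simple rules over constructed process-creation records (assumed to be 4688-style events carrying host, user, parent process and command line) and flags a host only when several distinct stages of the chain fire on it. The hostnames, user names, command lines, file paths and rule names are all constructed for the illustration; the Windows binaries, switches and registry value referenced in the rules are real.

```python
import re

# Constructed sample events in the shape of Windows 4688 process-creation records.
# The host, user, parent and command lines below are invented for this example.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "Windows Update Check" /tr "C:\\ProgramData\\svchost.exe" /ru SYSTEM /f'},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": "net user backup_adm P@ssw0rd123 /add"},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": "manage-bde -on D: -UsedSpaceOnly -RecoveryPassword -SkipHardwareTest"},
    {"host": "WS042", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\Users\\jdoe\\report.ps1"},
]

# Each rule covers one stage of the LOLBIN chain described in the article.
# Patterns match the real Windows tools and switches; the rule names are our own.
RULES = [
    # Defender real-time protection switched off through the PowerShell cmdlet
    ("defender_disable_ps",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)", re.I)),
    # Defender disabled via the policy registry value written with reg.exe
    ("defender_disable_reg",
     re.compile(r"\breg(\.exe)?\s+add\s+.*Windows Defender.*DisableAntiSpyware", re.I)),
    # Persistence through a newly created scheduled task
    ("schtask_persistence",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    # A system-binary name (svchost.exe etc.) launched from outside C:\Windows:
    # a custom binary disguised as a legitimate process
    ("masquerading_binary",
     re.compile(r'[A-Za-z]:\\(?!Windows\\)[^\s"]*\\?(svchost|lsass|csrss|winlogon|spoolsv)\.exe', re.I)),
    # Local account creation with net.exe / net1.exe
    ("account_creation",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
    # BitLocker turned on from the command line or PowerShell (manage-bde / Enable-BitLocker)
    ("bitlocker_encrypt",
     re.compile(r"(\bmanage-bde(\.exe)?\s+-on\b|\bEnable-BitLocker\b)", re.I)),
]


def match_rules(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def triage(events, min_stages=2):
    """Group rule hits per host and keep only hosts where at least min_stages
    distinct stages of the chain were observed. A single hit (an admin running
    manage-bde, say) is noise; several different stages on one host is the
    pattern the article describes."""
    per_host = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            per_host.setdefault(event["host"], set()).update(hits)
    return {host: sorted(stages) for host, stages in per_host.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Run stand-alone, the script reports only EXCH01, where all six stages fire; the workstation running a user's own PowerShell script produces no hits at all. In a real deployment the same rules would be fed from an EDR or SIEM export, and the per-host grouping would be bounded by a time window so that unrelated admin activity weeks apart is not chained together.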
Organizations are advised to prioritize patching internet-facing Exchange servers to mitigate risk, prevent network devices such as Fortinet SSL-VPN appliances from making arbitrary connections to the internet, enforce strong passwords, and maintain regular data backups.