Since the evening of July 21, 2014, Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a threat group the CTU research team refers to as Threat Group-0110 (TG-0110)[i] phishing many organizations in the manufacturing and financial verticals. TG-0110 is known for using the Pirpi backdoor to access endpoints. Pirpi can search for and exfiltrate files, run other executable files, and execute commands. It also has reverse shell capabilities.
TG-0110 conducted a previous phishing campaign in April 2014 that used the following domains:
- profile . sweeneyphotos . com
- web . usamultimeters . com
- web . boverboya . com
- web . redlancers . com
- inform . bedircati . com
- web . neonbilisim . com
Many of the IP addresses used by TG-0110, including the IP addresses that these domains resolve to, are compromised hosts.
The phishing messages from the April campaign included the following URIs:
- view/item.html?num=CCNNNNNNN
- sub/item.htm?num=CCNNNNNNN
- sub/visit.jsp?docid=CCNNNNNNN
The variable values at the end of the URIs follow the CCNNNNNNN format: two characters (CC) followed by seven digits (NNNNNNN). Each victim typically receives a unique identifier, so the value distinguishes one recipient's click from another's.
CTU researchers associated the July 21 phishing emails with TG-0110 because the URIs used the same CCNNNNNNN pattern as the emails in the April campaign. The July campaign used the domain web . hazarhaliyikama . com, which resolved to 74.168.192.127.
The urlQuery analysis service lists known URIs used by this campaign:
- /doc/reference.cfm?i=GR7107855
- /doc/solo.cfm?cg=RU1372493
- /doc/idear.htm?a=PT0706830
- /doc/tem.aspx?n=EJ4494618
- /doc/list.jsp?x=ME6373829
Some organizations have successfully blocked requests for malicious domains used by TG-0110 by using web proxy filters to restrict domains and URIs categorized as "file sharing," "miscellaneous," "sports and gambling," and "uncategorized." CTU researchers recommend that organizations create and apply network signatures based on the known URI patterns listed above. Organizations should also adopt general security practices to protect themselves from these types of attacks, such as applying security updates as they become available from vendors and educating employees about phishing attacks and techniques.
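The matcher below is an added example, not code from the CTU report, showing how the URI indicators above can be turned into a log-hunting check. It grades each URL in three tiers: a host from the domain lists, a listed path carrying a CCNNNNNNN query value, or only the CCNNNNNNN value on a campaign-style page (the weakest tier, useful for finding new infrastructure the way the July campaign was tied to April, but prone to false positives because two letters plus seven digits also occurs in benign URLs). The log line format, the sample lines, the `example.*` hosts and the tiering scheme are all constructed for this example; the report's defanged domains are written in resolvable form because the host comparison needs them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the report. The report defangs the domains with spaces
# around the dots; they are written in normal form here so host matching works.
KNOWN_DOMAINS = {
    "profile.sweeneyphotos.com", "web.usamultimeters.com", "web.boverboya.com",
    "web.redlancers.com", "inform.bedircati.com", "web.neonbilisim.com",
    "web.hazarhaliyikama.com",
}
KNOWN_PATHS = {
    "/view/item.html", "/sub/item.htm", "/sub/visit.jsp",
    "/doc/reference.cfm", "/doc/solo.cfm", "/doc/idear.htm",
    "/doc/tem.aspx", "/doc/list.jsp",
}
# Victim identifier CCNNNNNNN: two characters then seven digits. Every published
# sample uses two uppercase letters, so that is the form matched here.
VICTIM_ID_RE = re.compile(r"^[A-Z]{2}[0-9]{7}$")
# Page extensions seen in the campaign URIs; used only by the weakest tier.
CAMPAIGN_EXTENSIONS = (".html", ".htm", ".jsp", ".cfm", ".aspx")


def classify_url(url):
    """Return (tier, victim_id) for a URL, or (None, None) if nothing matches.

    Tiers, strongest first:
      "known_domain"       host is one of the domains listed in the report
      "known_uri_pattern"  listed path and a query value of the form CCNNNNNNN
      "id_pattern_only"    campaign-style page with a single CCNNNNNNN query
                           value (hunting grade: review before blocking)
    The single-parameter requirement in the last tier is an assumption drawn
    from the published samples, which all carry exactly one query parameter.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    params = parse_qsl(parts.query, keep_blank_values=True)
    victim_id = next((v.strip() for _, v in params if VICTIM_ID_RE.match(v.strip())), None)

    if host in KNOWN_DOMAINS:
        return "known_domain", victim_id
    if victim_id is None:
        return None, None
    if path in KNOWN_PATHS:
        return "known_uri_pattern", victim_id
    if path.lower().endswith(CAMPAIGN_EXTENSIONS) and len(params) == 1:
        return "id_pattern_only", victim_id
    return None, None


def scan_proxy_log(lines):
    """Return [(client_ip, url, tier, victim_id)] for every matching log line.

    Lines are assumed to be 'timestamp client_ip method url status'. This is a
    constructed format for the example, not a specific proxy product's log.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        client_ip, url = fields[1], fields[3]
        tier, victim_id = classify_url(url)
        if tier is not None:
            hits.append((client_ip, url, tier, victim_id))
    return hits


# Constructed sample proxy log. Only the first URL is a real report indicator;
# the other hosts are reserved example names.
SAMPLE_LOG = [
    "2014-07-22T09:14:03Z 10.1.20.55 GET http://web.hazarhaliyikama.com/doc/reference.cfm?i=GR7107855 200",
    "2014-07-22T09:15:11Z 10.1.20.56 GET http://example.net/doc/list.jsp?x=ME6373829 200",
    "2014-07-22T09:16:40Z 10.1.20.57 GET http://files.example.org/view/page.aspx?id=QA1234567 200",
    "2014-07-22T09:17:02Z 10.1.20.58 GET http://www.example.com/doc/item.html?ref=abc1234567 200",
    "2014-07-22T09:18:30Z 10.1.20.59 GET http://www.example.com/sub/item.htm?num=123 200",
]

if __name__ == "__main__":
    for client_ip, url, tier, victim_id in scan_proxy_log(SAMPLE_LOG):
        print(f"{tier:18} client={client_ip} id={victim_id} url={url}")
```

Run against the constructed log, the first three lines are flagged (domain match, path plus ID match, ID pattern only) and the last two are not: `abc1234567` has three letters and `123` is too short. The same regex and path list translate directly into a proxy URL filter or an IDS content rule; the point of the tiering is that the weakest tier should feed an analyst queue rather than an automatic block.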
[i] The CTU research team tracks threat groups by assigning them four-digit randomized numbers (0110 in this case), and compiles information from external sources and from first-hand incident response observations.