Security researchers have linked multiple ransomware campaigns to DEV–0270 (also known as Nemesis Kitten).
The threat actor, widely considered a sub–group of Iranian actor PHOSPHORUS, conducts various malicious network operations on behalf of the Iranian government, according to a new write–up by Microsoft.
However, judging from the threat actor’s geographic and sectoral targeting (which often lacked a strategic value for the regime), Microsoft also speculated that some of DEV–0270’s attacks might be a form of moonlighting for personal or company–specific revenue generation.
From a technical standpoint, the tech giant said DEV–0270 leverages exploits, particularly for newly disclosed high–severity vulnerabilities, to gain access to devices.
“DEV–0270 also extensively uses living–off–the–land binaries (LOLBins) throughout the attack chain for discovery and credential access. This extends to its abuse of the built–in BitLocker tool to encrypt files on compromised devices,” the Microsoft advisory explained.
The threat actor usually obtains initial access with administrator or system–level privileges by injecting their web shell into a privileged process on a vulnerable web server. It then uses Impacket’s WMIExec to move to other systems on the network laterally and adds or creates a new user account to maintain persistence.
DEV–0270 was also seen using several defensive evasion techniques to avoid detection, including turning off Microsoft Defender Antivirus.
In some cases where encryption was successful, Microsoft said the time to ransom (TTR) between initial access and the ransom note was reportedly around two days.
“The group has been observed demanding USD 8,000 for decryption keys,” the company wrote. “In addition, the actor has been observed pursuing other avenues to generate income through their operations.”
For instance, in one attack observed by Microsoft, a victim organization refused to pay the ransom, so the actor posted the stolen data from the organization for sale packaged in an SQL database dump.
“We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV–0270’s operations,” the tech giant wrote.
A full list of DEV–0270’s tactics and techniques, alongside some mitigation steps for the threat, are available in the original text of the Microsoft advisory.
The blog post comes days after Iran–based threat actor MuddyWater was seen leveraging the exploitation of Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.