Iranian COBALT MIRAGE Threat Group Launches Ransomware Attacks Against U.S. Organizations

Iranian state-backed adversaries are accelerating their pace by leveraging different attack vectors and targeting multiple industries across the world. Hot on the heels of the spear-phishing campaign launched by the infamous APT34 group spreading a new Saitama backdoor, another Iran-linked hacking collective hits the headlines performing ransomware attacks against U.S. companies. The Iranian nation-backed COBALT MIRAGE threat group has been observed conducting financially motivated attacks and espionage campaigns with the activity frequently involving ransomware operations.  

COBALT MIRAGE Ransomware Attacks Detection

By adopting a proactive cyber defense approach, organizations can succeed in keeping pace with the rapidly evolving threat landscape. To safeguard your infrastructure against COBALT MIRAGE intrusions, SOC Prime’s platform has released a brand-new Sigma rule crafted by our prolific Threat Bounty developer Kaan Yeniyol. This rule detects the potential adversary scan-and-exploit activity aimed to gain an initial foothold within the victim’s environment:

Suspicious COBALT MIRAGE Ransomware Execution by Creating User Account on Compromised System (via process_creation)

The above-mentioned Sigma rule can be used across 23 SIEM, EDR, and XDR solutions and is mapped to the MITRE ATT&CK® framework, addressing the Execution and Persistence tactics with the corresponding Command and Scripting Interpreter (T1059) and Create Account (T1136) techniques. 

With ransomware campaigns becoming more advanced and widespread, cybersecurity professionals seek more streamlined and efficient ways to withstand them. Click the View Detections button to gain access to the extensive, context-enriched detection algorithms for critical threats, including ransomware attacks. Individual cybersecurity researchers, Detection Engineers, and Threat Hunters are welcome to join the ranks of the Threat Bounty Program enabling them to turn their professional skills into financial benefits via active content contribution.

View Detections Join Threat Bounty

COBALT MIRAGE Activity: Cyber-Attacks Analysis

COBALT MIRAGE intrusions fall into two clusters based on the adversary behavior patterns and goals. The first one leverages BitLocker and DiskCryptor for ransomware campaigns aimed at financial gain, while the second primarily specializes in cyber-attacks to gain initial access and collect intelligence. 

COBALT MIRAGE attacks used to involve scan-and-exploit activity with the 2021 infamous campaigns exploiting Fortinet FortiOS flaws and weaponizing ProxyShell and Log4j vulnerabilities to gain remote access to the victim’s network. After an avalanche of the above-mentioned attacks, CISA and FBI issued the corresponding joint cybersecurity alert notifying U.S. organizations of the Iran-backed hacking group that gains initial access to the compromised systems and deploys ransomware, which can be attributed to COBALT MIRAGE.

According to the cybersecurity researchers, the COBALT MIRAGE activity can be linked to another Iranian-backed hacking collective tracked as COBALT ILLUSION, which actively leverages phishing as the main attack vector for gaining initial access. In addition, some traces of the COBALT MIRAGE activity have been identified as resembling the behavior patterns of two more Iran-linked hacking groups, PHOSPHOROUS and TunnelVision. 

Seeking new ways to boost your cyber defense capabilities while saving hours on threat detection research and content development? Join SOC Prime’s Detection as Code platform to reach the most up-to-date detection content enriched with cyber threat intelligence and aligned with MITRE ATT&CK® to boost your cybersecurity effectiveness.