Iran-linked COBALT MIRAGE group uses ransomware in its operations

Iranian group used Bitlocker and DiskCryptor in a series of attacks targeting organizations in Israel, the US, Europe, and Australia.

Researchers at the Secureworks Counter Threat Unit (CTU) are investigating a series of attacks conducted by the Iran-linked COBALT MIRAGE APT group. The threat actors have been active since at least June 2020 and are linked to the Iranian COBALT ILLUSION group (aka APT35, Charming Kitten, PHOSPHORUS and TunnelVision).

The researchers identified two distinct clusters of intrusions (labeled as Cluster A and Cluster B) associated with COBALT MIRAGE.

In Cluster A, the APT group uses BitLocker and DiskCryptor to conduct financially motivated, opportunistic ransomware attacks. Cluster B focuses on targeted attacks for intelligence purposes, but the experts also observed some Cluster B intrusions deploying ransomware.

Most of the victims are in Israel, the U.S., Europe, and Australia. The threat actors obtain initial access by scanning internet-exposed servers and exploiting known vulnerabilities, such as the Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Starting in late September 2021, the group was observed targeting Microsoft Exchange servers by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to deploy the Fast Reverse Proxy client (FRPC) and gain remote access to the systems.

The researchers also observed an unfinished ransomware attempt by COBALT MIRAGE at the end of December. The group's infrastructure was also hosting files related to the HiddenTear open-source ransomware project, although HiddenTear has yet to be used by the group in attacks in the wild.

“The January and March incidents typify the different styles of attacks conducted by COBALT MIRAGE. While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited,” concludes the report. “At a minimum, COBALT MIRAGE’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat.”

Pierluigi Paganini

(SecurityAffairs – hacking, COBALT MIRAGE)
