APT73/ERALEIG NEWS: UNVEILING NEW RANSOMWARE GROUP
NOTE: This is a preliminary report on a new Ransomware group that I unmasked during my Cyber Investigation. Only a single victim has been compromised by the group so far, and there are NO samples available to perform a Malware Analysis.
APT73: Self-Proclaimed “APT” Ransomware Group 😈
Unlike the naming conventions that Researchers assign to Threat Actors, this group chose to call itself "APT" (Advanced Persistent Threat) followed by a number.
NOTE: For example, APT37 is a North Korean Threat Actor Group that is also known as InkySquid/Ricochet Chollima.
APT73 is a Ransomware Group that is a spin-off from LockBit. This was observed while inspecting their "Contact Us", "How to buy Bitcoin" and "Web Security & Bug Bounty" pages, which are replicas of the LockBit Data Leak Site (DLS).
The contents of the listed pages are identical to LockBit's.
From this, we can estimate that it is a LockBit-styled Ransomware Data Leak Site (DLS).
NOTE: It is not known how this Ransomware infects its victims, as the sample is not yet available for the public to analyze. However, we can assume it is via Phishing.
There is a section titled Mirrors which, unlike LockBit's, does not have any active mirrors. This is the only difference in their DLS, and it makes this group look amateurish.
ANALYZING DATA LEAK SITE (DLS)
APT73 Group had named their Data Leak Site “ERALEIGNEWS” which is located at:-
While visiting the website, we can see a single leak displayed by the group:-
The leaked victim is TRIFECTA, a Customer Service Platform centered around Salesforce and based in the United States.
While navigating the Breach Page, we can see the contents in the above-listed Screenshot.
The victim was given a deadline of 5th April 2024, which indicates that the Data was leaked on the same day.
The data was ONLY downloadable via TOR, as the data leak was hosted on a TOR Domain.
qcgv5tfer4f46ns6ohh72zeyyh5uavoiybypzpt3lmwk5ecyqykptgqd.onion
The leak can be found at: http://qcgv5tfer4f46ns6ohh72zeyyh5uavoiybypzpt3lmwk5ecyqykptgqd.onion/files/trifecta.zip
The above URL is NOT active at the moment, hence the leak is NOT downloadable. However, it may come alive in the coming days. The group also listed 3 screenshots that expose sensitive information such as WiFi Passwords, Salesforce Credentials, Security Tokens, etc.
From this, it can be estimated that the group maintains a "files" folder on their TOR site where all listed victims will be added shortly, with each victim packaged as "VictimName.zip". This Modus Operandi is common among Ransomware Groups.
One of the interesting facts: this group does not promote its website anywhere, such as on Forums or Telegram Groups, even though promotion is a common modus operandi of Ransomware Groups to maximize recognition of their DLS.
This could be because the group is early in its victimization and might plan to launch/broadcast their DLS to the general public once they have a large number of victims (at least 5 maybe... who knows!).
🔎HUNTING SERVER INFRASTRUCTURE
While checking the domain registration records, we can estimate that APT73 registered this domain on 15th December 2023, purchased from Namecheap with Privacy enabled to conceal the registrant's identity.
On a deeper dive, I found the real IP Address powering the APT73 website:-
176.97.75.205
IP Address Details
==================
Location: Prague, Czechia
Hosted: M247 Europe SRL (Romania-based)
Server: nginx
Organization name: IROKO Networks Corporation (Panama-based)
ASN: AS9009
Port Used: 8081
NOTE: AS9009 was found to be highly malicious; it has previously been associated with the DarkAngels, Vice Society and PYSA/Mespinoza Ransomware Groups, which used the same ASN to host their DLS. The same ASN is also used by popular malware such as TrickBot, Meduza Stealer, Rimasuta, etc.
While checking Certificate Transparency (CT) logs, it can be seen that APT73 used a DigiCert certificate for the initial 4 months, which expired recently (this April), and then renewed with a Google certificate for their leak site: eraleignews.com.
Following are the fingerprints observed for the leak site:-
SHA-256: f1a00e2fe86455b9d1a384d5e96185e016816acd1d7ef3460e232e9ecb9da794
SHA-1: 94895ed0dc352981fbec38b5348ec3ae3be26371
MD5: 6d170d36a4d6b47987f51445b24e587c
NOTE: You can save the above fingerprints to cross-check whether any other site presents the same certificate, which would prove a correlation between groups in the future.
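As an added example (not part of the original write-up), the following Python snippet shows the cross-check suggested above: it computes the SHA-256/SHA-1/MD5 fingerprints of a DER-encoded certificate and tests them against a watchlist seeded with the eraleignews.com fingerprints. The `fetch_der` helper, which pulls a live leaf certificate with the standard library, is my assumption about how new samples would be collected and is not exercised offline; the sample bytes at the bottom are constructed stand-ins, not a real certificate.

```python
import hashlib
import ssl
from typing import Dict, Set

# Watchlist seeded with the eraleignews.com leaf-certificate fingerprints reported above.
WATCHLIST: Dict[str, Set[str]] = {
    "sha256": {"f1a00e2fe86455b9d1a384d5e96185e016816acd1d7ef3460e232e9ecb9da794"},
    "sha1": {"94895ed0dc352981fbec38b5348ec3ae3be26371"},
    "md5": {"6d170d36a4d6b47987f51445b24e587c"},
}


def normalize_fingerprint(fp: str) -> str:
    """Canonicalise a fingerprint as copied from a browser, CT log or report
    (e.g. 'F1:A0:0E:...' or 'f1a00e...') to lowercase hex without separators."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def cert_fingerprints(der: bytes) -> Dict[str, str]:
    """Fingerprints of a DER-encoded certificate, as browsers and CT logs display them."""
    return {
        "sha256": hashlib.sha256(der).hexdigest(),
        "sha1": hashlib.sha1(der).hexdigest(),
        "md5": hashlib.md5(der).hexdigest(),
    }


def match_watchlist(der: bytes, watchlist: Dict[str, Set[str]] = WATCHLIST) -> Set[str]:
    """Return the hash algorithms under which `der` matches a watchlisted fingerprint.
    An empty set means the certificate has no overlap with the known infrastructure."""
    fps = cert_fingerprints(der)
    return {
        algo
        for algo, known in watchlist.items()
        if fps[algo] in {normalize_fingerprint(k) for k in known}
    }


def fetch_der(host: str, port: int = 443) -> bytes:
    """Assumed collection step: fetch a site's leaf certificate (requires network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed sample bytes so the example runs offline without a real certificate.
    sample = b"abc"
    print(cert_fingerprints(sample))
    print(match_watchlist(sample) or "no overlap with the watchlist")
```

To pivot on a newly discovered leak site, pass `fetch_der(host)` into `match_watchlist` and record any non-empty result alongside the host.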
SOCIAL MEDIA PRESENCE
Although the group has a presence on Telegram, TOX, Twitter/X and Email, they kept it private, as no promotion was done or found anywhere. APT73 started their official Twitter account in January 2024 and has posted no tweets.
🇫🇮FINNISH CONNECTION?
Upon analyzing the Twitter 🐦⬛ accounts followed by APT73, it was found that 6 of the 8 Verified Profiles the group follows are from Finland.
Apart from this, the group also follows the South Korean Music Group BTS.
While checking the Follower list of this account, I came across this:-
The surname Solhjem is mostly traced to Norway 🇳🇴 (again Scandinavian), and Oshey has a high density in Romania 🇷🇴.
Currently, we cannot tie these identities to APT73, as they could be rogue accounts that casually follow for a follow-back.
From this, we can't say the group is from Finland; however, APT73 does have a special interest in Finland.
LOGO DECODING
While tracing the logo of APT73, which depicts a venomous Snake 🐍 Head with Spider 🕷️ Legs, it was found that the group took the logo from Pixabay, where it was uploaded on 2nd March 2021.
From this, it is found that the group used this "Snake Spider" image and changed its color to 🔴 RED for use on their Data Leak Site.
This is a common scenario for new Ransomware Players; I have seen numerous Ransomware Groups adopt this technique of copying logos from such sites.
CONCLUSION
From the Domain Registration and First Victim Leak Date, we can assume that the group became active in December 2023 but only recently listed its first victim.
From the DLS Analysis, it can be seen that the site is not fully operational (at this moment), as the group did not provide a valid SONAR ID or PGP Key on their "CONTACT US" page, unlike LockBit on their DLS.
IOCs
====
IP: 176.97.75.205
Domain: eraleignews.com
TOR Domain: qcgv5tfer4f46ns6ohh72zeyyh5uavoiybypzpt3lmwk5ecyqykptgqd.onion
TOX ID: 9796CE1E72A8874D594F6573F44C94FB649473B4194DCD80C406BFE88E4B3662A375E78FB436
SHA-256: f1a00e2fe86455b9d1a384d5e96185e016816acd1d7ef3460e232e9ecb9da794
SHA-1: 94895ed0dc352981fbec38b5348ec3ae3be26371
MD5: 6d170d36a4d6b47987f51445b24e587c
UPDATE 1:
The Onion download server qku4reiyfcs2vqq5tow2uprhyqhweo56lrgs6457svr3ej4ton5frkad.onion is now active, and I found that the site is hosted with nginx/1.18.0 (Ubuntu).
UPDATE 2:
Currently, the website eraleignews.com is unavailable and the group is only hosted on a TOR domain:
Domain: wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion
Hosted with: nginx server.
While inspecting the site, it was also found that the group primarily uses their logo (Snake Spider 🐍🕷️) in both RED 🔴 and GREEN 🟢, a color scheme that was NOT used earlier on their surface-web domain.
Currently, they have listed a German company, and the data will be made available on 3rd May 2024 (if the negotiation fails).
UPDATE 3:
The group continued their attacks in June and then came to a halt for 2 months. In July and August, they decommissioned their old DLS Domains and went offline.
The group made a comeback in September 2024 and listed:
3 Victims in September
6 Victims in October
To date, the group has listed about 20 Genuine Victims, with the UK 🇬🇧 topping the list at 9 Victims, followed by the US 🇺🇸 with 5 Victims and Switzerland 🇨🇭 with 2 Victims.
The sector most penetrated by the group is IT/Software, with 7 victims, followed by 3 sectors related to Services.
Here is the breakdown of the Victims infected by APT73/Eraleig:-
REBRANDING INTO “BASHE”
In October 2024, the group adopted a new name for their Ransomware Project and re-titled it BASHE.
To reinforce this, the group also started operating 2 Vanity TOR Domains that start with "bashe".
The domains are:-
basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion
bashe4aec32kr6zbifwd5x6xgjsmhg4tbowrbx4pneqhc5mqooyifpid.onion
Of these, the first domain is used as the DLS and the second as storage for the leaks. Both are hosted on Nginx, as before.
DATA LEAKS RECYCLED
It was found that the group also listed previous leaks originating from the BlackBasta Ransomware Group:-
Gannons
Thompsoncreek
NorthernSafety
MGFSourcing
HPECDS
Modplan
pkaufmann
Additionally, the group also included the databases of companies that were previously leaked on dark web forums, such as:-
Appen
Filmai.in
Robinhood
NOTE: The genuine victim list above does not include the breaches recycled from BlackBasta or the Forum Leaks.
This could be done by the group to embellish their victim list and create the aura of a larger Ransomware Group. The same modus operandi has been adopted by many other groups previously.
Stay tuned for more updates!!!
Follow me on Twitter/X for interesting DarkWeb/InfoSec Short findings! ;-)
NOTE:- The article is purely Individual Research and is not subjected to be used/published anywhere without the Author’s consent.