APT73/ERALEIG NEWS: UNVEILING NEW RANSOMWARE GROUP

Rakesh Krishnan
Apr 20, 2024

NOTE: This is a preliminary report about a new ransomware group which I unmasked during my cyber investigation. Only a single victim has been compromised by the group so far, and no samples are publicly available to perform malware analysis.

APT73: Self-Proclaimed “APT” Ransomware Group 😈

Unlike the naming conventions researchers attribute to threat actors, this group chose to call itself “APT” (Advanced Persistent Threat) followed by a number.

NOTE: For example, APT37 is a North Korean threat actor group also known as InkySquid/Ricochet Chollima.

TA Representation: Jafar with Snake from Aladdin | Source: Pinterest

APT73 is a ransomware group that appears to be a spin-off of LockBit. This is observed when inspecting their “Contact Us”, “How to buy Bitcoin” and “Web Security & Bug Bounty” pages, which are replicas of the LockBit Data Leak Site (DLS).

APT73 Homepage

The contents inside the listed pages are the same as LockBit.

From this, we can assess that it is a LockBit-styled Ransomware Data Leak Site (DLS).

NOTE: It is not known how this ransomware infects its victims, as no sample is yet available for the public to analyze. However, we can assume it is via phishing.

There is a section titled Mirrors that does not list any active mirrors, unlike LockBit's. This is the only difference in their DLS, and it makes the group look amateurish.

ANALYZING DATA LEAK SITE (DLS)

APT73 has named its Data Leak Site “ERALEIGNEWS”, which is located at:

http://eraleignews.com/

On visiting the website, we can see a single leak displayed by the group:

DLS Page

The leaked victim is TRIFECTA, a customer service platform centered on Salesforce and based in the United States.

Victim Leak Info

While navigating the breach page, we can see the contents shown in the screenshot above.

The victim was given a deadline of 5th April 2024, which indicates that the data was leaked on the same day.

The data was downloadable ONLY via TOR, as the leak was hosted on a TOR domain:

qcgv5tfer4f46ns6ohh72zeyyh5uavoiybypzpt3lmwk5ecyqykptgqd.onion

The leak can be found at: http://qcgv5tfer4f46ns6ohh72zeyyh5uavoiybypzpt3lmwk5ecyqykptgqd.onion/files/trifecta.zip

The above URL is NOT active at the moment, so the leak is NOT downloadable. However, it may come alive in the coming days. The group also listed 3 screenshots that expose sensitive information such as WiFi passwords, Salesforce credentials, security tokens, etc.

From this, it can be inferred that the group maintains a “Files” folder on its TOR server, where all listed victims will be added shortly, each packaged as “VictimName.zip”. This modus operandi is common among ransomware groups.

One interesting fact: this group does not promote its website anywhere, such as on forums or Telegram groups, even though doing so is a common modus operandi of ransomware groups that want to maximize recognition of their DLS.

This could be because the group is early in its victimization and plans to launch/broadcast its DLS to the general public once it has a large number of victims (at least 5, maybe…who knows!).

🔎HUNTING SERVER INFRASTRUCTURE

Checking the domain registration records, we can see that APT73 registered this domain on 15th December 2023, purchased from Namecheap with domain privacy enabled to conceal the registrant's identity.

On a deeper dive, I found the real IP address hosting the APT73 website:

176.97.75.205

IP Address Details
==================
Location: Prague, Czechia
Hosted: M247 Europe SRL (Romania-based)
Server: nginx
Organization name: IROKO Networks Corporation (Panama-based)
ASN: AS9009
Port Used: 8081

NOTE: AS9009 was found to be highly malicious; it has previously been associated with the DarkAngels, Vice Society and PYSA/Mespinoza ransomware groups, which used the same ASN to host their DLS. The same ASN is also used by popular malware such as TrickBot, Meduza Stealer, Rimasuta, etc.

Certificate Transparency (CT) logs show that APT73 used a DigiCert certificate for the first 4 months, which expired recently (this April), and then renewed with a Google-issued certificate for their leak site: eraleignews.com.

Following are the fingerprints observed for the leak site:

SHA-256: f1a00e2fe86455b9d1a384d5e96185e016816acd1d7ef3460e232e9ecb9da794
SHA-1: 94895ed0dc352981fbec38b5348ec3ae3be26371
MD5: 6d170d36a4d6b47987f51445b24e587c

NOTE: Save the above fingerprints to cross-check whether any other site presents the same certificate; a match would help establish a correlation between groups in future.
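As an added example (not code from the original post), a small Python helper that turns a PEM certificate into the same SHA-256/SHA-1/MD5 fingerprints quoted above and checks them against this watchlist. It assumes you have already fetched the PEM, for instance from a CT log or `openssl s_client -showcerts`; the embedded sample PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Certificate fingerprints reported on this page for eraleignews.com.
WATCHLIST = {
    "sha256": "f1a00e2fe86455b9d1a384d5e96185e016816acd1d7ef3460e232e9ecb9da794",
    "sha1": "94895ed0dc352981fbec38b5348ec3ae3be26371",
    "md5": "6d170d36a4d6b47987f51445b24e587c",
}

# Constructed stand-in: the body is base64 of the bytes b"abc", not a real
# certificate. Fingerprinting is byte-level, so the logic is identical for a
# real PEM obtained from a CT log or from `openssl s_client -showcerts`.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def normalize(fp: str) -> str:
    """Lower-case and drop colons/spaces so 'F1:A0:0E:...' equals 'f1a00e...'."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body between the PEM markers into DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprints(der: bytes) -> dict:
    """CT/browser fingerprints are hashes of the DER encoding, never of the PEM text."""
    return {alg: hashlib.new(alg, der).hexdigest() for alg in ("sha256", "sha1", "md5")}


def match_watchlist(fps: dict, watchlist: dict = WATCHLIST) -> list:
    """Return the algorithms whose value equals the watched fingerprint, after normalizing."""
    return [alg for alg, val in fps.items()
            if alg in watchlist and normalize(val) == normalize(watchlist[alg])]


def check_pem(pem: str, watchlist: dict = WATCHLIST) -> list:
    """Full pipeline: PEM text in, list of matching fingerprint algorithms out."""
    return match_watchlist(fingerprints(pem_to_der(pem)), watchlist)


if __name__ == "__main__":
    for alg, val in fingerprints(pem_to_der(SAMPLE_PEM)).items():
        print(f"{alg}: {val}")
    print("watchlist hits:", check_pem(SAMPLE_PEM))  # [] for the constructed sample
```

Feed it the PEM of any suspect site and a non-empty result means that site is serving exactly the certificate recorded above.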

SOCIAL MEDIA PRESENCE

Although the group has a presence on Telegram, TOX, Twitter/X and email, it has kept these private, as no promotion of them was found anywhere. APT73 started its official Twitter account in January 2024 and has posted no tweets.

🇫🇮FINNISH CONNECTION?

Upon analyzing the Twitter 🐦‍⬛ accounts followed by APT73, it is found that of the 8 accounts the group follows, 6 are verified profiles from Finland.

Accounts followed by APT73 on Twitter/X

Apart from this, the group is also following South Korean Music Group BTS.

While checking the follower list of this account, I came across the following:

Followers of APT73 Twitter/X Account

The surname Solhjem is mostly traced to Norway 🇳🇴 (again Scandinavian), and Oshey has a high density in Romania 🇷🇴.

Currently, we cannot tie these identities to APT73, as they could be random accounts that follow casually in the hope of a follow-back.

From this, we cannot say the group is from Finland; however, APT73 does have a special interest in Finland.

LOGO DECODING

While tracing the logo of APT73, which depicts a venomous snake 🐍 head with spider 🕷️ legs, it was found that the group had taken the logo from Pixabay, where it was uploaded on 2nd March 2021.

Evidence: APT73 Official Logo taken from Pixabay

From this, it is found that the group reused this “Snake Spider” image, recolored to 🔴RED, on its Data Leak Site.

This is common among new ransomware players; I have seen numerous ransomware groups copy their logos from such stock-image sites.

CONCLUSION

From the domain registration and first victim leak dates, we can assume that the group became active in December 2023 but only recently listed its first victim.

From the DLS analysis, it can be seen that the site is not fully operational (at this moment), as the group did not provide a valid SONAR ID or PGP key on its “CONTACT US” page, unlike LockBit on its DLS.

IOCs
====

IP: 176.97.75.205
Domain: eraleignews.com
TOR Domain: qcgv5tfer4f46ns6ohh72zeyyh5uavoiybypzpt3lmwk5ecyqykptgqd.onion
TOX ID: 9796CE1E72A8874D594F6573F44C94FB649473B4194DCD80C406BFE88E4B3662A375E78FB436
SHA-256: f1a00e2fe86455b9d1a384d5e96185e016816acd1d7ef3460e232e9ecb9da794
SHA-1: 94895ed0dc352981fbec38b5348ec3ae3be26371
MD5: 6d170d36a4d6b47987f51445b24e587c

UPDATE 1:

The Onion download server qku4reiyfcs2vqq5tow2uprhyqhweo56lrgs6457svr3ej4ton5frkad.onion is active now, and I found that the site is served by nginx/1.18.0 (Ubuntu).

UPDATE 2:

Currently the website eraleignews.com is unavailable, and the site is hosted only on a TOR domain:

Domain: wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion
Hosted with: nginx server.
TOR Domain Presence

While inspecting the site, it is also found that the group now uses its logo (Snake Spider 🐍🕷️) in both 🔴RED and 🟢GREEN, a combination NOT used earlier on its surface domain.

Currently, they have listed a German company, and the data will be made available on 3rd May 2024 (if the negotiation fails).

Stay tuned for more updates!!!

Follow me on Twitter/X for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.