Conti and Royal have gained a powerful ally: 3AM hackers are coming into play, but who are they really?

Brother

How a randomly created malware became an object of research in the cybercrime world.

In recent months, 3AM (ThreeAM), a new player in the cybercrime arena, has attracted the attention of Intrinsec specialists and has shown close ties to the Conti syndicate and the Royal group.

Innovative methods of blackmail and data leakage

A distinctive feature of 3AM is its novel extortion tactic. The group publicises a data leak through the victim's own social media presence, using bots to send messages to official accounts on the X platform announcing that the victim's data has been leaked.

Direct connection to Conti and Royal ransomware

The first reports of 3AM activity appeared in September, when the Symantec team discovered that attackers were switching to ThreeAM software after a failed attempt to deploy the LockBit malware. Further research revealed that ThreeAM is most likely related to the Royal group, which was renamed Blacksuit and consists of former members of the Team 2 group within the Conti syndicate.

Technical evidence and infrastructure analysis

Intrinsec specialists found a significant overlap in communication channels, infrastructure, and TTPs (Tactics, Techniques, and Procedures) between 3AM and Conti. By tracking the IP address that Symantec had listed as an indicator of compromise (185.202.0[.]111), the researchers found a PowerShell script used to launch Cobalt Strike, which had first been discovered back in 2020. In addition, activity resembling the Zeon ransomware program was observed, as well as the use of the IcedID malware, previously used by the XingLocker and Conti groups to deliver their payloads.

The researchers also found that the HTML content of the 3AM data leak site on the Tor network had been indexed by Shodan, the search engine for Internet-connected servers, which means it was also reachable over the regular web. The 3AM leak site on the Tor network lists 19 victims who did not pay the ransom and whose data was published. Surprisingly, the 3AM site closely resembles the LockBit group's leak site.

Link to the Lithuanian company Cherry Servers

The researchers also found a link between 3AM and the servers of the Lithuanian company Cherry Servers. A distinctive feature was the use of the same ports, protocols, and versions of Apache products on 27 of the company's servers.

Cherry Servers is a hosting company with a relatively low fraud risk, but the researchers found that the company's customers hosted the Cobalt Strike tool on their servers. In addition, the domains on the analyzed IP addresses had TLS certificates issued by Google Trust Services LLC and had been transferred to Cloudflare.

Social Media Innovation

The Intrinsec team found that 3AM was probably testing a new extortion tactic, using automated replies on X to spread news of successful attacks. This tactic was used in the case of only one 3AM victim, which suggests its effectiveness was limited.

Although ThreeAM appears to be a less sophisticated subgroup of Royal, it should not be underestimated because of its potential to conduct a large number of attacks. This highlights the ever-changing nature of cybercrime and the difficulty of tracking down members of specific groups or linking them to operations.