Trend
Affiliates
The threat landscape continued moving toward a software-as-a-service (SaaS) economy, muddying the already murky waters of attribution.
You never know who’s gonna show up for a verse on a Snoop Dogg track, and with the new as-a-service economy taking hold, ransomware operators have also embraced the power of collaboration.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
The term “affiliate” has been increasingly used to describe the cybercrime ecosystem’s evolution into a software-as-a-service (SaaS) economy. Borrowed from the subscription-based software specialization strategy, an “affiliate” refers to the provider-customer relationship of malicious services. In the cybercrime ecosystem, several SaaS variants have emerged, from phishing-as-a-service (PhaaS) to access-as-a-service to crypter-as-a-service to ransomware-as-a-service (RaaS). It has never been easier to find an adversary for hire.
This service specialization across the phases of an intrusion has led to a proliferation of partnering, muddying the waters of what was once a relatively consistent collection of tactics across campaigns. As adversaries swap subscribers and pass off payloads, identifying and anticipating the progression of a compromise becomes more challenging. To meet this challenge, we need to distinguish the affiliate activity at each stage of the campaign.
Tracking threats at Red Canary
Tracking affiliates is tricky, and to help explain why we think it’s so important, we want to share some background on our threat tracking journey. At Red Canary, we primarily track threats by documenting their observable behaviors in the form of tactics, techniques and procedures (TTP). When we first set out on this intelligence mission, we began by clustering the most prominent and prevalent threats within our data. We often focused on the primary payload as a means of referring to the threat within a detection—think Qbot, TrickBot, or Cobalt Strike. Often we would see one or more of these threats progressing to another threat, especially in the wild west of active incident response engagements.
Throughout 2021, we realized that referring to activity as an Emotet phishing campaign or a Qbot phishing campaign was confusing. The activity we observed before and after Emotet or Qbot sometimes varied, while other times, we noticed the same patterns in how different malware families gained initial access. This realization helped us determine that patterns within filenames or infrastructure indicated that these characteristics likely belonged to their own initial access cluster—a delivery affiliate—rather than a simple malware payload as we had initially been referring to them. Understanding the relationships between these related threats enables us to better understand and respond to the overall ecosystem of the threat landscape.
Prominent affiliates in 2021
The process of teasing out the distinguishing characteristics that allow us to separate distinct clusters into more granular components is constantly evolving, as are the threats themselves. While we’ve been tracking some affiliates, such as TA551 (named by Proofpoint), for quite some time, others came into focus more recently as our research progressed throughout the course of 2021. Breaking down intrusions into their component parts helps us better keep pace with the nature of the affiliate-based economy adversaries operate in today.
In 2021, we began identifying patterns in multiple phishing affiliates dropping variants of the Bazar family of malware, also referred to as “Baza.” Derived from the use of .bazar top-level domains for C2 when it was first observed in the wild, this family has lent its name to multiple initial access vectors, campaigns, and components, including BazarLoader, BazarCall, and BazarISO. The multiple components under the umbrella of the Bazar family highlight the importance of differentiating the initial access from the payload. We have seen BazarBackdoor delivered by other prominent phishing affiliates, such as TA551, and have even seen behavior echoing some of the earliest campaigns that delivered BazarBackdoor surface in the latter half of 2021, delivering a resurgent Emotet as its payload.
Incorporating findings from other researchers helped us test hypotheses and add context to our understanding of several other affiliated threats. The prominence of Qbot in our detections and as a ransomware precursor led us to further scrutinize the XLSX phishing lures that delivered it. As a result of this research, we created a distinct profile for the TR delivery affiliate (which we also observed delivering IcedID). Distinguishing these components would not have been possible without other researchers who shared their findings, such as Brad Duncan.
Shifting away from phishing affiliates, we appreciated Morphisec’s great reporting on HCrypt and Snip3 in the first half of the year, the first time crypter-as-a-service crossed our radar. This helped us better break down several other clusters of activity to distinguish the hallmarks of the crypter from the initial phishing campaigns, such as Aggah, or the myriad RAT payloads HCrypt typically delivered.
Take action
Analysts can better track affiliates by focusing on patterns in each phase of an intrusion and comparing similarities and differences to help distinguish when activity has passed from one affiliate to the next. To do this, you can ask questions of the data and compare answers across distinct incidents where you observed overlaps. Here are some example questions to consider:
- Does the email that delivered this payload belong to a phishing affiliate, or is this entire campaign a cohesive cluster?
- What about the attachment or link within the email—is that a commodity maldoc? Is it part of access broker infrastructure, or does it belong to the adversary operating the later-stage payload?
- Is the download cradle and loader the beginning of the next-stage payload, or the last vestige of the delivery affiliate before handing off execution to the delivered payload?
By homing in on the handoff between one affiliate and the next, you gain better insight into the potential pivot points in the progression of an incident, hopefully detecting adversaries closer to the start of an intrusion. Distinguishing phishing affiliates such as TA551 or TR from the IcedID or Qbot payloads they deliver not only helps delineate the handoff between the affiliates, but allows you to dive deeper into delivery patterns to identify differences when the deployed payload changes. Anticipating the next stage of a threat’s progression based on early observables enables defenders and incident responders to implement mitigations before that initial access can progress to lateral movement, data exfiltration, or ransomware.
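One way to put the questions above into practice is to record each incident’s delivery-phase observables separately from its payload and then compare incidents on the delivery phases alone. The following is an added illustration, not Red Canary tooling: the incident records, field names and values are constructed, and the two outputs correspond to the two handoff patterns discussed here (one delivery cluster serving several payloads, and one payload arriving through several delivery clusters).

```python
from collections import defaultdict

# Constructed sample incidents, not real telemetry. Each records the
# observables from the delivery phases (lure, download cradle) separately
# from the payload that eventually ran, so delivery-phase overlap can be
# compared across incidents independently of the final payload.
INCIDENTS = [
    {"id": "inc-1", "lure": {"thread_hijack": True, "attachment": "zip->doc"},
     "cradle": {"process": "regsvr32", "url_pattern": "gate-a"}, "payload": "IcedID"},
    {"id": "inc-2", "lure": {"thread_hijack": True, "attachment": "zip->doc"},
     "cradle": {"process": "regsvr32", "url_pattern": "gate-a"}, "payload": "Qbot"},
    {"id": "inc-3", "lure": {"thread_hijack": False, "attachment": "xlsx"},
     "cradle": {"process": "regsvr32", "url_pattern": "gate-b"}, "payload": "Qbot"},
    {"id": "inc-4", "lure": {"thread_hijack": False, "attachment": "xlsx"},
     "cradle": {"process": "regsvr32", "url_pattern": "gate-b"}, "payload": "Qbot"},
]

DELIVERY_STAGES = ("lure", "cradle")  # phases that belong to the delivery affiliate


def delivery_fingerprint(incident):
    """Hashable summary of only the delivery-phase observables (payload excluded)."""
    return frozenset((stage, k, v) for stage in DELIVERY_STAGES
                     for k, v in incident[stage].items())


def cluster_by_delivery(incidents):
    """Group incidents whose delivery phases match; label clusters in first-seen order."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[delivery_fingerprint(inc)].append(inc)
    ordered = sorted(groups.values(), key=lambda members: members[0]["id"])
    return {f"delivery-{n}": {"incidents": [m["id"] for m in members],
                              "payloads": sorted({m["payload"] for m in members})}
            for n, members in enumerate(ordered, 1)}


def handoffs(incidents):
    """Surface the two handoff patterns worth a separate affiliate profile.

    multi_payload: a delivery cluster seen with several payloads (one delivery
    affiliate serving several customers). multi_delivery: a payload arriving via
    several delivery clusters (the payload operator buys access from more than one).
    """
    clusters = cluster_by_delivery(incidents)
    multi_payload = {c: v["payloads"] for c, v in clusters.items() if len(v["payloads"]) > 1}
    by_payload = defaultdict(set)
    for c, v in clusters.items():
        for p in v["payloads"]:
            by_payload[p].add(c)
    multi_delivery = {p: sorted(cs) for p, cs in by_payload.items() if len(cs) > 1}
    return multi_payload, multi_delivery
```

With the constructed records, `handoffs(INCIDENTS)` reports that `delivery-1` delivered both IcedID and Qbot, and that Qbot arrived through both `delivery-1` and `delivery-2`, the same shape as the TA551/TR versus IcedID/Qbot distinction described above.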