The term “affiliate” has been increasingly used to describe the cybercrime ecosystem’s evolution into a software-as-a-service (SaaS) economy. Borrowed from the subscription-based software specialization strategy, an “affiliate” refers to the provider-customer relationship of malicious services. In the cybercrime ecosystem, several SaaS variants have emerged, from phishing-as-a-service (PhaaS) to access-as-a-service to crypter-as-a-service to ransomware-as-a-service (RaaS). It has never been easier to find an adversary for hire.
This service specialization across the phases of an intrusion has led to a proliferation of partnering, muddying the waters of what was once a relatively consistent collection of tactics across campaigns. As adversaries swap subscribers and pass off payloads, identifying and anticipating the progression of a compromise becomes more challenging. To meet this challenge, we need to distinguish the affiliate activity at each stage of the campaign.
Tracking threats at Red Canary
Tracking affiliates is tricky, and to help explain why we think it’s so important, we want to share some background on our threat tracking journey. At Red Canary, we primarily track threats by documenting their observable behaviors in the form of tactics, techniques and procedures (TTP). When we first set out on this intelligence mission, we began by clustering the most prominent and prevalent threats within our data. We often focused on the primary payload as a means of referring to the threat within a detection—think Qbot, TrickBot, or Cobalt Strike. Often we would see one or more of these threats progressing to another threat, especially in the wild west of active incident response engagements.
Throughout 2021, we realized that referring to activity as an Emotet phishing campaign or a Qbot phishing campaign was confusing. The activity we observed before and after Emotet or Qbot sometimes varied, while other times, we noticed the same patterns in how different malware families gained initial access. This realization helped us determine that patterns within filenames or infrastructure indicated that these characteristics likely belonged to their own initial access cluster—a delivery affiliate—rather than a simple malware payload as we had initially been referring to them. Understanding the relationships between these related threats enables us to better understand and respond to the overall ecosystem of the threat landscape.
Prominent affiliates in 2021
The process of teasing out the distinguishing characteristics that allow us to separate distinct clusters into more granular components is constantly evolving, as are the threats themselves. While we’ve been tracking some affiliates, such as TA551 (named by Proofpoint), for quite some time, others came into focus more recently as our research progressed throughout the course of 2021. Breaking down intrusions into their component parts helps us better keep pace with the nature of the affiliate-based economy adversaries operate in today.
In 2021, we began identifying patterns in multiple phishing affiliates dropping variants of the Bazar family of malware, also referred to as “Baza.” Derived from the use of
.bazar top-level domains for C2 when it was first observed in the wild, this family has lent its name to multiple initial access vectors, campaigns, and components, including BazarLoader, BazarCall, and BazarISO. The multiple components under the umbrella of the Bazar family highlight the importance of differentiating the initial access from the payload. We have seen BazarBackdoor delivered by other prominent phishing affiliates, such as TA551, and have even seen behavior echoing some of the earliest campaigns that delivered BazarBackdoor surface in the latter half of 2021, delivering a resurgent Emotet as its payload.
Incorporating findings from other researchers helped us test hypotheses and add context to our understanding of several other affiliated threats. The prominence of Qbot in our detections and as a ransomware precursor led us to further scrutinize the XLSX phishing lures that delivered it. As a result of this research, we created a distinct profile for the TR delivery affiliate (which we also observed delivering IcedID). Distinguishing these components would not have been possible without other researchers who shared their findings, such as Brad Duncan.
Shifting away from phishing affiliates, we appreciated Morphisec’s great reporting on HCrypt and Snip3 in the first half of the year, the first time crypter-as-a-service crossed our radar. This helped us better break down several other clusters of activity to distinguish the hallmarks of the crypter from the initial phishing campaigns, such as Aggah, or the myriad RAT payloads HCrypt typically delivered.