Ransomware Command-and-Control Providers Unmasked by Halcyon Researchers
2023-08-01 • Halcyon
Halcyon identified Cloudzy as a command-and-control provider whose RDP VPS services appear to support ransomware operators and multiple state-sponsored APT groups. The DPRK-relevant evidence is limited to Halcyon’s assessment that threat actors tied to North Korea, alongside groups linked to several other governments, have leveraged Cloudzy infrastructure. The report’s main hunting method pivots on RDP hostnames found in attacker infrastructure metadata, which Halcyon says can reveal attack infrastructure before ransomware operations launch. Halcyon also assessed that Cloudzy accepts cryptocurrency for anonymous RDP VPS access and that 40% to 60% of observed activity using the provider may be malicious. Defenders are advised to search their environments for the listed hostnames and IOCs to identify possible abuse of this provider.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | b27ca5155e42e372d37cf2bcbb1f159… | 2023-08-01 | 2023-08-01 |
| HASH | 4d56e0a878b8a0f04462e7aa2a47d69… | 2023-08-01 | 2023-08-01 |
| DOMAIN | mojimetigi.biz | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.32 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.24 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.232 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.152 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.205.144 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.192 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.224 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.96 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.51.168 | 2023-08-01 | 2023-08-01 |
| IPv4 | 139.177.146.152 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.204.120 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.248 | 2023-08-01 | 2023-08-01 |
| IPv4 | 167.88.4.8 | 2023-08-01 | 2023-08-01 |
| IPv4 | 167.88.4.16 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.24 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.201.120 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.32 | 2023-08-01 | 2023-08-01 |
| IPv4 | 167.88.4.24 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.144 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.205.128 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.40 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.160 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.40 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.184 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.128 | 2023-08-01 | 2023-08-01 |
| IPv4 | 23.19.58.181 | 2023-08-01 | 2023-08-01 |
| IPv4 | 104.237.219.32 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.72 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.140.232 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.48 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.56 | 2023-08-01 | 2023-08-01 |
| IPv4 | 104.237.193.56 | 2023-08-01 | 2023-08-01 |
| IPv4 | 104.237.194.152 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.104 | 2023-08-01 | 2023-08-01 |
| IPv4 | 167.88.4.112 | 2023-08-01 | 2023-08-01 |
| IPv4 | 104.237.193.40 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.208 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.120 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.112 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.8 | 2023-08-01 | 2023-08-01 |
| IPv4 | 104.237.219.40 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.200 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.176 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.240 | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.16 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.205.136 | 2023-08-01 | 2023-08-01 |
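As an added example, not code from the Halcyon report: a small Python scanner that parses the IOC table above (a subset of the rows is embedded) and checks log lines against it. The firewall, DNS and EDR log lines are constructed for the demonstration, as is the 64-character hash built from one of the page's truncated prefixes; the field names (`dst=`, `query=`, `sha256=`) are assumed, not taken from any particular product. IPv4 addresses are matched exactly, domains case-insensitively, and hashes only as prefixes, because the page itself truncates them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Subset of the IOC table published on this page. The hash values are
# truncated on the page (trailing "…"), so they can only be matched as prefixes.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | b27ca5155e42e372d37cf2bcbb1f159… | 2023-08-01 | 2023-08-01 |
| HASH | 4d56e0a878b8a0f04462e7aa2a47d69… | 2023-08-01 | 2023-08-01 |
| DOMAIN | mojimetigi.biz | 2023-08-01 | 2023-08-01 |
| IPv4 | 64.44.134.32 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.24 | 2023-08-01 | 2023-08-01 |
| IPv4 | 172.93.179.232 | 2023-08-01 | 2023-08-01 |
| IPv4 | 167.88.4.8 | 2023-08-01 | 2023-08-01 |
"""

# Constructed log lines for the demonstration; not from the report. The last
# 33 hex digits of the hash are padding so the token is SHA-256 length.
SAMPLE_LOGS = [
    "2023-08-02T10:15:01Z fw action=allow src=10.0.0.5 dst=172.93.179.24 dport=3389 proto=tcp",
    "2023-08-02T10:16:44Z dns client=10.0.0.7 query=mojimetigi.biz type=A",
    "2023-08-02T10:17:02Z edr host=WS12 file=update.exe sha256="
    + "b27ca5155e42e372d37cf2bcbb1f159" + "0" * 33,
    "2023-08-02T10:18:00Z fw action=allow src=10.0.0.5 dst=172.93.179.25 dport=443 proto=tcp",
    "2023-08-02T10:19:30Z fw action=allow src=10.0.0.9 dst=167.88.4.80 dport=443 proto=tcp",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
HEX_RE = re.compile(r"\b[0-9a-f]{32,64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # IPv4, DOMAIN or HASH_PREFIX
    value: str      # the IOC value as listed in the table
    observed: str   # the token in the log line that matched


def load_iocs(table: str) -> Dict[str, Set[str]]:
    """Parse the markdown IOC table into per-type sets of normalised values."""
    iocs: Dict[str, Set[str]] = {"ipv4": set(), "domain": set(), "hash_prefix": set()}
    for row in table.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # header and separator rows
        kind, value = cells[0].upper(), cells[1]
        if kind == "IPV4":
            ipaddress.IPv4Address(value)  # raises ValueError on a malformed row
            iocs["ipv4"].add(value)
        elif kind == "DOMAIN":
            iocs["domain"].add(value.lower())
        elif kind == "HASH":
            iocs["hash_prefix"].add(value.rstrip("…").lower())
    return iocs


def scan_line(line_no: int, line: str, iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Return every IOC match in one log line. Whole-token matching only:
    167.88.4.80 does not match the listed 167.88.4.8."""
    hits: List[Hit] = []
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ipv4"]:
            hits.append(Hit(line_no, "IPv4", ip, ip))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in iocs["domain"]:
            hits.append(Hit(line_no, "DOMAIN", dom.lower(), dom))
    for hx in HEX_RE.findall(line):
        for prefix in iocs["hash_prefix"]:
            if hx.lower().startswith(prefix):
                hits.append(Hit(line_no, "HASH_PREFIX", prefix, hx.lower()))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Scan a sequence of log lines; line numbers are 1-based."""
    return [h for i, line in enumerate(lines, 1) for h in scan_line(i, line, iocs)]


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TABLE)):
        print(f"line {h.line_no}: {h.kind} {h.value} (observed {h.observed})")
```

A `HASH_PREFIX` hit is a lead to confirm against a full hash from the original report, not a verified match. Addresses are matched individually rather than expanded to their /24 blocks, because the page lists specific hosts; the neighbouring 172.93.179.25 in the sample logs is deliberately left unflagged.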