Domain found in multiple financial and energy sectors environments

PoloBear: Malicious C2 server targeting vulnerable CMS

On October 24, 2020, the IronNet behavioral analytic DOMAIN_ANALYSIS_TLS alerted on the domain polobear[.]shop across multiple financial and energy customer IronDome environments. The spread across customers was readily identified using IronNet's Collective Defense products (IronDefense and IronDome), which allow geographically dispersed events to be queried together. With this information, IronNet's cyber operations center, the CyOC, acted to determine how and to what extent these other customers were affected.

The CyOC investigated the domain and identified several tell-tale signs of a command and control (C2) system that was actively registering geolocated IP addresses. Based on files hosted on the C2 domain, further analysis revealed several techniques of JavaScript and fictitious CSS file injection targeting vulnerable WordPress sites to compromise endpoints for potential PII harvesting.

An informational cyber threat alert to protect corporate infrastructures

IronNet is publishing this informational bulletin now that customer equities have been safeguarded; however, the domain in question is still active and remains a threat to corporate infrastructures. IronNet recommends blocking this domain and, if it is seen on your network, investigating both the traffic and the hosts involved.
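As an added example (not IronNet's code), the two defender checks this bulletin implies: flag TLS log lines whose SNI is the domain or one of its subdomains, and find `<script>`/`<link>` tags in a fetched WordPress page that load resources from it. The log line format and all sample data are constructed for this example.

```python
"""Constructed example: flag traffic to the C2 domain named in the bulletin and
find page resources that load from it. All sample data below is made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(indicator):
    """Turn a de-fanged indicator such as polobear[.]shop into a usable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


C2_DOMAIN = refang("polobear[.]shop")  # the domain named in the bulletin


def matches_domain(host, domain=C2_DOMAIN):
    """True for the domain itself or any subdomain; look-alikes such as
    notpolobear.shop do not match because the check is label-aware."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class InjectedResourceFinder(HTMLParser):
    """Collect <script src> and <link href> URLs whose host is the C2 domain."""
    def __init__(self, domain=C2_DOMAIN):
        super().__init__()
        self.domain, self.hits = domain, []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # Relative URLs have no hostname and are ignored; scheme-relative
        # ("//host/...") and absolute URLs are resolved to their host.
        if url and matches_domain(urlparse(url).hostname, self.domain):
            self.hits.append((tag, url))


def find_injected_resources(html, domain=C2_DOMAIN):
    parser = InjectedResourceFinder(domain)
    parser.feed(html)
    return parser.hits


def flag_tls_log(lines, domain=C2_DOMAIN):
    """Return (client_ip, sni) for constructed lines '<ts> <client_ip> <server_ip> <sni>'."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and matches_domain(parts[3], domain):
            flagged.append((parts[1], parts[3]))
    return flagged


# Constructed sample data (not real page content, hosts or traffic).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-content/themes/x/style.css">
<link rel="stylesheet" href="//polobear.shop/fonts.css">
</head><body>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.polobear.shop/track.js"></script>
</body></html>"""
SAMPLE_TLS_LOG = [
    "2020-10-24T13:01:02Z 10.0.0.5 203.0.113.10 polobear.shop",
    "2020-10-24T13:01:05Z 10.0.0.7 198.51.100.4 www.example.com",
    "2020-10-24T13:02:11Z 10.0.0.9 203.0.113.10 cdn.polobear.shop",
    "2020-10-24T13:02:12Z 10.0.0.9 203.0.113.11 notpolobear.shop",
]

if __name__ == "__main__":
    print(find_injected_resources(SAMPLE_HTML))
    print(flag_tls_log(SAMPLE_TLS_LOG))
```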

About IronNet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.