IronRadar Reforged

Block The Assault Before It Ever Happens

Cybersecurity organizations are fighting a constant battle against threats across an evolving cyber landscape while being understaffed and facing constrained budgets. This generally results in a reactive cybersecurity environment, especially for the more resource-strained entities, wherein the adversary always has the initiative. Traditional cybersecurity threat intelligence solutions require significant funding, or in-house skills, or both. 

IronRadar was developed as a cost-effective, proactive threat feed.

For many cybersecurity teams, access to high-quality threat feeds may not be feasible, given their costs. IronNet developed IronRadar with this problem in mind, providing organizations with a cost-effective Proactive Threat Intelligence solution focused on detecting adversary Command and Control (C2) infrastructure as it comes online. It informs cybersecurity teams and tools about the source of an imminent attack, enabling them to block the assault before it ever happens. By integrating directly with security appliances, IronRadar allows any cybersecurity team, regardless of skill level, to punch above their weight class and stop attackers that nobody else could. Proactive Threat Intelligence is a game-changing approach that provides early warning and protection against both known and unknown threats. 

IronRadar provides this service by identifying command and control infrastructure as it is being established. This is done through long-tail analysis of malware C2, attribution clustering, and Collective Defense correlations to flesh out threat actor infrastructure even before it is fully operational. Proactive Threat Intelligence becomes more valuable as threat actors continue to change infrastructure and procedures to evade detection. While humans can be tricked and cybersecurity tools can be evaded, remote connections are required for issuing commands, exfiltrating data, or general interaction with virtually any compromised environment. This is where IronRadar’s C2 data helps inform cybersecurity tools (Endpoint Detection and Response (EDR), firewalls, SIEMs, etc.) to detect the network communications between infected hosts and C2 infrastructure. Through a combination of Collective Defense Intelligence, IronRadar data, and open-source tools, IronNet’s Threat Research team is able to monitor and track C2 behaviors to keep pace with the ever-evolving threat landscape. 

IronRadar Has You Covered

IronRadar is:
        » Cost-effective
        » Proactive
        » Highly focused on uncovering and detecting emerging Command and Control (C2)
        » Easy to integrate with existing cybersecurity tools

IronRadar provides:
        » An "Early-Warning System" for C2
        » Detection and monitoring of over 65 C2 frameworks
        » Monitoring and detection of the emerging threat landscape
        » Threat Intelligence as a Service options

IronRadar: Threat Intelligence as a Service

In addition to our Basic IronRadar Threat Feed, two new service offerings are being added: IronRadar Advanced and IronRadar Elite. These will enable customers to leverage the threat intelligence capabilities and resources of IronNet to enhance and augment their SOC when they need help the most. With IronRadar Advanced, customers will be given access to a new customer portal to submit Threat Intelligence RFIs. For IronRadar Elite, customers will be given priority response times and escalation capabilities while also having the ability to request detailed Threat Reports based on whatever threats are of concern. Both options will additionally provide a touchpoint between IronRadar customers and the Collective Defense Community by enabling indicator query requests, which will be searched and correlated across the Dome (IronNet’s anonymized Threat Intelligence and Sharing platform).

IronRadar Relaunch Product Offering-5.8.24

IronRadar Development

IronRadar stays relevant through the development and enhancements made by IronNet Threat Research. While searching and creating detections for new threats is critical, maintaining existing ones is as important. Adversaries will continuously evolve to evade detections and remain relevant, making routine reviews of existing frameworks mandatory. Should a change to a C2 framework or malware type be observed, a process of research and analysis begins. This encompasses a fresh look at the activity to proactively identify and hunt for the new communication methods. This month, IronNet Threat Research took a look at changes to Amadey C2.

C2 Spotlight - Amadey

In early 2024, IronNet Threat Research noticed a substantial decrease in IronRadar detections of Amadey C2. Through a combination of Collective Defense Intelligence, IronRadar data, and open-source tools, malicious infrastructure hosting various malware types and C2 login panels was discovered. The following is a minimized sample of Threat Research data and reporting; IronRadar customers gain access to the full report and IoCs with their annual subscription.

IronRadar detected and alerted Threat Research to an Amadey C2 panel on 93.123.39[.]96. This IP was found to be hosting additional Amadey C2 panels, as well as Amadey payloads across multiple domains. Further analysis led to the identification of a unique Subject Common Name in the TLS certificate ‘cryptohopperai[.]org’, which was shared among 7 IP addresses assigned to Silent Connection Ltd. It should be noted that a legitimate website (cryptohopper[.]com) was identified and is related to a crypto trading bot, but no link beyond the name similarity was found.

In total, 6 additional IPs (93.123.39[.]91 - 93.123.39[.]97) were identified and found to be hosting phishing pages and unspecified trojans. In addition, an anomalous login page on the domain ‘fastpr[.]vip/login’ was found where a ‘License Key’ was required for access. While we were unable to verify what was behind this login page, it is likely that malicious software is hosted there. 

The discovery of this cluster led researchers to two additional ASNs that hosted a variety of malware and C2 panels, including Amadey, Smokeloader, Redline stealer and more. This research resulted in 7 new IronRadar detections across 6 malware types, in addition to 27 indicators being added to IronNet’s Collective Defense community.

Amadey

Connections of cluster 1 through Subject CN cryptohopperai[.]org to all IPs and domains which are hosting malware and phishing pages.

_________

INTERESTED IN LEARNING MORE ABOUT OUR NEW IRONRADAR SERVICE TIERS?

Contact us at threatintel@ironnetcybersecurity.com for further information or to schedule a demo.

About IronNet
IronNet is dedicated to delivering the power of collective cybersecurity to defend companies, sectors, and nations. By uniting advanced technology with a team of experienced professionals, IronNet is committed to providing peace of mind in the digital world.