Last month, the FBI issued a warning about a ransomware group dubbed "OnePercent" targeting U.S. companies. The threat actors used malicious macros in phishing email attachments to infect victims with the ICEDID banking trojan, which in turn downloaded Cobalt Strike. OnePercent was able to spread through the network with Cobalt Strike's lateral movement capabilities (mostly using PowerShell remoting), after which it encrypted and exfiltrated data from the victim's network. Then comes the ransom part - the actors contacted their victims via email or phone and threatened to release their data on the TOR network if they didn't pay up.

Our security research team has been monitoring the ransomware group's infrastructure activity and has noticed that the domains used for their campaign have migrated to a new IP not mentioned in the earlier FBI report - 34.231.28[.]159. This Amazon IP is no newcomer to the malware scene. VirusTotal shows a ton of badness hosted there, including DGA-like domain patterns that rotate over time (examples of which can be seen in the picture below). More IOC info, including malicious domain resolves from the IP over the last 14 days, can be found at the end of this post.

Image: VirusTotal

But that's not all - our team has seen ongoing communication attempts from six of the domains in the FBI report on OnePercent. The following domains have tried to connect to our customer networks almost a million times over the last week (935K to be exact), only to be blocked by ThreatSTOP: nix1[.]xyz, golddisco[.]top, delokijio[.]pw, june85[.]cyou, intensemisha[.]cyou, biggarderoub[.]cyou.

Image: ThreatSTOP Check IOC

If anyone had doubts about OnePercent continuing their activity after being outed and shamed by the FBI - we advise thinking again. Even after big-name security companies, or even law enforcement, publicly post indicators of compromise, infection vectors, and technical details on malware attacks, the operations often don't shut down, and many internet users stay completely vulnerable to them. ThreatSTOP protection combines threat intelligence about new attacks like this one with research on bad areas of the internet you should block even before they've been publicly outed for hosting a specific attack. Or in other words - we stop threats before you read about them.

ThreatSTOP recommends blocking communication to and from the IOCs related to this campaign.
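As an added example (not ThreatSTOP's code), here is one way to check DNS logs for the six domains and the new IP named above: it refangs the indicators and matches on label boundaries, so subdomains hit and look-alike names do not. The four-field log format and the sample log lines are constructed for illustration.

```python
import ipaddress

# Indicators as defanged on this page: six FBI-report domains and the new IP.
DEFANGED = ["nix1[.]xyz", "golddisco[.]top", "delokijio[.]pw", "june85[.]cyou",
            "intensemisha[.]cyou", "biggarderoub[.]cyou", "34.231.28[.]159"]

# Constructed sample log (assumed format: timestamp client qname answer).
SAMPLE_LOG = """\
2021-01-01T10:00:01Z 10.0.0.5 www.example.com. 192.0.2.10
2021-01-01T10:00:02Z 10.0.0.7 GoldDisco.top. 34.231.28.159
2021-01-01T10:00:03Z 10.0.0.7 cdn.nix1.xyz. 203.0.113.9
2021-01-01T10:00:04Z 10.0.0.9 notnix1.xyz. 203.0.113.10
2021-01-01T10:00:05Z 10.0.0.9 unlisted.example. 34.231.28.159
"""

def refang(value):
    """Undo '[.]' defanging and normalise case and the trailing root dot."""
    return value.replace("[.]", ".").strip().rstrip(".").lower()

def build_sets(defanged):
    """Split refanged indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value)
    return domains, ips

def match_domain(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of."""
    labels = refang(qname).split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan(log_text, domains, ips):
    """Return (client, qname, reasons) for each line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, qname, answer = fields
        dom = match_domain(qname, domains)
        reasons = ["domain:" + dom] if dom else []
        try:
            if ipaddress.ip_address(answer) in ips:
                reasons.append("ip:" + answer)
        except ValueError:
            pass  # answer field is not an IP address
        if reasons:
            hits.append((client, qname, reasons))
    return hits
```

Matching the resolved address as well as the query name catches names that are not on the list but resolve to the listed IP.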

OnePercent Ransomware Group IOCs:




Past 14-day domain resolves from 34.231.28[.]159, flagged as malicious by VirusTotal: 




