Why go after individuals when you can get greater rewards by zooming in on more lucrative targets like large multinational corporations (MNCs)?

That’s the premise behind the Cosmic Lynx business email compromise (BEC) campaign that brought several MNCs, many of which were Fortune 500 or Global 2000 companies, to their knees.

This short study takes a look at the indicators of compromise (IoCs) linked to Cosmic Lynx that Agari publicized. It also adds several IoCs that MNCs and practically any organization the world over should look out for at the very least.

What We Know about Cosmic Lynx

Here are some facts about Cosmic Lynx from the Agari research paper:

Cosmic Lynx is the name of the Russian cybercriminal organization behind 200 BEC campaigns targeting large MNCs globally, specifically in 46 countries across six continents, since July 2019.

The cybercriminals mimicked senior-level executives of Fortune 500 or Global 2000 companies to get to employees with access to the targets’ finances. About ¾ of Cosmic Lynx’s targets had titles like vice president, general manager, or managing director.

The campaign used a twofold impersonation scheme. They first pretend to be the CEO of an organization that is preparing to expand their operations to Asia. They ask the target employee to engage with an external legal counsel for the acquisition payments. The Cosmic Lynx actors then hijack the identity of a legitimate U.K.-based law firm lawyer to facilitate the transaction. They use Hong Kong-based mules to receive the stolen funds but also worked with others from Hungary, Portugal, and Romania.

On average, a BEC victim pays out US$55,000. Cosmic Lynx, however, asks each target for hundreds of thousands or even millions of dollars.

Cosmic Lynx mimics secure corporate networks to trick their targets. The artifacts linked to their campaigns include 65 domains and 61 IP addresses.

Additional Intel Every MNC Needs to Know

Apart from the artifacts Agari publicized, MNCs who wish to ensure utmost protection from Cosmic Lynx may also be wary of a few of the additional domains and IP addresses in Table 1 obtained from WhoisXML API threat intelligence sources, specifically DNS Lookup API and Reverse IP/DNS API. Note that these IoCs were confirmed malicious by VirusTotal. They may, however, not be directly related to the Cosmic Lynx campaign but use the same infrastructure.

Of the 61 IP addresses collated and published by Agari, 37 were categorized as “malicious” on VirusTotal. The IP address 45[.]90[.]58[.]30 proved most dangerous as it hosted two other malicious domains (i.e., frzamserngsirerive[.]com and naffltsirerive[.]com) based on Reverse IP/DNS API results.

Out of the 65 domains, meanwhile, 64 were dubbed “malicious” on VirusTotal. Five of these (i.e., mail-transport-protection[.]cc [2 IP addresses], secure-email-provider[.]com [4 IP addresses], secure-mail-net[.]com [1 IP address], secure-mail-provider[.]com [4 IP addresses], and secure-ssl-sec[.]com [4 IP addresses]) proved especially dangerous as they were connected to 1—4 malicious IP addresses.

All in all, we obtained an additional two domains and seven IP addresses that were not included in Agari’s list.

BEC attacks have been soaring to ever greater heights in terms of prominence. In 2019, the Internet Crime Complaint Center (IC3) received thousands of complaints from many companies across 20+ U.S. states. As such, the fact that more sophisticated threat groups like Cosmic Lynx are adding BEC campaigns to their arsenals should concern everyone. Protecting against BEC scams and other cyber attacks require not just keeping track of publicized IoCs but also scrutinizing said indicators using domain and IP intelligence tools to comb through all possible threat vectors.