DarkSide is Standing Down, But Its Affiliates Live On

DarkSide, the group behind the infamous ransomware used in the attack against Colonial Pipeline that caused a national panic and sent gas prices soaring, stated on May 13 that they were immediately ceasing operations.

DarkSide operators promised to issue decryptors for all ransomware targets and compensate for outstanding financial obligations by May 23. While news of the group's capitulation is welcome, the danger associated with the threat actors that use its ransomware has not necessarily been neutralized.

DarkSide operates as a ransomware-as-a-service (RaaS), and its developers receive a share of the proceeds from its deployment by other malicious cyber actors known as affiliates. On May 11, 2021, FireEye released a Threat Intelligence report on the Tactics, Techniques, and Procedures (TTPs) used by three different DarkSide affiliates they identify as UNC2465, UNC2628, and UNC2659. 

The IOCs associated with these TTPs were researched across the RiskIQ Illuminate platform, resulting in several previously unreported IOCs for two of the three affiliates. Our researchers discovered that some of the infrastructure related to UNC2465 that the group used to deploy malware other than DarkSide ransomware is still active and could pose a threat. 

DarkSide Affiliate Infrastructure Identified by RiskIQ


According to FireEye, UNC2465 used phishing emails and legitimate services to deliver a PowerShell-based .NET backdoor they call SMOKEDHAM. Two LNK files, one reported by FireEye and another that RiskIQ found via our Internet Intelligence Graph, both executed a PowerShell script that linked to the same two URLs. FireEye reported on one of these URLs but not the other, a Shopify link. Usage of the Shopify platform by DarkSide affiliates has not been reported in open source.

Shopify is an e-commerce platform for online stores and retail point-of-sale systems that has reportedly been abused by cyber actors in dozens of campaigns. The Shopify link surfaced by RiskIQ referenced another URL, contained in VBScript on the page, which FireEye reported the affiliate used as an EMPIRE C2. RiskIQ found a redirection on this page to a second Shopify link, which linked to a third.

A review of the file hosted on this third Shopify host showed that it contained PowerShell code, likely the SMOKEDHAM .NET backdoor reported by FireEye. Our analysis of this code indicated the capability to conduct keylogging, take screenshots, and execute arbitrary .NET commands, all consistent with FireEye's description of SMOKEDHAM.

Ultimately, the data collected by UNC2465 is sent to a server using the victim's current platform identifier and version number as the User-Agent. This host abuses Microsoft Azure cloud hosting. 
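A hunting check for the User-Agent behaviour described above, added here as an example and not taken from RiskIQ's or FireEye's tooling: it flags proxy-log requests whose entire User-Agent is a .NET platform identifier plus a version number. The log layout, the host names and the separator between the two values are assumptions, since the article does not give them.

```python
import re
from collections import defaultdict

# Names of the .NET System.PlatformID enum, i.e. the "platform identifier"
# a .NET process reads from Environment.OSVersion.Platform.
PLATFORM_IDS = ("Win32S", "Win32Windows", "Win32NT", "WinCE",
                "Unix", "Xbox", "MacOSX", "Other")

# ASSUMPTION: the article does not give the exact string layout, so accept
# the identifier and a dotted version joined by nothing, " ", "/", "_" or "-".
BARE_OS_UA = re.compile(
    r"^(?:%s)[ /_-]?\d+(?:\.\d+){1,3}$" % "|".join(PLATFORM_IDS))

# Constructed proxy log (not real telemetry), tab-separated:
# time, client, destination host, User-Agent. Hosts use the reserved .example TLD.
SAMPLE_LOG = (
    "2021-05-17T09:01:12Z\tws-014\tupdates.vendor.example\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n"
    "2021-05-17T09:01:40Z\tws-014\tapp-7f3a.cloudhost.example\tWin32NT 10.0.19042.0\n"
    "2021-05-17T09:02:05Z\tws-022\tapi.vendor.example\t"
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.906\n"
    "2021-05-17T09:03:31Z\tsrv-02\tAPP-7F3A.cloudhost.example\tWin32NT10.0.17763.0\n"
    "2021-05-17T09:04:00Z\tws-030\tcurl/7.68.0\n"  # malformed: field missing
)


def hunt(log_text):
    """Map destination host -> sorted clients for every request whose whole
    User-Agent is a platform identifier plus a version number."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed rows instead of guessing at fields
        _ts, client, dest, user_agent = fields
        # Anchored match: browser or PowerShell strings that merely contain
        # "Windows NT 10.0" are not flagged.
        if BARE_OS_UA.match(user_agent.strip()):
            hits[dest.lower()].add(client)
    return {dest: sorted(clients) for dest, clients in hits.items()}


if __name__ == "__main__":
    for dest, clients in hunt(SAMPLE_LOG).items():
        print(f"{dest}: bare OS User-Agent from {', '.join(clients)}")
```

A hit is a triage lead rather than a verdict, because in-house .NET tools can set similar strings; check where the destination is hosted and which process on the client made the request.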

While the hosts we identified are no longer active, as of May 17 the malicious files and the C2 are still up.

You can see all the IOCs in our Threat Intelligence Portal, including additional indicators we identified based on the reporting from FireEye, such as addresses used to register infrastructure and several domains.


As reported by FireEye, group UNC2628 has partnered with other RaaS providers such as Sodinokibi (aka REvil) and Netwalker. Reviewing the BEACON C2s provided by FireEye, RiskIQ identified a malware sample associated with lagrom[.]com. Based on the VirusTotal detections, this sample was likely Sodinokibi ransomware delivered using Cobalt Strike. 

PassiveTotal data also revealed a subdomain of another BEACON C2, along with a malicious file. According to Hybrid Analysis, the file appears to behave as spyware, collecting information about the victim host, and RiskIQ analysis shows it communicates with known UNC2628 infrastructure.

You can see the full list of these IOCs in our Threat Intelligence Portal.

Defend Against DarkSide Affiliates

Even though DarkSide RaaS has currently ceased operations, some of the supporting infrastructure is still active and can serve malware, although in most cases the known precursors to those live sites are not currently active. RiskIQ will continue to monitor and fingerprint this activity to identify similar infrastructure. For now, consider these affiliate threat groups still at large and potentially dangerous.

Visit our Threat Intelligence Portal for our complete analysis of DarkSide affiliate infrastructure, and try RiskIQ's Illuminate® Internet Intelligence Platform to understand how next-gen security intelligence can defend your organization's unique attack surface from Ransomware threats.
