Post by Admin on May 10, 2021 22:57:39 GMT
About Darkside, inc.
The Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in August of 2020 via a “press release.” Since then, they have become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking.
The group’s name, Darkside, evokes the image of a good guy (or gal) that has turned from the light. While we can’t conclude that the group is comprised of former IT security professionals, their attacks reveal a deep knowledge of their victims’ infrastructure, security technologies, and weaknesses.
They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms.
Our reverse engineering revealed that Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organizations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.
The group has both Windows and Linux toolsets. Much like NetWalker and REvil, Darkside has an affiliate program that offers anyone who helps spread their malware 10-25% of the payout.
Anatomy of an Attack
The Darkside ransomware attack campaigns stood out for their use of stealthy techniques, especially in the early stages. The group performed careful reconnaissance and took steps to ensure that their attack tools and techniques would evade detection on monitored devices and endpoints.
While their initial entry vectors vary, their techniques are more standardized once inside, and their endgame is coldly efficient.
Stealth tactics include:
Command and control over TOR
Avoiding nodes where EDR is running
Waiting periods & saving noisier actions for later stages
Customized code and connection hosts for each victim
Obfuscation techniques like encoding and dynamic library loading
Anti-forensics techniques like deleting log files
During the later stages of their attack sequence, they:
Harvest credentials stored in files, in memory, and on domain controllers
Utilize file shares to distribute attack tools and store file archives
Relax permissions on file shares for easy harvesting
Delete backups, including shadow copies
Deploy customized ransomware
Initial Access: Finding the Weak Link
Darkside ransomware gained initial entry through weak links – remotely exploitable accounts and systems.
We observed Darkside use compromised contractor accounts to access Virtual Desktop Infrastructure (VDI) that had been put in place to facilitate remote access during the pandemic. Though, contractor accounts did not.
We also observed them exploit servers, and then quickly deploy an additional RDP that would preserve access should the vulnerable server be patched.
While neither of these vectors is novel, they should serve as a warning that sophisticated threat actors are easily bypassing perimeter defenses. They illustrate the need for multi-factor authentication on all internet-facing accounts and rapid patching of internet-facing systems.
The Darkside ransomware attackers established command and control primarily with an RDP client running over port 443, routed through TOR. After installing a Tor browser, they modified its configuration to run as a persistent service, redirecting traffic sent to a local (dynamic) port through TOR via HTTPS over port 443, so it would be indistinguishable from normal web traffic. These connections were persistent, so the attackers could establish RDP sessions to and through the compromised hosts, facilitating lateral movement.
We found traces of TOR clients across many servers and observed dozens of active TOR connections.
The attackers used Cobalt Strike as a secondary command and control mechanism. We observed dozens of customized stagers, each downloading a customized beacon that connected to a specific server. The stagers (named file.exe) were deployed remotely on specific targeted devices using WinRM, each one configured differently. The Cobalt Strike stagers connected to a dedicated C2 server to download the Cobalt Strike Beacon.
Threat actors commonly use only a few C2 servers per victim, but Darkside configured each beacon to connect to a different C2 server with a different user agent. This would indicate that Darkside operates a large, well-established attack infrastructure.
The stagers and TOR executables were stored in network shares for easy distribution. The actors avoided installing backdoors on systems monitored by EDR solutions.
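As an added example (not code from the original write-up), the two checks below sketch how a defender might hunt for the command-and-control pattern just described: a Tor binary registered as a persistent Windows service, and beacons whose user agent appears from only one internal host to one destination over 443. All hostnames, addresses, service names and log records are constructed, and the "unusual service roots" list is an assumption.

```python
import re
from collections import defaultdict

# Constructed records in the shape of System event 7045 (service installed):
# (host, service name, image path with arguments)
SERVICE_EVENTS = [
    ("SRV01", "wuauserv2", r"C:\Users\svc_contractor\AppData\Local\Tor Browser\Browser\TorBrowser\Tor\tor.exe -f torrc"),
    ("SRV01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("WS07", "UpdSvc", r"C:\ProgramData\upd\updater.exe"),
]

# Constructed proxy records: (host, destination, port, user agent)
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
MSIE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/90.0 Safari/537.36"
PROXY_EVENTS = [
    ("SRV01", "203.0.113.10", 443, IE11_UA),
    ("SRV01", "203.0.113.10", 443, IE11_UA),
    ("SRV02", "198.51.100.7", 443, MSIE9_UA),
    ("WS01", "93.184.216.34", 443, CHROME_UA),
    ("WS02", "93.184.216.34", 443, CHROME_UA),
    ("WS03", "93.184.216.34", 443, CHROME_UA),
]

UNUSUAL_SERVICE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")  # assumed: services rarely live here

def suspicious_services(events):
    """(host, service) where the binary is tor.exe or is installed from a user-writable location."""
    hits = []
    for host, name, image in events:
        lowered = image.lower()
        m = re.search(r"([^\\]+?\.exe)", lowered)  # first path component ending in .exe
        exe = m.group(1) if m else ""
        if exe == "tor.exe" or lowered.startswith(UNUSUAL_SERVICE_ROOTS):
            hits.append((host, name))
    return hits

def single_host_user_agents(events, port=443):
    """(host, destination, user agent) for agents seen from exactly one host on `port`:
    the one-beacon, one-user-agent, one-C2 pattern described above."""
    hosts, dsts = defaultdict(set), defaultdict(set)
    for host, dst, p, ua in events:
        if p == port:
            hosts[ua].add(host)
            dsts[ua].add(dst)
    return sorted((next(iter(hosts[ua])), next(iter(dsts[ua])), ua)
                  for ua in hosts if len(hosts[ua]) == 1)
```

A user agent seen from a single host is common on its own, so in production baseline it over a longer window and combine it with connection persistence on 443 before alerting.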
Recon and Credential Harvesting
Darkside ransomware is known for living off the land (LOtL), but we observed them scanning networks, running commands, dumping processes, and stealing credentials. Like the command and control code, the attack tools were executed on hosts that had minimal detection and blocking capabilities. Well-known tools included advanced_ip_scanner.exe, psexec, Mimikatz, and more.
From the initial set of compromised hosts, the attacker used ticket requests and NTLM connections to gain access to additional systems and accounts. After a waiting period, the actor used an Active Directory reconnaissance tool (ADRecon.ps1) to gather additional information about users, groups, and privileges, storing the results in a file called DC.txt. Each of their attack tools was deleted after use. The attacker temporarily stored the recon results and credential information on a very active Windows server. Interesting file names written and deleted on the server included: Typed_history.zip, Appdata.zip, IE_Passwords.zip, AD_intel, and ProcessExplorer.zip.
In addition to credential harvesting, the attacker mined credentials from User profile folders, including:
Users\<user name>\AppData\[Roaming|Local]\Microsoft\[Credentials|Vault]
Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles
Users\<user name>\AppData\Local\Google\Chrome
The threat actor used Invoke-mimikatXz.ps1 to extract credentials from unmonitored servers and stored them in a file called “dump.txt.” This operation was performed on a high-value target with minimal detection capabilities.
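As an added example (not from the original write-up), the detection logic below runs over constructed Sysmon-style file events and looks for the two behaviours described in this section: staging archives with the names listed above being written and then deleted on a server, and a process other than the store's normal owner reading the user-profile credential locations listed above. Hostnames, user names, timestamps and the allowlist of expected readers are assumptions.

```python
import re

# Staging artefacts named in the write-up (compared case-insensitively)
STAGING_NAMES = {"typed_history.zip", "appdata.zip", "ie_passwords.zip", "ad_intel", "processexplorer.zip", "dc.txt", "dump.txt"}

# Credential-store locations under the user profile, from the write-up
CRED_STORE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\\users\\[^\\]+\\appdata\\(roaming|local)\\microsoft\\(credentials|vault)",
    r"\\users\\[^\\]+\\appdata\\roaming\\mozilla\\firefox\\profiles",
    r"\\users\\[^\\]+\\appdata\\local\\google\\chrome",
)]

# Assumed allowlist: processes expected to open these stores themselves
EXPECTED_READERS = {"firefox.exe", "chrome.exe", "msedge.exe", "lsass.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed events: (time, host, action, image, target path); 'create' ~ Sysmon EID 11, 'delete' ~ EID 23/26
SAMPLE_EVENTS = [
    ("10:00:01", "SRV01", "create", PS, r"C:\Temp\DC.txt"),
    ("10:00:05", "SRV01", "read", PS, r"C:\Users\jsmith\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"),
    ("10:00:06", "SRV01", "read", PS, r"C:\Users\jsmith\AppData\Local\Microsoft\Vault\cred.vcrd"),
    ("10:00:09", "SRV01", "create", PS, r"C:\Temp\IE_Passwords.zip"),
    ("10:02:00", "SRV01", "delete", CMD, r"C:\Temp\IE_Passwords.zip"),
    ("10:03:00", "SRV01", "delete", CMD, r"C:\Temp\DC.txt"),
    ("10:10:00", "WS07", "read", r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Users\akim\AppData\Roaming\Mozilla\Firefox\Profiles\xyz.default\logins.json"),
    ("10:11:00", "WS07", "create", r"C:\Windows\explorer.exe", r"C:\Users\akim\Documents\report.zip"),
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def staged_then_deleted(events):
    """(host, filename) for staging artefacts written and later deleted on the same host."""
    created, hits = set(), []
    for _, host, action, _, path in events:
        name = _basename(path)
        if name not in STAGING_NAMES:
            continue
        if action == "create":
            created.add((host, name))
        elif action == "delete" and (host, name) in created:
            hits.append((host, name))
    return hits

def foreign_credential_store_access(events):
    """(host, process, path) where a process outside EXPECTED_READERS touches a credential store."""
    return [(host, _basename(image), path) for _, host, _, image, path in events
            if _basename(image) not in EXPECTED_READERS
            and any(p.search(path) for p in CRED_STORE_PATTERNS)]
```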
Encryption
Darkside doesn’t deploy ransomware until they’ve mapped the environment, exfiltrated interesting data, gained control of privileged accounts, and identified all backup systems, servers, and applications. We observed several connections to primary backup repositories using compromised service accounts shortly before encryption. By holding off on the encryption phase of the attack, they put themselves in a position to maximize damage and profit.
The ransomware code is delivered through established backdoors (TOR-RDP or Cobalt Strike) and is customized for each victim. The payload includes the executable, a unique extension, and a unique victim ID that allows the victim to access Darkside’s website and make payment.
By using unique executables and extensions, the ransomware easily evades signature-based detection mechanisms. Darkside also provides customized ransomware to other threat actors (Ransomware as a Service) and takes a share of the profit from successful attacks.
One version of the customized code was named “Homie.exe.” Besides being customized, it uses anti-forensics and anti-debugging techniques, such as self-injection, virtual machine detection, and dynamic library loading. It also deletes shadow copies on victim devices.