Affiliates vs Hunters: Fighting the “DarkSide”

This content was originally written by me for SOC Prime, Inc. You can view the original article with detection rules here or read on for a local version.

Introduction

On August 2020 a new type of malware, belonging to the Ransomware category, appeared in the cyber threat landscape. Threat actor responsible for its development called it “DarkSide” and , like others piece of malware of this type, is operated in Big Game Hunting (BGH) campaigns. Around more or less the same time, a DLS (Dedicated Leak Site) was made available on the darkweb (behind the TOR network) in order to report the first victims.

On their DLS, DarkSide operators claimed to be experienced in conducting cyber operations, having previously used other , not better identified, ransomware variants. Indeed, some characteristics of their operations support the hypothesis that the group could be a former affiliate of some other R-a-a-S (Ransomware as a Service) program that chosen to write their own ransomware likely to avoid sharing the profits of criminal activities with third parties.

Insights

DarkSide is a well-written malware family not much changed if compared to the first versions analyzed. Usually the samples belonging to this family present, as already reported in other technical tearticles, some functionalities aimed at making the analysis more harder. Indeed, in a recent sample (sha256:17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61), at 0040182A we find a sub aimed at dynamically resolving DLLs and API through LoadLibrary / GetProcAddress. sub_4016D5, sub_4013DA and sub_401AC3 are also involved in this process. The following screenshot shows a chunk of code extracted from the whole function designed for this purpose:

This can be an useful place to create a code-chunck based Yara rule aimed at hunting further variants of the same malware family. After having selected two representative chuncks we can obtain something similar to the following:

rule DarkSide_Ransomware_827333_39928 : CRIMEWARE {
meta:
author = “Emanuele De Lucia”
description = “Detects possible variants of DarkSide ransomware”
hash1 = “17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61”
/*
call 0x4016d5
push esi
call 0x408195
mov ebx, eax
push dword ptr [esi – 4]
push esi
call 0x4013da
mov eax, dword ptr [esi – 4]
lea esi, [esi + eax]
mov ecx, 0x23
*/
strings:
$ = { E8 [4] 56 E8 [4] 8B D8 FF 76 ?? 56 E8 [4] 8B 46 ?? 8D 34 06 B9 ?? ?? ?? ?? }
condition:
any of them
}

Darkside employs also techniques for privilege escalation and UAC (User Access Control) bypass. The technique observed in this case is known as CMSTPLUA UAC Bypass and exploits the ShellExec function by CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allow to start a process with elevated permissions, according to the following graph:

Powershell is used in order to delete shadow copies preventing the recovery of previously backed up files through them according to the following syntax:

powershell -ep bypass -c
“(0..61)|%{$s+=[char][byte](‘0x’+’4765742D576D694F626A6563742057696E33325F536861646F77
636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20′
.Substring(2*$_,2))};iex $s”
Decoded:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

In this case, a quick Sigma rule, can be employed in order to hunt for similar systems-side behaviors.

title: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies
status: stable
description: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies
author: Emanuele De Lucia
references:
– internal research
tags:
– attack.t1086
– attack.t1064
date: 2020/12/01
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
– ‘\powershell.exe’
CommandLine|contains|all:
– ‘(0..61)|%%{$s+=[char][byte]’
– ‘4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20’
condition: selection
level: high

Before executing the main payload, the sample performs several other activities like information gathering (f.e. get Disks Info)

This image has an empty alt attribute; its file name is immagine-2.png

and a comparison of system services with a predefined list to stop those services that could affect the file encryption process

The following are the services malware looks for:

sql
oracle
ocssd
dbsnmp
synctime
agntsvc
isqlplussvc
xfssvccon
mydesktopservice
ocautoupds
encsvc
firefox
tbirdconfig
mydesktopqos
ocomm
dbeng50
sqbcoreservice
excel
infopath
msaccess
mspub
onenote
outlook
powerpnt
steam
thebat
thunderbird
visio
winword
wordpad
notepad

These areas can likewise be considered in order to extract bad-known pieces of code:

rule DarkSide_Ransomware_827333_39929 : CRIMEWARE {
meta:
author = “Emanuele De Lucia”
description = “Detects possible variants of DarkSide ransomware”
hash = “17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61”
/*
push 0x10020
push dword ptr [edi]
push dword ptr [ebp – 4]
call dword ptr [0xcf0e66]
mov dword ptr [ebp – 8], eax
cmp dword ptr [ebp – 8], 0
je 0xce4d83
push 0x1c
lea eax, [ebp – 0x30]
push eax
call 0xce13da
lea eax, [ebp – 0x30]
push eax
push 1
push dword ptr [ebp – 8]
call dword ptr [0xcf0e6a]
push dword ptr [ebp – 8]
call dword ptr [0xcf0e6e]
*/
strings:
$ = {68 [4] FF 37 FF 75 ?? FF 15 [4] 89 45 ?? 83 7D [2] 74 ?? 6A ?? 8D 45 ?? 50 E8 [4] 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 [4] FF 75 ?? FF 15 ?? ?? ?? ??}
condition:
any of them
}

After the encryption phase, Darkside is designed to communicate to its command and control server in order to share details relating to the victim (victimID) as well as further parameters useful for recovering encrypted files and identifing the affiliate. Most probably these network capabilities have been added in order to support the R-a-a-S model. In the analyzed sample, the CnC (Command and Control) is attested over the domain name securebestapp20.com. Detecting network activities potentially related to this threat could therefore involve writing SNORT rules similar to the following:

alert udp $HOME_NET any -> any 53 (msg:”DNS request for a blacklisted domain ‘securebestapp20.com'”; content:”|0f|securebestapp20|03|com|00|”;nocase; reference:url,https://www.emanueledelucia.net/; sid:[SID HERE]; rev:1;)

This domain name has been created on 16/09/2020 and, according to my visibility, at time of writing it has an history of two (2) A record associated. The interesting one is linked to the IP 185.105.109.19. Could be interested to note that the pDNS count value for this domain name from 21/09/2020 (day of first observed resolution to 185.105.109.19) to 05/01/2021 (day of last observed resolution to 185.105.109.19) is less than 180 and that most of them occurred from early November until today. This suggest a growth of the spread and obviously of the R-a-a-S business as well. In general, moreover, this number is also consistent with the low overall volume of DarkSide campaigns observed at least until mid-November 2020. This is further confirmed by the payload-side visibility I can dispose of for this malware family. Following are shown detection hits for DarkSide malfamily up to December 2020:

Welcome to Darkside

On 11/10/2020 a user posted an announcement titled “[Affiliate Program] Darkside Ransomware” on a Russian-speaking darkweb forum. The text contained in that post officially started the project’s affiliate program. Press articles has been used in order to advertise the program itself as well as the skills of the group that are “aimed only at large corporations” as originally posted by threat actor itself:

In the affiliate program are not welcome, among others, English speaking personalities, employees of the secret service, security researchers, the greedy (at least so I seem to understand) etc.etc.

There are, moreover, some rules to be respected, like avoiding to target entities within countries belonging to the CIS (Содружество Независимых Государств), including Georgia and Ukraine, or those operating in education, medicine, public and non-profit sector.

As you might imagine for any other job, there is a selection to go through in order to be included in the program. This includes an interview to check the candidate’s skills and experiences, such having been affiliated with some other program previously.

The group offers a Windows and Linux version of DarkSide ransomware plus an admin panel, a leak site and a CDN system for data storage.

So, do you have ESXi ?

At the end of November 2020, a Linux variant (ELF64) of DarkSide ransomware was uploaded to a well-known online malware repository. It had a detection rate, at the time of upload, practically non-existent. Even at time of writing (Jan 2021) the detection rate is very low (2/63). It seems to have a quite different purpose respect to the Windows counterpart. While the latter is born to encrypt all user files on a workstation (documents, images, PDFs and so on…), the Linux version has been created to damage virtual machines on servers. Indeed, the samples looks for extensions related to VMWare files like .vmdk, .vmem, .vswp and generic logs formats.

The ransom note is similar to the Windows one

and the output of the executable, once launched, confirms the focus on ESXi environments

as /vmfs/volumes/ is the default location of ESXi virtual machines.

A strict Yara rule similar to the following can help in identifying Linux variants of DarkSide :

rule DarkSide_Ransomware_827333_39930 : CRIMEWARE {
meta:
author = “Emanuele De Lucia”
description = “Detects possible variants of Linux DarkSide ransomware variants”
hash1 = “da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5”
strings:
$ = “vmdk,vmem,vswp,log” fullword ascii
$ = “XChaCha20” fullword ascii
$ = “Partial File Encryption Tool” fullword ascii
$ = “main.log” fullword ascii
condition:
(uint16(0) == 0x457f and all of them)
}

Also for the Linux version, communications to the outside world take place through the same domain name previously reported and a specially crafted URL for each victim. Through Sigma it’s possible to write rules aimed at detecting DNS resolution requests to domain name where actually the command and control is attested:

title: Detects resolution requests to DarkSide Command and Control domain name
status: stable
description: Detects resolution requests to DarkSide Command and Control domain name
references:
– https://www.emanueledelucia.net/fighting-the-darkside-ransomware/
author: Emanuele De Lucia
date: 2020/12/01
tags:
– attack.t1071.001
logsource:
category: dns
detection:
selection:
query:
– ‘securebestapp20.com’
condition: selection
falsepositives:
– internal research
level: high

Adversary Profile

From mid-November 2020, following the affiliation program, it’s currently more difficult to associate the exclusive use of DarkSide ransomware to a specific threat actor. However, some similarities with Revil suggest that its developer may be familiar with this solution until speculating that it may be from a former Revil affiliate who, to have more control over the operations and not to divide the profits, launched his own project, further enhanced by an independent affiliate program.

Regardless the specific actor behind the operations, DarkSide can be delivered via several vectors usually after gathering information about the target. According to my visibility, at least one threat actor who used DarkSide adopted the phishing technique (T1566) in order to deliver a first-stage payload whose exploitation finally allowed the distribution of DarkSide variants within the victim environment. Other intrusion techniques involve exploiting vulnerabilities in exposed applications (T1190) in order to get a first foothold from which to perform lateral movements.

MITRE ATT&CK

TechniqueTacticDescription
T1190AccessAdversaries may attempt to take advantage of a weakness in an Internet-facing application using software, data, or commands in order to cause unintended or unanticipated behavior.
T1566AccessAdversaries may send phishing messages to gain access to victim systems.
T1059.001ExecutionAdversaries may abuse PowerShell commands and scripts for execution.

T1059.005
ExecutionAdversaries may abuse VBS scripts in order to perform tasks on the victim’s machine.
T1548.002Privilege EscalationAdversaries bypass UAC mechanisms to elevate privileges on system.
T1218.003Defense EvasionAdversaries abuse CMSTP to proxy execution of malicious code.
T1140 Defense EvasionAdversaries uses obfuscated files or information to hide artifacts of an intrusion from analysis.
T1083DiscoveryAdversaries enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1057DiscoveryAdversaries attempt to get information about
running processes on a system.
T1071.001Command and ControlAdversaries may communicate using application layer protocols associated with web traffic.
T1486ImpactAdversaries encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
T1489ImpactAdversaries stop or disable services on a system to render those services unavailable.

Indicators of Compromise

ObservableDescriptionValue
sha256payload-deliveryda3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5
sha256payload-deliverybac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0
sha256payload-delivery17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
sha256payload-deliveryf764c49daffdacafa94aaece1d5094e0fac794639758e673440329b02c0fda39
sha256payload-deliverye0c0cbc50a9ed4d01a176497c8dba913cbbba515ea701a67ef00dcb7c8a84368
sha256payload-delivery691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5
sha256payload-delivery1667e1635736f2b2ba9727457f995a67201ddcd818496c9296713ffa18e17a43
domainnetwork-activitysecurebestapp20.com
ip-addressnetwork-activity185.105.109.19

Share:

A GuLoader health check: Q3 2020 activity of the {il}legitimate Italian malware downloader

During research and analysis activities on Q3 2020, has been possible to observe a continued activity from GuLoader while it was spreading different types of malware payloads. GuLoader is a quite well made software (or “malware”) protector and downloader. However, it’s mainly used to spread wordwide different kind of malicious artifacts.

Despite this piece of malware garnered widespread popular attention for having been related to an Italian company by a Check Point research paper, the audience of threat actors currently using it does not seem to have been affected in any way by the news.

What is GuLoader ?

GuLoader is a piece of software very well rooted in the malware business. It is a relatively new service aimed at replacing traditional packers and encryptors and has been widely adopted in the criminal underground.

It basically acts as a dropper (usually retrieving the final payload from an hardcoded URL) and therefore is part of those categories of malware that are able to deliver and spread other ones. However, the company that deals with its development and maintenance has also designed a variant capable of carrying its payload embedded in the sample itself instead of retrieving it from a URL. This is named “DarkEyE Protector“.

Anyway, one of the distinguishing features of the original GuLoader dropper is precisely that it uses URLs to download and execute further malicious components. Most of these URLs used by the malware refer to well-known cloud services like Google Drive and Microsoft OneDrive.

The typical behavioral pattern of infections attributable to GuLoader could be represented by the following graph:

Basically, an initial dropper delivered through malspam campaigns is designed to download an execute further malicious payloads.

How does it technically work ?

Long story short, I have summarized in a simplified graph the behavior of the typical GuLoader implant (please note the icon of paradise for the “Heaven’s Gate” technique :] ) as observed in the months of June and July 2020.

This software is constantly evolving, so some relationship could change from version to version but in principle it should cover a good percentage of the samples in circulation.

This graph is shown below:

How is GuLoader’s health after the media attention ?

It seems quite well! According to the visibility I have, starting from the beginning of July 2020, a total of 505 unique URLs can be linked to the threat in question. Among these we find the use of Google Drive, Microsoft OneDrive, compromised websites and infrastructures built specifically for this by threat actors.

The following graph shows a breakdown statistic in respect to the type of URLs observed in delivering final payloads starting from a GuLoader sample (note: “Others” includes compromised websites and actor controlled infrastructure):

As for the final payloads served by this dropper, below is another graph relating to the five (5) most common malware families observed (always according to the visibility I can personally dispose of):

Conclusion

This software, to date, still helps threat actors with low or no deep technical skills to evade common detection systems and carry out malicious campaigns aimed at collecting credentials, private information and in obtaining unauthorized access and control of the victim environments.

Share:

The mystery of “127.0.0.1:1” : A trick against “TheTrick”

Behind the scenes

TheTrick” is one of the community names with which we can refer to a criminal group that is responsible for the development and distribution of many malware variants, among wich “TrickBot“, “Ryuk“, “Conti“, “BazarLoader” and “BazarBackdoor“.

However, the malware vector mainly used by this adversary is certainly “TrickBot“. TrickBot is a modular piece of malware designed to allow for the inclusion of different malicious features to a starting base. This feature makes it capable of carrying out a lot of activities such as downloading and executing additional payloads, data harvesting, reconnaissance of the victim’s local network, lateral movement etc. etc.

According to visibility of my research group, however, starting from 22 September 2020 someone tried to disrupt the TrickBot botnet pushing a new configuration file to infected hosts that reported the IP address “127.0.0.1” as new command-and-control server.

127.0.0.1 is the “localhost” and obviously it’s not routable.

Beyond this, the “version” reported in this bogus file has been set to a value probably used to prevent bots from downloading a new valid configuration.

At first it was impossible to know if this configuration file was pushed voluntarily by the threat actor itself [very unlikely], by white hats attempting to disrupt the botnet, by a security vendor or by some government unit.

Until the configuration is returned to its prior state, TrickBot infected machines have been be unable to communicate with the true TrickBot command-and-control servers. However, what was well understood within my research group (while trying to understand what was happening) is that the entity that was attempting to destroy the TrickBot network had a very good knowledge about the “internals” of this threat.

Finally, on 09 October 2020The Washington Post revealed the mystery by reporting that the TrickBot disruption was the work of U.S. Cyber Command.

Botnet dismantled ?

For now it seems “No”. However, most likely this operation was not aimed at dismantling the Trickbot network permanently but instead at “…distract the adversary for at least a while as they seek to restore their operations…”. This is probably because “…the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election…”

Plausibly, operators behind TrickBot network already begun the full recovery of their network and losses. In addition, one of the potential counter-moves that the threat actor could put in place as retaliation for what happened could be an increase in money demands during ransomware-based operations.

In general, the threat landscape associated with this threat actor appears currently very lively. For example I recently came across a variant of Ryuk ransomware (associated with that group’s criminal ecosystem) compiled on September 11, 2020, suggesting a return of this after its development seemed to have been abandoned with the advent of “Conti“.

Very recently, moreover, another malware associated with the same criminal ecosystem, called BazarLoader, has been spread with practical no detection rates. Again I came across and reported on Twitter a variant of them with a detection rate of just 1/69 replying to a @James_inthe_box tweet. (https://twitter.com/James_inthe_box/status/1313523102312087553)

All of this to confirm that the group still seems very active and determined in their operations.

UPDATE: 12/10/2020

Microsoft, with the help of several ISPs around the world, took the TrickBot network down. Participants to operation obtained a court order to take down the TrickBot command and control servers thus avoiding poisoning the control and management mechanisms of agents.

 

Share: