The DarkSide ransomware group was in the news a few days ago for a ransomware attack against Colonial Pipeline.

Who is DarkSide Ransomware Group?

The FBI states that the attack on Colonial Pipeline has been attributed to DarkSide ransomware, a relatively new ransomware family that emerged on the crimeware market at the beginning of November 2020.

DarkSide is a Ransomware-as-a-Service with the stated goal of targeting ‘large corporations.’ They are primarily focused on recruiting Russian affiliates, and are very strict on partnerships or interactions outside of that region.

DarkSide affiliate recruitment post on DarkNet.

They also have a Linux variant with interesting features. Following in the footsteps of successful ransomware families like Maze and Cl0p, the DarkSide group established a victim data leak page as further leverage to encourage ransom payouts.

Well-Organized Affiliate Network

The DarkSide ransomware gang keeps improving its services while also expanding its affiliate network. At the beginning of November 2020, the gang launched a more advanced Content Delivery Network (CDN) that allowed its operators to efficiently store and distribute stolen victim data. Many of their important targets found themselves listed on the victim leak page, including a number of financial, accounting, and legal firms, as well as big technology companies.

The majority of the campaigns observed were initiated only after the enterprise had been thoroughly infected with Cobalt Strike beacons. After the reconnaissance phase, the operators deployed the ransomware wherever it would cause the greatest disruption.

DarkSide announces improved CDN (From Exploit.in Russian Hacking Forum)

Targets of DarkSide

Victim organizations of DarkSide were mostly based in the United States and spanned multiple sectors, including financial services, manufacturing, professional services, retail, and technology. The number of publicly named victims on the DARKSIDE leak page has increased overall since August, with the exception of a significant dip in the number of victims named during January. It is plausible that the decline in January 2020 was due to DARKSIDE taking a break during the holiday season. The overall growth in the number of victims demonstrates the increasing use of the DARKSIDE ransomware by multiple affiliates.

DARKSIDE attackers exploit public-facing applications, meaning vulnerable internet-exposed services (SMB, SSH, SQL, RDP servers). If an application is hosted on cloud-based infrastructure and/or is containerized, exploiting it may lead to compromise of the instance or container. This can give an attacker an easy path to the cloud or container APIs, to the container host via escape to host, or to weak identity and access management policies. One example used for initial access is CVE-2021-20016 (SonicWall SMA100 SSL VPN product).

List of Victims and Sectors: 

Anatomy of an Attack

DarkSide ransomware attacks mostly stood out for their use of stealthy techniques. The DarkSide group performed reconnaissance to exploit public-facing applications and took additional steps to ensure that their attack tools and techniques evaded detection on monitored devices and EDR solutions.

In the initial stage, the attackers used Cobalt Strike beacons as the command-and-control mechanism, along with Tor Browser executables stored on network shares for distribution.

Stealth attack tactics include:

  • C2 over TOR
  • Avoiding where EDR is running
  • Waiting periods & saving noisier actions for later stages of attack
  • Customized code and connection hosts for each victim
  • Obfuscation techniques like encoding and dynamic-link library (DLL) loading
  • Anti-forensics techniques like deleting Sysmon log files

During the later stages of their attack, they:

  • Exfiltrate credentials stored in files, in LSASS, and on domain controllers (DC)
  • Use file shares to distribute attack tools and store them inside file archives
  • Gain more permissions on the file shares for exfiltration
  • Delete data backups, including shadow copies on the machine
  • Deploy Ransomware (last stage)

Ransom Note of DarkSide

The ransom note is encrypted and stored inside the aPLib-compressed configuration. A GUID is generated and appended to the end of each ransom note file name.

Technical Analysis

Static Code Analysis for DarkSide Ransomware

Generate KEY_BUFFER

During execution, DarkSide generates a 256-byte buffer. This buffer is significant because it is used to resolve API calls and to decrypt encrypted strings and buffers in memory.

We call this buffer KEY_BUFFER. It is generated from two hard-coded 16-byte keys in memory.

16-byte keys used to generate KEY_BUFFER

Function to generate KEY_BUFFER.

Dynamic API Resolve

DarkSide needs to execute quickly in memory and encrypt all data on the victim computer, so the attackers use Windows system calls to achieve this. Applications in user mode cannot access kernel-mode memory sections. Because of Kernel Patch Protection, AV or EDR systems can only monitor application behaviour in user mode, and the last layer in user mode is the set of Windows API functions in NTDLL.dll. When a function from NTDLL.dll is called, the CPU switches to kernel mode, which AV and EDR vendors can no longer monitor. The individual functions of NTDLL.dll are known as syscalls.

For example, WriteProcessMemory from kernel32.dll resolves to NtProtectVirtualMemory -> NtWriteVirtualMemory -> NtProtectVirtualMemory in NTDLL.dll. The first syscall, NtProtectVirtualMemory, sets new permissions on the target memory region and makes it writable; the second, NtWriteVirtualMemory, actually writes the bytes; and the third call restores the old permissions.

Inside the decrypted library table, each entry is the encrypted version of a string, which can be either a DLL name or an API name. The table is laid out so that the entry holding a DLL name comes first and the entries holding API names exported from that DLL follow it. If we decrypt the entire table and strip the bytes representing each entry's size, we get the image below. You can find my IDAPython implementation to automatically generate it here.
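As an added illustration (not the author's IDAPython script), the following Python walks a decrypted table in the layout just described and groups the API names under the DLL entry that precedes them; the 4-byte little-endian size prefix, the zero-size terminator and the plain-ASCII sample strings are assumptions, since the real table holds encrypted strings that must first be decrypted with KEY_BUFFER.

```python
import struct

# Constructed sample in the layout the analysis describes: each entry is a size
# prefix followed by the string bytes, with a DLL name entry first and the API
# names exported from that DLL after it. The 4-byte little-endian size prefix,
# the zero-size terminator and the plain-ASCII strings are assumptions.
SAMPLE_TABLE_LAYOUT = [
    ("kernel32.dll", ["CreateProcessW", "GetComputerNameW", "GetUserDefaultLangID"]),
    ("netapi32.dll", ["NetShareEnum"]),
    ("wininet.dll", ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW"]),
    ("ole32.dll", ["CoGetObject"]),
]

def build_table(layout):
    """Serialise a layout into the flat size-prefixed table (constructed format)."""
    out = bytearray()
    for dll, apis in layout:
        for name in [dll] + apis:
            data = name.encode("ascii")
            out += struct.pack("<I", len(data)) + data
    out += struct.pack("<I", 0)  # zero-size entry marks the end of the table
    return bytes(out)

def parse_library_table(blob):
    """Walk the decrypted table and group every API name under the DLL before it."""
    table = {}
    current = None
    pos = 0
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if size == 0:
            break
        if pos + size > len(blob):
            raise ValueError("truncated entry at offset %d" % (pos - 4))
        name = blob[pos:pos + size].decode("ascii")
        pos += size
        if name.lower().endswith(".dll"):
            current = name
            table.setdefault(current, [])
        elif current is None:
            raise ValueError("API name %r appears before any DLL name" % name)
        else:
            table[current].append(name)
    return table

# Behaviours this write-up ties to particular imports, for quick triage of a table.
BEHAVIOUR_HINTS = {
    "NetShareEnum": "SMB share enumeration before UNC path encryption",
    "InternetConnectW": "C2 connection on port 443",
    "CoGetObject": "ICMLuaUtil UAC bypass",
    "CreateProcessW": "runs the decrypted shadow copy deletion command",
}

def annotate(table):
    """Return {api: behaviour} for each parsed API that has a known hint."""
    return {api: BEHAVIOUR_HINTS[api]
            for apis in table.values() for api in apis if api in BEHAVIOUR_HINTS}

if __name__ == "__main__":
    parsed = parse_library_table(build_table(SAMPLE_TABLE_LAYOUT))
    print(parsed, annotate(parsed), sep="\n")
```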

Configuration Resolve

The encrypted configuration is stored in memory and ends with the DWORD 0xDEADBEEF. Because calling decrypt_large_buffer() requires knowing the size of the encrypted buffer, this terminating DWORD is used to find the configuration size iteratively.

The decrypted configuration has this specific layout.

  • Offset 0x0 – 0x7F: RSA-1024
  • Offset 0x80 – 0x103: RSA-1024
  • aPLib-compressed configuration.

It is quite simple to spot that Darkside decompresses using the aPLib algorithm.

aPLib implementations are widely available on GitHub; I grabbed a Python one to decompress and parse the configuration into a JSON file. You can get my script to generate this JSON file here.

Below is the full configuration of this DarkSide sample in JSON format; the full file is available here.

Privilege Escalation Techniques of DarkSide’s Ransomware

If the user is not an admin, it checks the user's token information to verify whether the token's SID has SECURITY_BUILTIN_DOMAIN_RID as its first sub-authority value and DOMAIN_ALIAS_RID_ADMINS as its second.

Ransomware Function to check token’s privileges

DarkSide ransomware performs a UAC bypass to relaunch itself with higher privileges. This is an old bypass trick that uses the ICMLuaUtil COM interface. Microsoft has good documentation for this here.

The bypass is only performed if UAC_ELEVATION_FLAG in the configuration is set to 1 (true).

This function executes CoGetObject with the object name being Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.

When checking with the Registry Editor, we can observe that this CLSID belongs to cmstplua.dll in system32, and CoGetObject will retrieve an ICMLuaUtil interface running with administrator privileges.

DarkSide ransomware then calls the interface's ShellExec function to execute the malware again with admin privileges.

Single File/Folder and Full Encryption of DarkSide’s Ransomware

DarkSide's function to encrypt a single file or folder is only used when command-line parameters are given; it is most likely intended for testing only.

First, it checks whether CHECK_RUSSIAN_COMP_FLAG is set to True in the configuration. If it is, it checks whether the victim computer's language is Russian by parsing the outputs of GetUserDefaultLangID and GetSystemDefaultUILanguage.

If the computer language is set to Russian, it exits immediately.

I. Encrypt UNC Server Path

It checks whether the file path points to a UNC server by calling PathIsUNCServerW. If it does, the UNC encryption function is called to encrypt data on the UNC server. In this function, DarkSide enumerates all SMB shares using NetShareEnum, builds a valid UNC network path for each, and calls the main_encryption function to encrypt all of them.

II. Encrypt Normal Path

If a path does not lead to a UNC server, DarkSide builds the valid path accordingly by checking whether the path is a network path, a path to a mounted network drive, or just a normal path on the system.

Connecting To C2 & Sending Victim Information

If CONFIG_C2_URL_FLAG is set to True and a C2 URL is provided in the configuration, it sends the victim's operating system information to the C2 server.

The function that collects the victim's operating system information uses APIs such as GetUserNameW, GetComputerNameW, and MachinePreferredUILanguage.

After collecting everything, it writes the data into a string in the following JSON form.

DarkSide ransomware uses the InternetOpenW and InternetConnectW APIs to open an internet handle with the user agent Firefox/80.0 and connect to the C2 server on port 443.

Once the connection is established, it sends POST requests to the C2 using HttpOpenRequestW, decrypts the HTTP header, sets internet options using InternetSetOptionW, and sends the packets with the generated content buffer. Finally, DarkSide calls HttpQueryInfoW to query the status code and check whether the packet was sent successfully.

Ransomware build configuration options appearing in the administration panel (the malware hash changes every time the attacker clicks the build button)

Deletion Techniques for Shadow Copies of DarkSide

If DELETE_SHADOW_COPIES_FLAG in the configuration is set to True, DarkSide tries to delete all shadow copies on the system. There are two different functions to accomplish this task, chosen by the machine's system architecture.

If the machine runs a 64-bit Windows OS, it decrypts a CMD command and executes it using CreateProcessW.

Executing a PowerShell script to delete all shadow copies

Below is the decrypted CMD command.

This command loops 61 times, extracts 2 characters at a time, converts them into a byte, and converts that byte into an ASCII character.

Decoding this string produces the following PowerShell command, which gets each Win32_Shadowcopy object and then deletes it.
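To show how the decoding step above can be reproduced for triage, here is an added Python example (not from the original analysis) that replays the two-characters-to-one-byte loop over a constructed hex string and flags a decoded script that enumerates Win32_Shadowcopy objects and calls Delete(); the surrounding PowerShell wrapper syntax and the log line format are assumptions.

```python
import re

# Constructed sample of the hex string inside the decrypted CMD command the
# article describes: 61 bytes, each written as two hex characters.
SAMPLE_HEX = ("4765742D576D694F626A65637420"
              "57696E33325F536861646F77636F707920"
              "7C20"
              "466F72456163682D4F626A65637420"
              "7B245F2E44656C65746528297D")

def decode_hex_pairs(encoded):
    """Replay the decoding loop: 2 characters -> one byte -> one ASCII character."""
    text = encoded.strip()
    if len(text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError("expected an even-length hex string")
    chars = []
    for i in range(len(text) // 2):          # 61 iterations for the sample
        byte = int(text[2 * i:2 * i + 2], 16)
        chars.append(chr(byte))
    return "".join(chars)

# Both markers must be present: the WMI shadow copy class and a Delete() call.
SHADOW_COPY_MARKERS = (re.compile(r"Win32_Shadowcopy", re.I),
                       re.compile(r"\.Delete\s*\(", re.I))

def is_shadow_copy_deletion(script):
    """True when a (decoded) PowerShell snippet enumerates and deletes shadow copies."""
    return all(marker.search(script) for marker in SHADOW_COPY_MARKERS)

HEX_RUN = re.compile(r"[0-9A-Fa-f]{20,}")

def scan_command_lines(lines):
    """Return (line_no, script) for each command line whose plain or hex-decoded
    content deletes shadow copies. Hex runs of odd length cannot be pairs; skip them."""
    findings = []
    for number, line in enumerate(lines, 1):
        candidates = [line]
        for run in HEX_RUN.findall(line):
            if len(run) % 2 == 0:
                candidates.append(decode_hex_pairs(run))
        for text in candidates:
            if is_shadow_copy_deletion(text):
                findings.append((number, text))
                break
    return findings

# Constructed process-creation log lines (assumed format); the real wrapper loop
# around the hex string is only shown as an image in the article, so it is elided.
SAMPLE_LOG = [
    "4688 New Process: cmd.exe /c whoami",
    "4688 New Process: powershell.exe -c \"<decoder loop over '" + SAMPLE_HEX + "'>\"",
    "4688 New Process: svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for number, script in scan_command_lines(SAMPLE_LOG):
        print("line %d: shadow copy deletion -> %s" % (number, script))
```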

Sending C2 Server Encryption Stats

After encryption finishes, if CONFIG_C2_URL_FLAG is set to True in the configuration (the default), DarkSide tries to send the C2 server the final encryption statistics.

It decrypts the format string for this packet and writes the victim ID, UID, encrypted file count as an INT, encrypted size, skipped file count, and elapsed time into it.

RSA-1024 Encryption

DarkSide's custom RSA-1024 implementation is used to encrypt the Salsa20 matrix, which is stored before the end of each encrypted file.

The RSA-1024 public key is embedded in DarkSide's encrypted configuration, divided into two data blobs.

After Initial Access

From our investigation into DarkSide ransomware samples, we see that phishing attacks, remote desktop protocol (RDP), and exploitation of known vulnerabilities were the tactics used to gain initial access to the victim machine. Attackers also use publicly available hacking tools during the attack to remain undetected and obfuscate their activity.

During the reconnaissance and initial entry phases, we saw these tools used for various purposes:

  • PowerShell – reconnaissance, persistence
  • Metasploit Framework – for reconnaissance
  • Mimikatz – for OS Credential Dumping
  • Bloodhound – Reconnaissance for Lateral Movement
  • CobaltStrike – Initial Access and Lateral Movement via SMB

After gaining initial access, the DarkSide gang moves laterally in victim environments almost exclusively via RDP with legitimate user credentials, Windows Remote Management, and Cobalt Strike BEACON payloads. This threat cluster uses both HTTPS and SMB BEACON payloads.

DarkSide has used the following directories, placing copies of backdoors, ransomware binaries, PsExec, and lists of victim hosts in them.

  • C:\run\
  • C:\home\
  • C:\tara\
  • C:\Users\[username]\Music\
  • C:\Users\Public

The threat actor leveraged TeamViewer (TeamViewer_Setup.exe) to establish persistence within the victim environment. Available evidence suggests that the attacker downloaded the TeamViewer binary directly from dl.teamviewer[.]com/download/version_15x/TeamViewer_Setup.exe and also browsed for locations from which they could download the AnyDesk utility.

DarkSide attackers used the rclone tool (downloads.rclone[.]org/v1.54.0/rclone-v1.54.0-windows-amd64.zip) to exfiltrate hundreds of gigabytes of data over the SMB protocol to a cloud-based hosting and storage service.

After successfully gaining initial access to a victim machine in the environment, the attacker begins to move laterally, with the main goal of taking over the Domain Controller (DC).

Using reg.exe to steal credentials stored inside the SAM hive on the DC

For credential harvesting, the attacker mined credentials from user profile folders, including:

  • Users\<username>\Appdata\[Roaming\Local]\Microsoft [Credentials\Vault]
  • Users\<username>\Appdata\Roaming\Mozilla\Firefox\Profiles
  • Users\<username>\Appdata\Local\Google\Chrome

The DarkSide attackers used Invoke-mimikatXz.ps1 to extract credentials from LSASS and stored them in a file called “dump.txt.” This operation was performed on a high-value target with minimal detection capabilities.

MITRE ATT&CK Techniques used by DarkSide Hackers

Reconnaissance

  • T1590 (Gather Victim Network Information)

Initial Access

  • T1078(Valid Accounts)
  • T1566(Phishing)
  • T1190(Exploit Public-Facing Application)

Execution

  • T1059.004(Command and Scripting Interpreter: Unix Shell)
  • T1059.001(Command and Scripting Interpreter: PowerShell)
  • T1569(System Services)

Persistence

  • T1078 (Valid Accounts)
  • T1053 (Scheduled Task/Job)
  • T1098 (Account Manipulation)

Privilege Escalation

  • T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control)
  • T1036 (Masquerading)
  • T1140 (Deobfuscate / Decode Files or Information)

Defense Evasion

  • T1222.002 (File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification)
  • T1214 (Credentials in Registry)
  • T1083 (File and Directory Discovery)
  • T1055 (Process Injection: Dynamic-link Library Injection)
  • T1500 (Compile After Delivery )
  • T1562.001 (Impair Defenses: Disable or Modify Tools)

Credential Access

  • T1555 (Credentials from Password Stores)
  • T1082 (System Information Discovery)
  • T1071 (Standard Application Layer Protocol)
  • T1057 (Process Discovery)
  • T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)

Discovery

  • T1087 (Account Discovery)
  • T1105 (Remote File Copy)
  • T1490 (Inhibit System Recovery)
  • T1105 (Ingress Tool Transfer)
  • T1087.002 (Account Discovery: Domain Account)
  • T1482 (Domain Trust Discovery)
  • T1069.002 (Permission Groups Discovery: Domain Groups)
  • T1018 (Remote System Discovery)
  • T1016 (System Network Configuration Discovery)

Lateral Movement

  • T1080 (Taint Shared Content)
  • T1486 (Data Encrypted for Impact)

Collection

  • T1113 (Screen Capture)

Command and Control

  • T1043 (Commonly Used Port)

Exfiltration

  • T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
  • T1048 (Exfiltration Over Alternative Protocol)

Impact

  • T1489 (Service Stop)

Mitigations against DarkSide Ransomware Group

  • Require multi-factor authentication for remote access to OT and IT networks.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spear phishing emails.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
  • Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
  • Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
  • Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement unauthorized execution prevention by
    • Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
    • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  • Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
  • Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.

IOC

According to our research, the IOC information for the DarkSide ransomware group is given below.

DarkSide Ransomware SHA-256 hashes:

Bonus

One of the seven CDN servers of the DarkSide ransomware gang is still alive. (DarkSide stores its leaked data there.)

The source code of the CDN server that the DarkSide ransomware gang created on the dark web contains comments in Russian.

Based on this analysis and research, we expect that the DarkSide ransomware group will not stop. To stay safe, consider professional Cyber Threat Intelligence services…