The FBI has attributed the attack on the Colonial Pipeline to DarkSide ransomware, a relatively new ransomware family that first appeared on the crimeware market in August 2020.
DarkSide is operated as Ransomware-as-a-Service (RaaS) with the stated goal of targeting ‘large corporations.’ The operators recruit primarily Russian-speaking affiliates and are very strict about partnerships or interactions outside that region.
DarkSide affiliate recruitment post on DarkNet.
A Linux variant with its own set of features also exists. Following in the footsteps of successful ransomware families such as Maze and Cl0p, the DarkSide group runs a victim data-leak page as additional leverage to pressure victims into paying the ransom.
Well-Organized Affiliate Network
The DarkSide gang keeps improving its services while expanding its affiliate network. At the beginning of November 2020 it launched a more advanced content delivery network (CDN) that lets its operators store and distribute stolen victim data efficiently. Many high-profile targets have appeared on the leak page, including financial, accounting and legal firms as well as large technology companies.
Most observed campaigns deployed the ransomware only after the enterprise had been thoroughly compromised through Cobalt Strike Beacon infections. After the reconnaissance phase, the operators detonate the ransomware wherever it causes the greatest disruption.
DarkSide announces its improved CDN (post on the Russian-language hacking forum Exploit.in)
Targets of DarkSide
DarkSide's victims have mostly been based in the United States and span multiple sectors, including financial services, manufacturing, professional services, retail and technology. The number of publicly named victims on the DarkSide leak page has grown overall since August 2020, apart from a significant dip in the number of victims named in January 2021. It is plausible that the January decline was the result of DarkSide taking a break over the holiday season. The overall growth in the number of victims shows that the ransomware is being deployed by an increasing number of affiliates.
For initial access, DarkSide affiliates exploit public-facing applications (MITRE ATT&CK T1190), that is, vulnerable internet-exposed services such as SMB, SSH, SQL and RDP servers. When the application is hosted on cloud infrastructure or runs in a container, exploiting it may compromise the instance or container itself, giving the attacker an easy path to the cloud or container APIs, to the container host via an escape, or to weak identity and access management policies. One concrete example used for initial access is CVE-2021-20016, a vulnerability in SonicWall's SMA100 SSL VPN product.
List of Victims and Sectors:
Anatomy of an Attack
DarkSide ransomware attacks stood out for their use of stealthy techniques. The group performed reconnaissance to find exploitable public-facing applications and took additional steps to ensure that their tools and techniques evaded detection on monitored devices and EDR solutions.
In the initial stage the attackers used Cobalt Strike Beacon as their command-and-control mechanism, and stored Tor Browser executables on network shares in order to spread them across the environment.
Stealth attack tactics include:
C2 over Tor
Avoiding hosts where EDR is running
Waiting periods, and saving noisier actions for later stages of the attack
Customized code and connection hosts for each victim
Obfuscation techniques such as string encoding and dynamic DLL loading
Anti-forensics techniques such as clearing Sysmon event logs
During the later stages of their attack, they:
Harvest credentials stored in files, in LSASS memory, and on domain controllers (DCs)
Utilize file shares to distribute attack tools and store them inside file archives
Gain more permissions on the file shares for exfiltration
Delete data backups, including shadow copies on the machine
Deploy Ransomware (last stage)
Ransom Note of DarkSide
The ransom note is stored encrypted inside the aPLib-compressed configuration. A GUID-derived victim ID is generated and appended to the file name of each ransom note.
Technical Analysis
Static Code Analysis for DarkSide Ransomware
Generate KEY_BUFFER
During execution, DarkSide generates a 256-byte buffer. This buffer is significant because it is used both to resolve API calls and to decrypt the encrypted strings and buffers held in memory.
We will call this buffer KEY_BUFFER. It is derived from two hard-coded 16-byte keys embedded in the binary.
16-byte keys used to generate KEY_BUFFER
Function to generate KEY_BUFFER.
Dynamic API Resolve
DarkSide resolves the Windows APIs it uses at run time rather than importing them, so the import table reveals little about the malware's behaviour and the calls it makes can be driven as close to the kernel boundary as possible. The relevant point about visibility is this: user-mode code cannot touch kernel memory, and because Kernel Patch Protection (PatchGuard) prevents AV/EDR drivers from hooking the kernel's system call table, most behavioural monitoring of API calls is done with user-mode hooks placed in ntdll.dll (supplemented by the kernel callbacks and ETW providers that Windows does offer). The last user-mode stop for a Windows API call is an Nt*/Zw* stub exported by ntdll.dll; that stub executes the syscall instruction and the CPU switches to kernel mode, where a user-mode hook can no longer observe anything. These ntdll stubs are what this write-up refers to as syscalls.
For example, WriteProcessMemory from kernel32.dll can end up as three ntdll.dll calls: NtProtectVirtualMemory -> NtWriteVirtualMemory -> NtProtectVirtualMemory. The first call changes the protection of the target pages in the remote process so that they are writable, the second actually writes the bytes, and the third restores the original protection.
In the decrypted library table, each entry is a size-prefixed encrypted string that is either a DLL name or an API name. The table is laid out so that the entry holding a DLL name comes first and the entries for the API names exported from that DLL follow it. Decrypting the entire table and stripping the bytes that hold each entry's size yields the image below. My IDAPython implementation to generate it automatically can be found here.
Configuration Resolve
The encrypted configuration is embedded in the binary and terminated by the DWORD 0xDEADBEEF. Because decrypt_large_buffer() must be told the size of the buffer it decrypts, this terminator is needed to iteratively determine the configuration's length.
The decrypted configuration has the following layout.
Offset 0x0 – 0x7F: RSA-1024 public key, first blob
Offset 0x80 – 0x103: RSA-1024 public key, second blob
Remaining bytes: aPLib-compressed configuration.
It is easy to spot that DarkSide decompresses this data with the aPLib algorithm.
aPLib implementations are widely available on GitHub; I grabbed a Python one to decompress the data and parse the configuration into a JSON file. My script to generate this JSON file can be found here.
Below is the full configuration of this sample in JSON format; see here for the full format description.
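As an added example (this is not DarkSide's code or the analyst's script), the following Python walks the layout just described: it locates the 0xDEADBEEF terminator to size the embedded configuration, splits an already-decrypted configuration into the two RSA blobs and the compressed tail according to the offsets listed above, and inflates the tail with a from-scratch depacker for aPLib's documented stream format. It assumes the terminator is stored little-endian and that the offsets above are exact; the input blob is constructed here and stands in for what decrypt_large_buffer() would return, whose key schedule is not reproduced.

```python
import struct

# Layout as listed above; treated as assumptions of this example.
CONFIG_TERMINATOR = 0xDEADBEEF
RSA_BLOB1 = slice(0x00, 0x80)
RSA_BLOB2 = slice(0x80, 0x104)
COMPRESSED_START = 0x104


def find_config_end(buf: bytes, start: int = 0) -> int:
    """Return the length of the configuration beginning at `start`, i.e. the
    distance to the little-endian 0xDEADBEEF terminator that follows it."""
    end = buf.find(struct.pack("<I", CONFIG_TERMINATOR), start)
    if end < 0:
        raise ValueError("configuration terminator not found")
    return end - start


class _BitReader:
    """aPLib tag-byte reader: tag bytes are interleaved with raw bytes and
    fetched lazily, exactly when the next control bit is needed."""

    def __init__(self, data: bytes, pos: int):
        self.data, self.pos, self.tag, self.bitcount = data, pos, 0, 0

    def getbit(self) -> int:
        if self.bitcount == 0:
            self.tag = self.data[self.pos]
            self.pos += 1
            self.bitcount = 8
        self.bitcount -= 1
        bit = (self.tag >> 7) & 1
        self.tag = (self.tag << 1) & 0xFF
        return bit

    def getgamma(self) -> int:
        # Gamma code used for offsets and lengths: value bits interleaved with
        # continuation bits; the result is always >= 2.
        result = 1
        while True:
            result = (result << 1) + self.getbit()
            if not self.getbit():
                return result

    def getbyte(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b


def aplib_decompress(src: bytes) -> bytes:
    """Depack a raw aPLib stream (no 'AP32' header), following the reference depack logic."""
    out = bytearray([src[0]])           # the first byte is always a literal
    rd = _BitReader(src, 1)
    lwm = 0                             # 1 if the previous token was a match
    r0 = -1                             # most recent match offset
    while True:
        if not rd.getbit():             # 0   -> literal byte
            out.append(rd.getbyte())
            lwm = 0
        elif not rd.getbit():           # 10  -> long match
            offs = rd.getgamma()
            if lwm == 0 and offs == 2:  # reuse the previous offset
                offs = r0
                length = rd.getgamma()
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + rd.getbyte()
                length = rd.getgamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                r0 = offs
            for _ in range(length):
                out.append(out[-offs])
            lwm = 1
        elif not rd.getbit():           # 110 -> short match, or end of stream
            b = rd.getbyte()
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:
                break                   # offset 0 terminates the stream
            for _ in range(length):
                out.append(out[-offs])
            r0, lwm = offs, 1
        else:                           # 111 -> one byte copied from a 4-bit offset
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + rd.getbit()
            out.append(out[-offs] if offs else 0)
            lwm = 0
    return bytes(out)


def parse_config(decrypted: bytes) -> dict:
    """Split an already-decrypted configuration into its documented parts."""
    if len(decrypted) <= COMPRESSED_START:
        raise ValueError("blob shorter than the documented layout")
    return {
        "rsa_blob1": decrypted[RSA_BLOB1],
        "rsa_blob2": decrypted[RSA_BLOB2],
        "settings": aplib_decompress(decrypted[COMPRESSED_START:]),
    }


def build_sample_blob() -> bytes:
    """Constructed stand-in for the embedded (decrypted) config, its terminator
    and unrelated trailing data: two placeholder RSA blobs plus a hand-assembled
    five-byte aPLib stream that inflates to eight 'A' bytes."""
    rsa1 = bytes(range(0x80))
    rsa2 = b"\x42" * (COMPRESSED_START - 0x80)
    compressed = bytes.fromhex("41a601c000")
    return rsa1 + rsa2 + compressed + struct.pack("<I", CONFIG_TERMINATOR) + b"\xcc" * 16


if __name__ == "__main__":
    blob = build_sample_blob()
    cfg = parse_config(blob[:find_config_end(blob)])
    print(cfg["settings"])              # b'AAAAAAAA'
```

Against a real sample the same two steps apply once the KEY_BUFFER decryption has been reproduced: scan for the terminator to know how many bytes to decrypt, then split and depack. The hand-assembled streams exercise the literal, long-match, 4-bit-offset and end-of-stream paths, which is enough to catch the common off-by-one mistakes in a depacker port.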
Privilege Escalation Techniques of DarkSide’s Ransomware
If the user is not an administrator, it inspects the group SIDs in the user's token, looking for a SID whose first sub-authority is SECURITY_BUILTIN_DOMAIN_RID (32) and whose second is DOMAIN_ALIAS_RID_ADMINS (544), i.e. the BUILTIN\Administrators SID S-1-5-32-544.
Ransomware Function to check token’s privileges
DarkSide then performs a UAC bypass to relaunch itself with higher privileges, using the old trick of abusing the auto-elevating ICMLuaUtil COM interface. Microsoft documents the underlying elevation moniker here.
The bypass is only attempted if UAC_ELEVATION_FLAG in the configuration is set.
The function calls CoGetObject with the object name Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
Looking this CLSID up in the Registry Editor shows that it belongs to cmstplua.dll in System32; CoGetObject returns an ICMLuaUtil interface running with administrator privileges.
DarkSide then calls the interface's ShellExec method to execute the malware again with administrator privileges.
Single File/Folder and Full Encryption of DarkSide’s Ransomware
The DarkSide function that encrypts a single file or folder is only used when command-line parameters are supplied; it is most likely intended for testing.
First, it checks whether CHECK_RUSSIAN_COMP_FLAG is set in the configuration. If so, it checks whether the victim computer's language is Russian by examining the results of GetUserDefaultLangID and GetSystemDefaultUILanguage.
If the computer's language is Russian, it exits immediately.
I. Encrypt UNC Server Path
It checks whether the path points to a UNC server by calling PathIsUNCServerW. If it does, the UNC encryption function is called: DarkSide enumerates all shares on that server with NetShareEnum, builds a valid UNC network path for each share, and calls the main encryption function on each of them.
II. Encrypt Normal Path
If the path does not lead to a UNC server, DarkSide builds a valid path by checking whether it is a network path, a path to a mounted network drive, or an ordinary local path.
Connecting To C2 & Sending Victim Information
If CONFIG_C2_URL_FLAG is set and a C2 URL is present in the configuration, the malware sends the victim's operating system information to the C2 server.
The function to extract the user’s Operating System information uses functions such as GetUserNameW, GetComputerNameW, MachinePreferredUILanguage to find this information.
After collecting everything, it formats the data as a JSON string of the form shown below.
DarkSide uses the InternetOpenW and InternetConnectW APIs to open an internet handle with the user agent Firefox/80.0 and connect to the C2 server on port 443.
Once connected, it issues POST requests to the C2 with HttpOpenRequestW, decrypts the HTTP header, sets internet options with InternetSetOptionW, and sends the generated content buffer. Finally, it calls HttpQueryInfoW to query the status code and confirm that the packet was sent successfully.
Ransomware build options in the affiliate administration panel (the malware hash changes every time the attacker clicks the build button)
Deletion Techniques for Shadow Copies of DarkSide
If DELETE_SHADOW_COPIES_FLAG in the configuration is set, DarkSide tries to delete all volume shadow copies on the system. Two different functions accomplish this, selected by the machine's architecture.
On 64-bit Windows, it decrypts a CMD command and executes it with CreateProcessW.
Executing a Powershell script to delete all shadow copies
Below is the decrypted CMD command.
The command iterates 62 times (indexes 0 through 61), extracting two characters of a hex string at a time, converting each pair to a byte, and appending that byte as an ASCII character.
Decoding the string yields the PowerShell command below, which retrieves each Win32_ShadowCopy object via WMI and deletes it.
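As an added example (not the page's or the malware author's code), the following Python undoes the hex-substring loop described above and labels what the recovered command does, which is the triage step a responder wants when such a command line shows up in process telemetry. It assumes the launcher has the common shape (0..N)|%{$s+=[char][byte]('0x'+'<HEX>'.Substring(2*$_,2))};iex $s, matching the description above; the sample command line is constructed by hex-encoding a WMI shadow-copy deletion one-liner and is not copied from a sample.

```python
import re

# Assumed shape of the encoded launcher (see lead-in): a (0..N) loop taking two
# hex characters per iteration, each converted to a byte and then to a char.
_HEX_LOOP_RE = re.compile(
    r"\(0\.\.(\d+)\)\s*\|\s*%\s*\{.*?'0x'\s*\+\s*'([0-9A-Fa-f]+)'"
    r"\.Substring\(\s*2\s*\*\s*\$_\s*,\s*2\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# Decoded content that points at inhibiting recovery. Win32_ShadowCopy is the
# case on this page; vssadmin and wmic are the other common ways to delete shadow copies.
_RECOVERY_MARKERS = {
    "win32_shadowcopy": "shadow copy deletion via WMI",
    "vssadmin": "shadow copy deletion via vssadmin",
    "wmic shadowcopy": "shadow copy deletion via wmic",
}


def decode_hex_loop(command_line: str):
    """Return (iterations, decoded_text) for the hex-substring loop, or None
    when the command line does not carry one."""
    m = _HEX_LOOP_RE.search(command_line)
    if not m:
        return None
    iterations = int(m.group(1)) + 1           # (0..N) runs N+1 times
    hexstr = m.group(2)[: 2 * iterations]      # Substring(2*$_, 2) never reads past 2*(N+1) chars
    if len(hexstr) % 2:                        # tolerate a truncated capture
        hexstr = hexstr[:-1]
    decoded = bytes.fromhex(hexstr).decode("latin-1")
    return iterations, decoded


def analyze_command_line(command_line: str):
    """Decode the loop and label what the recovered command does."""
    res = decode_hex_loop(command_line)
    if res is None:
        return None
    iterations, decoded = res
    lowered = decoded.lower()
    flags = [label for marker, label in _RECOVERY_MARKERS.items() if marker in lowered]
    return {"iterations": iterations, "decoded": decoded, "flags": flags}


def build_sample_command_line() -> str:
    """Constructed sample: hex-encode a WMI shadow-copy deletion one-liner the
    way the launcher above would carry it. Not copied from a real sample."""
    payload = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    hexstr = payload.encode("ascii").hex().upper()
    n = len(payload) - 1                       # loop bound is the last index
    return ("powershell -ep bypass -c \"(0..%d)|%%{$s+=[char][byte]('0x'+'%s'"
            ".Substring(2*$_,2))};iex $s\"" % (n, hexstr))


if __name__ == "__main__":
    result = analyze_command_line(build_sample_command_line())
    print(result["iterations"], result["decoded"], result["flags"])
```

Because the loop bound is an index, a 62-character payload is carried by (0..61); decoding exactly N+1 pairs mirrors what PowerShell would execute and avoids being misled by padding appended after the real payload.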
Sending C2 Server Encryption Stats
After encryption finishes, and if CONFIG_C2_URL_FLAG is set in the configuration, DarkSide tries to send the C2 server the final encryption statistics.
It decrypts the format string for this packet and writes the victim ID, UID, encrypted file count (as an integer), encrypted data size, skipped file count and elapsed time into it.
RSA-1024 Encryption
DarkSide's custom RSA-1024 implementation is used to encrypt the Salsa20 key matrix, which is then stored at the end of each encrypted file.
The RSA-1024 public key is embedded in the encrypted configuration, split into two data blobs.
After Initial Access
From our investigation of DarkSide ransomware samples, the tactics used to gain initial access to victim machines were phishing, remote desktop protocol (RDP) access, and exploitation of known vulnerabilities. The attackers also use publicly available hacking tools during the intrusion to remain undetected and obscure their activity.
During the reconnaissance and initial entry phases, we saw these tools used for various purposes:
PowerShell – reconnaissance, persistence
Metasploit Framework – for reconnaissance
Mimikatz – for OS Credential Dumping
Bloodhound – Reconnaissance for Lateral Movement
Cobalt Strike – Initial Access and Lateral Movement via SMB
After gaining initial access, the DarkSide gang moves laterally in victim environments almost exclusively via RDP with legitimate user credentials, Windows Remote Management, and Cobalt Strike BEACON payloads. This threat cluster uses both HTTPS and SMB BEACON payloads.
DarkSide has used the following directories to stage copies of backdoors, ransomware binaries, PsExec, and lists of victim hosts:
C:\run\
C:\home\
C:\tara\
C:\Users\[username]\Music\
C:\Users\Public
The threat actor leveraged TeamViewer (TeamViewer_Setup.exe) to establish persistence in the victim environment. Available evidence suggests the attacker downloaded the TeamViewer binary directly from dl.teamviewer[.]com/download/version_15x/TeamViewer_Setup.exe and also browsed for locations from which the AnyDesk utility could be downloaded.
DarkSide attackers used the rclone tool (downloads.rclone[.]org/v1.54.0/rclone-v1.54.0-windows-amd64.zip) to exfiltrate hundreds of gigabytes of data over the SMB protocol to a cloud-based hosting and storage service.
After gaining initial access to a machine in the environment, the attacker moves laterally with the main goal of taking over the Domain Controller (DC).
Using reg.exe to dump the SAM hive on the DC for credential theft
For credential harvesting, the attacker mined credentials from user profile folders, including:
The DarkSide attackers used Invoke-mimikatXz.ps1 to extract credentials from LSASS and stored them in a file called “dump.txt.” This was done on a high-value target with minimal detection capabilities.
MITRE ATT&CK Techniques Used by DarkSide Hackers
Reconnaissance
T1590 (Gather Victim Network Information)
Initial Access
T1078 (Valid Accounts)
T1566 (Phishing)
T1190 (Exploit Public-Facing Application)
Execution
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1059.004 (Command and Scripting Interpreter: Unix Shell)
T1569 (System Services)
Persistence
T1078 (Valid Accounts)
T1053 (Scheduled Task/Job)
T1098 (Account Manipulation)
Privilege Escalation
T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control)
Defense Evasion
T1036 (Masquerading)
T1140 (Deobfuscate/Decode Files or Information)
T1222.002 (File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification)
T1562.001 (Impair Defenses: Disable or Modify Tools)
Credential Access
T1555 (Credentials from Password Stores)
T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)
Discovery
T1082 (System Information Discovery)
T1057 (Process Discovery)
T1087 (Account Discovery)
T1087.002 (Account Discovery: Domain Account)
T1482 (Domain Trust Discovery)
T1069.002 (Permission Groups Discovery: Domain Groups)
T1018 (Remote System Discovery)
T1016 (System Network Configuration Discovery)
Lateral Movement
T1080 (Taint Shared Content)
Collection
T1113 (Screen Capture)
Command and Control
T1071 (Application Layer Protocol)
T1105 (Ingress Tool Transfer; formerly named Remote File Copy)
T1043 (Commonly Used Port; deprecated in current ATT&CK versions)
Exfiltration
T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
T1048 (Exfiltration Over Alternative Protocol)
Impact
T1486 (Data Encrypted for Impact)
T1490 (Inhibit System Recovery)
T1489 (Service Stop)
Mitigations against DarkSide Ransomware Group
Require multi-factor authentication for remote access to OT and IT networks.
Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
Implement a user training program and simulated spearphishing attacks to discourage users from visiting malicious websites or opening malicious attachments, and to reinforce the appropriate user responses to spearphishing emails.
Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
Implement unauthorized execution prevention by:
Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
Implementing application allow listing, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, and web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor. Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
IOC
IOC information for the DarkSide ransomware group from our research is given below.
DarkSide Ransomware SHA-256 Hash:
One of the seven CDN servers of the DarkSide ransomware gang is still alive (DarkSide stored its leaked data here).
The source code of the CDN server that the DarkSide gang created on the dark web contains comments in Russian.
Based on our analysis and research, we expect that the DarkSide ransomware group will not stop. To stay safe, consider professional cyber threat intelligence services.