The FBI has attributed the attack on the Colonial Pipeline to DarkSide ransomware, a relatively new ransomware family that emerged on the crimeware market at the beginning of November 2020.
DarkSide is a Ransomware-as-a-Service with the stated goal of targeting ‘large corporations.’ They are primarily focused on recruiting Russian affiliates and are very strict on partnerships or interactions outside of that region.
DarkSide affiliate recruitment post on DarkNet.
They also have a Linux variant with interesting features. Following in the footsteps of successful ransomware families like Maze and Cl0p, the DarkSide group established a victim data leak PR page as further leverage to encourage ransom payouts.
The DarkSide ransomware gang keeps improving its services while also expanding its affiliate network. At the beginning of November 2020, the gang launched a more advanced Content Delivery Network (CDN) that allowed its operators to efficiently store and distribute stolen victim data. Many of their important targets found themselves listed on the victim leak page, including a number of financial, accounting and legal firms, as well as big technology companies.
The majority of the campaigns observed were initiated only after the enterprise had been thoroughly compromised with Cobalt Strike Beacon. After the reconnaissance phase, the operators would deploy the ransomware wherever it would cause the greatest disruption.
DarkSide announces its improved CDN (from the Exploit.in Russian hacking forum)
Victim organizations of DarkSide were mostly based in the United States and spanned multiple sectors, including financial services, manufacturing, professional services, retail and technology. The number of publicly named victims on the DARKSIDE leak page has increased overall since August, with the exception of a significant dip in the number of victims named during January. It is plausible that the decline in January 2020 was due to DARKSIDE taking a break during the holiday season. The overall growth in the number of victims demonstrates the increasing use of the DARKSIDE ransomware by multiple affiliates.
DARKSIDE attackers try to exploit public-facing applications, that is, vulnerable SMB, SSH, SQL and RDP servers. If an application is hosted on cloud-based infrastructure and/or is containerized, exploiting it may lead to compromise of the instance or container. This can give an attacker an easy path to the cloud or container APIs, to the container host via Escape to Host, or to weak identity and access management policies that can be taken advantage of; CVE-2021-20016 (SonicWall SMA100 SSL VPN product) has been used for Initial Access.
List of Victims and Sectors:
Darkside ransomware attacks mostly stood out for their use of stealthy techniques. The Darkside group performed reconnaissance for exploiting public-facing applications and took extra steps to ensure that their attack tools and techniques evade detection on monitored devices and EDR solutions.
In the initial stage, the attackers used a Cobalt Strike Beacon as the command and control mechanism, and stored TOR Browser executables inside network shares for spreading.
Stealth attack tactics include:
During the later stages of their attack, they:
The ransom note is encrypted and stored inside the aPLib-compressed configuration. A GUID is generated and appended to the end of each ransom note file name.
During execution, Darkside generates a 256-byte buffer. This buffer is significant since it is used to resolve API calls and to decrypt encrypted strings/buffers in memory.
We call this buffer KEY_BUFFER. It is generated from two hard-coded 16-byte keys in memory.
16-byte keys used to generate KEY_BUFFER
Function to generate KEY_BUFFER.
Darkside needs to run quickly in memory and encrypt all the data on the victim's computer, so it uses Windows system calls directly. User-mode applications cannot access kernel-mode memory sections. Because of Kernel Patch Protection, AV or EDR systems can only monitor application behaviour in user mode, and the last user-mode layer is the set of Windows API functions exported by NTDLL.dll. Once a function from NTDLL.dll is called, the CPU switches to kernel mode, which AV/EDR vendors can no longer monitor. The individual NTDLL.dll functions that make this transition are called syscalls.
For example, WriteProcessMemory from kernel32.dll resolves to NtProtectVirtualMemory -> NtWriteVirtualMemory -> NtProtectVirtualMemory in NTDLL.dll. The first syscall, NtProtectVirtualMemory, sets new permissions on the target memory so that it becomes writable; the second, NtWriteVirtualMemory, actually writes the bytes; and the third call restores the old permissions.
In the decrypted library table layout, each entry is the encrypted version of a string, which is either a DLL name or an API name. The table is laid out so that the entry holding a DLL name comes first, followed by the entries holding the API names exported from that DLL. If we decrypt the entire table and strip the bytes representing each entry's size, we get the image below. You can find my IDAPython implementation to generate it automatically here.
The encrypted configuration is stored in memory and ends with the DWORD 0xDEADBEEF. Calling decrypt_large_buffer() requires knowing the encrypted key buffer size, so this terminator DWORD is needed to find the configuration size iteratively.
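The two layouts just described (a terminator-delimited encrypted configuration, and a table of size-prefixed entries) are easy to carve with a few lines of Python. The block below is an added example written for this page; it is not the author's IDAPython script or any DarkSide code. The sample buffers are constructed, the decryption step is left out (the cipher is not described here), and the 4-byte width of the size field in the table is an assumption that must be adjusted to the real sample.

```python
import struct

CONFIG_TERMINATOR = 0xDEADBEEF
TERMINATOR_BYTES = struct.pack("<I", CONFIG_TERMINATOR)  # EF BE AD DE in memory


def encrypted_config_size(image: bytes, offset: int) -> int:
    """Walk the buffer one DWORD at a time from `offset` until the 0xDEADBEEF
    terminator and return the number of config bytes that precede it.
    Walking in DWORD steps avoids stopping on an unaligned EF BE AD DE sequence
    that happens to occur inside the data; if the terminator is not found on a
    DWORD boundary, fall back to a plain byte-wise search."""
    pos = offset
    while pos + 4 <= len(image):
        (dword,) = struct.unpack_from("<I", image, pos)
        if dword == CONFIG_TERMINATOR:
            return pos - offset
        pos += 4
    end = image.find(TERMINATOR_BYTES, offset)
    if end < 0:
        raise ValueError("0xDEADBEEF terminator not found after offset 0x%x" % offset)
    return end - offset


def extract_encrypted_config(image: bytes, offset: int) -> bytes:
    """Slice the still-encrypted configuration out of a memory dump."""
    return image[offset:offset + encrypted_config_size(image, offset)]


def split_size_prefixed(table: bytes, width: int = 4) -> list:
    """Split a table of size-prefixed entries (little-endian size of `width`
    bytes, then that many data bytes) into its raw entries, dropping the size
    fields. ASSUMPTION: a 4-byte size field and a zero size as end marker."""
    fmt = {1: "<B", 2: "<H", 4: "<I"}[width]
    entries = []
    pos = 0
    while pos + width <= len(table):
        (size,) = struct.unpack_from(fmt, table, pos)
        pos += width
        if size == 0:  # zero-length entry marks the end of the table
            break
        if pos + size > len(table):
            raise ValueError("entry at 0x%x runs past the end of the table" % (pos - width))
        entries.append(table[pos:pos + size])
        pos += size
    return entries


# Constructed sample: 8 bytes of padding, a 12-byte stand-in config, the
# terminator DWORD, then 4 unrelated trailing bytes.
SAMPLE_IMAGE = b"\x90" * 8 + bytes(range(12)) + TERMINATOR_BYTES + b"\xcc" * 4

# Constructed sample table in the "DLL name first, then its APIs" order,
# already decrypted so the strings are readable.
SAMPLE_TABLE = b"".join(
    struct.pack("<I", len(s)) + s for s in (b"kernel32.dll", b"CreateFileW", b"WriteFile")
) + struct.pack("<I", 0)

if __name__ == "__main__":
    cfg = extract_encrypted_config(SAMPLE_IMAGE, 8)
    print("config: %d bytes -> %s" % (len(cfg), cfg.hex()))
    for entry in split_size_prefixed(SAMPLE_TABLE):
        print("entry:", entry.decode())
```

On a real dump, `offset` is the address where the encrypted configuration starts and the result of `extract_encrypted_config` is what gets passed to the decryption and then to the aPLib decompressor.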
The decrypted configuration has this specific layout.
It is easy to spot that Darkside decompresses the configuration using the aPLib algorithm.
aPLib libraries are widely available on GitHub; I grabbed a Python implementation from GitHub to decompress and parse the configuration into a JSON file. You can get my script to generate this JSON file here.
Below is the full configuration of this Darkside sample in JSON format; for the full format see here.
If the user is not an admin, it checks the user's token information to verify whether the token holds a SID whose first sub-authority value is SECURITY_BUILTIN_DOMAIN_RID and whose second sub-authority value is DOMAIN_ALIAS_RID_ADMINS.
Ransomware function to check the token's privileges
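The two constants above describe the well-known SID S-1-5-32-544 (the local BUILTIN\Administrators group): NT authority 5, first sub-authority SECURITY_BUILTIN_DOMAIN_RID (32) and second sub-authority DOMAIN_ALIAS_RID_ADMINS (544). The following added example (written for this page, not code from the sample or the author) shows the same check in two forms an analyst can use: a portable one over SID strings such as those printed by `whoami /groups`, and a live one through the documented Windows APIs AllocateAndInitializeSid and CheckTokenMembership. The SID list in the sample data is constructed.

```python
import sys

SECURITY_NT_AUTHORITY = 5            # identifier authority of every S-1-5-... SID
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 32  -> BUILTIN domain
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 544 -> Administrators alias


def parse_sid(sid: str):
    """Parse 'S-1-<authority>-<sub1>-<sub2>...' into (authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[2]), [int(p) for p in parts[3:]]


def is_builtin_admins(sid: str) -> bool:
    """True only for S-1-5-32-544, i.e. the pair of RIDs the sample looks for."""
    authority, subs = parse_sid(sid)
    return (authority == SECURITY_NT_AUTHORITY and len(subs) == 2
            and subs[0] == SECURITY_BUILTIN_DOMAIN_RID
            and subs[1] == DOMAIN_ALIAS_RID_ADMINS)


def token_has_builtin_admins(group_sids) -> bool:
    """Offline equivalent of the token check over a list of group SID strings."""
    return any(is_builtin_admins(s) for s in group_sids)


def current_token_is_builtin_admins() -> bool:
    """Live check on Windows via CheckTokenMembership; raises on other platforms."""
    if sys.platform != "win32":
        raise OSError("this check needs the Windows advapi32 APIs")
    import ctypes
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)

    class SID_IDENTIFIER_AUTHORITY(ctypes.Structure):
        _fields_ = [("Value", ctypes.c_byte * 6)]

    nt_authority = SID_IDENTIFIER_AUTHORITY((ctypes.c_byte * 6)(0, 0, 0, 0, 0, SECURITY_NT_AUTHORITY))
    sid = ctypes.c_void_p()
    # Build S-1-5-32-544 with two sub-authorities; the remaining six are unused.
    if not advapi32.AllocateAndInitializeSid(ctypes.byref(nt_authority), 2,
                                             SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                                             0, 0, 0, 0, 0, 0, ctypes.byref(sid)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        member = wintypes.BOOL()
        # NULL token handle means "the token of the calling thread/process"
        if not advapi32.CheckTokenMembership(None, sid, ctypes.byref(member)):
            raise ctypes.WinError(ctypes.get_last_error())
        return bool(member.value)
    finally:
        advapi32.FreeSid(sid)


# Constructed sample: group SIDs of a domain user that is also a local administrator
SAMPLE_GROUP_SIDS = ["S-1-1-0", "S-1-5-21-1000000000-2000000000-3000000000-1105", "S-1-5-32-544"]

if __name__ == "__main__":
    print("sample token is BUILTIN\\Administrators:", token_has_builtin_admins(SAMPLE_GROUP_SIDS))
    if sys.platform == "win32":
        print("this process is BUILTIN\\Administrators:", current_token_is_builtin_admins())
```

Note that membership in BUILTIN\Administrators is not the same as running elevated: with UAC enabled the group is present in the filtered token but disabled, which is exactly why the sample goes on to the UAC bypass described next.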
Darkside Ransomware performs a UAC bypass to relaunch itself with higher privileges. This is an old bypass trick using the ICMLuaUtil COM interface. Microsoft has good documentation for this here.
The bypass is only performed if UAC_ELEVATION_FLAG in the configuration is set to 1 (true).
This function calls CoGetObject with the object name Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
Checking with the Registry Editor, we can observe that this CLSID belongs to cmstplua.dll in system32, and that CoGetObject retrieves an ICMLuaUtil interface with administrator privileges.
Darkside Ransomware then calls the interface's ShellExec function to execute the malware again with admin privileges.
Darkside's function to encrypt a single file/folder is only used when parameters are given; it is most likely intended for testing only.
First, it checks whether CHECK_RUSSIAN_COMP_FLAG is set to True in the configuration. If it is, it checks whether the victim computer's language is Russian by parsing the outputs of GetUserDefaultLangID and GetSystemDefaultUILanguage.
If the computer language is set to Russian, it exits immediately.
It checks whether the file path is a UNC server path by calling PathIsUNCServerW. If it is, the UNC encryption function is called to encrypt the data on the UNC server. In this function, Darkside enumerates all SMB shares using NetShareEnum, builds a valid UNC network path for each, and calls the main_encryption function to encrypt all of them.
If a path does not lead to a UNC server, Darkside builds the valid path accordingly by checking whether the path is a network path, a path to a mounted network drive, or just a normal path on the system.
If CONFIG_C2_URL_FLAG is set to True and the C2 URL is provided in the configuration, it will send the victim’s Operating System information to the C2 server.
The function that extracts the user's operating system information uses APIs such as GetUserNameW, GetComputerNameW and MachinePreferredUILanguage to gather it.
After extracting everything, it writes all the data into a string in this JSON form.
Darkside Ransomware uses the InternetOpenW and InternetConnectW APIs to open a handle with the user agent Firefox/80.0 and to connect to the C2 server on port 443.
After the connection is established, it sends POST requests to the C2 using HttpOpenRequestW, decrypts the HTTP header, sets internet options using InternetSetOptionW, and sends the packets with the generated content buffer. Finally, Darkside calls HttpQueryInfoW to query the status code and check whether the packet was sent successfully.
Ransomware build configuration options in the administration panel (the malware hash changes every time the attacker clicks the build button)
If DELETE_SHADOW_COPIES_FLAG in the configuration is set to True, Darkside will try to delete all shadow copies on the system. There are two different functions for this task, depending on the machine's system architecture.
If the machine runs a 64-bit Windows OS, it decrypts a CMD command and executes it using CreateProcessW.
Executing a PowerShell script to delete all shadow copies
Below is the decrypted CMD command.
This command loops 61 times, extracts 2 characters at a time, converts them into a byte, and converts that byte into an ASCII character.
Decoding this string produces this PowerShell command, which gets each Win32_Shadowcopy object and then deletes it.
After the encryption has finished, and if CONFIG_C2_URL_FLAG is set to True (the default) in the configuration, Darkside will try to send the final encryption status to the C2 server.
It decrypts the format string for this packet and writes the victim ID, UID, encrypted file count as an INT, encryption size, skipped file count and elapsed time into this format string.
Darkside's custom RSA-1024 implementation is used to encrypt the Salsa20 matrix, which is stored at the end of each encrypted file.
The RSA-1024 public key is embedded inside the Darkside encrypted configuration, divided into two data blobs.
From our investigation into DarkSide Ransomware samples, we see that phishing, remote desktop protocol (RDP), or exploitation of known vulnerabilities were the tactics used to gain initial access to the victim machine. Attackers also use public hacking tools during the attack to remain undetected and obfuscate their activity.
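Because the shadow-copy deletion is hidden behind a hex string that is only rebuilt at run time, a command-line rule that looks for the literal Win32_Shadowcopy text misses it. The block below is an added detection example written for this page (not code from the sample or the author): it performs the same two-characters-to-one-byte decoding on any long hex literal found in a process creation log line, then checks both the raw and the decoded text for WMI shadow-copy deletion. The log format (`pid|image|command line`) and the three sample lines are constructed.

```python
import re

# A run of 40+ hex characters (20+ byte pairs) that is not part of a longer hex token.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){20,})(?![0-9A-Fa-f])")

# Deleting shadow copies through WMI: the Win32_Shadowcopy class followed by a
# Delete() call or Remove-WmiObject, in either plain or decoded text.
SHADOW_DELETE = re.compile(r"win32_shadowcopy.*?(\.delete\(|remove-wmiobject)",
                           re.IGNORECASE | re.DOTALL)


def decode_hex_runs(cmdline: str) -> list:
    """Decode every long hex literal the way the loop does: two characters ->
    one byte -> one ASCII character. Runs that are not printable ASCII are
    dropped, which filters out hashes and GUID-like noise."""
    decoded = []
    for match in HEX_RUN.finditer(cmdline):
        try:
            text = bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line itself, or any hex string it carries, deletes shadow copies."""
    candidates = [cmdline] + decode_hex_runs(cmdline)
    return any(SHADOW_DELETE.search(c) for c in candidates)


def scan_process_log(lines) -> list:
    """Return (pid, image, command line) for each constructed 'pid|image|cmdline' line that matches."""
    hits = []
    for line in lines:
        pid, image, cmdline = line.split("|", 2)  # maxsplit keeps pipes inside the command line
        if is_shadow_copy_deletion(cmdline):
            hits.append((int(pid), image, cmdline))
    return hits


# Constructed sample data: the PowerShell the loop rebuilds, its hex form, and three log lines.
DECODED_COMMAND = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
HEX_PAYLOAD = DECODED_COMMAND.encode("ascii").hex()
SAMPLE_PROCESS_LOG = [
    "1204|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell -c \"(0..61)|%{[char][byte]('0x'+'"
    + HEX_PAYLOAD + "'.Substring(2*$_,2))}\"",
    "4420|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -c Get-WmiObject Win32_OperatingSystem",
]

if __name__ == "__main__":
    for pid, image, cmdline in scan_process_log(SAMPLE_PROCESS_LOG):
        print("shadow copy deletion by pid %d (%s)" % (pid, image))
        for text in decode_hex_runs(cmdline):
            print("  decoded:", text)
```

The third sample line queries a different WMI class and is left alone, which is the point of matching on Win32_Shadowcopy plus a delete verb rather than on Get-WmiObject in general.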
During the reconnaissance and initial-access phases, we saw these tools used for various purposes:
After gaining initial access, the Darkside gang moves laterally in victim environments almost exclusively via RDP using legitimate user credentials, Windows Remote Management, and Cobalt Strike BEACON payloads. This threat cluster uses both HTTPS and SMB BEACON payloads.
Darkside has used the following directories, placing copies of backdoors, ransomware binaries, PsExec, and lists of victim hosts within them.
The threat actor leveraged TeamViewer (TeamViewer_Setup.exe) to establish persistence within the victim environment. Available evidence suggests that the attacker downloaded the TeamViewer binary directly from dl.teamviewer[.]com/download/version_15x/TeamViewer_Setup.exe and also browsed for locations from which to download the AnyDesk utility.
Darkside attackers used the rclone tool (downloads.rclone[.]org/v1.54.0/rclone-v1.54.0-windows-amd64.zip) to exfiltrate hundreds of gigabytes of data over the SMB protocol to a cloud-based hosting and storage service.
After successfully gaining initial access to a victim machine, the attacker begins to move laterally within the environment, with the main goal of taking over the Domain Controller (DC).
Using reg.exe to steal credentials stored in the SAM hive on the DC
During credential harvesting, the attacker mined credentials from user profile folders, including:
The DarkSide attackers used Invoke-mimikatXz.ps1 to extract credentials from LSASS and stored them in a file called "dump.txt". This was done on a high-value target with minimal detection capabilities.
Reconnaissance
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
According to our research, the IOC information for the DarkSide ransomware group is given below.
DarkSide Ransomware SHA-256 Hash:
Indicator | Type |
104.193.252[.]197:443 | BEACON C2 |
162.244.81[.]253:443 | BEACON C2 |
185.180.197[.]86:443 | BEACON C2 |
athaliaoriginals[.]com | BEACON C2 |
lagrom[.]com | BEACON C2 |
ctxinit.azureedge[.]net | BEACON C2 |
45.77.64[.]111 | Login Source |
181ab725468cc1a8f28883a95034e17d | BEACON Sample |
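The indicators above are published defanged (`[.]`) and mix IP:port pairs, domains and a file hash, so they need a little normalisation before they can be matched against logs. The block below is an added example written for this page (not the author's tooling): it refangs and classifies the indicators, matches them against constructed web-proxy log lines (including parent-domain matches, so a subdomain of a listed domain still hits), and separately flags the weaker behavioural signal from the C2 section, a bare `Firefox/80.0` user agent on a POST to port 443. The log format and the sample lines are constructed; only the indicators come from the table.

```python
import ipaddress
import re

# Indicators from the table above, kept defanged exactly as published.
IOCS = {
    "104.193.252[.]197:443": "BEACON C2",
    "162.244.81[.]253:443": "BEACON C2",
    "185.180.197[.]86:443": "BEACON C2",
    "athaliaoriginals[.]com": "BEACON C2",
    "lagrom[.]com": "BEACON C2",
    "ctxinit.azureedge[.]net": "BEACON C2",
    "45.77.64[.]111": "Login Source",
    "181ab725468cc1a8f28883a95034e17d": "BEACON Sample",
}
# User agent the sample passes to InternetOpenW (see the C2 section above).
BEACON_USER_AGENT = "Firefox/80.0"

# Constructed proxy log format: <timestamp> <client ip> <method> <host>:<port> "<user agent>" <status>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) '
                    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$')


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def classify(indicator: str):
    """Return (kind, value) with kind in {'ip', 'domain', 'hash'}; a trailing :port is dropped."""
    value = refang(indicator)
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}", value):
        return "hash", value.lower()
    host = value.rsplit(":", 1)[0] if re.fullmatch(r".*:\d+", value) else value
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "domain", host.lower()


def build_index(iocs=IOCS):
    index = {"ip": {}, "domain": {}, "hash": {}}
    for indicator, label in iocs.items():
        kind, value = classify(indicator)
        index[kind][value] = label
    return index


def domain_hit(host: str, domains):
    """Exact or parent-domain match: a.b.example.com matches a listed example.com."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_hash(digest: str, index=None):
    index = index or build_index()
    return index["hash"].get(digest.lower())


def scan_proxy_log(lines, index=None) -> list:
    """Return (line number, reason, label, value) tuples for every hit."""
    index = index or build_index()
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        host, port, ua, method = m["host"], int(m["port"]), m["ua"], m["method"]
        if host in index["ip"]:
            alerts.append((n, "ioc", index["ip"][host], host))
        elif (parent := domain_hit(host, index["domain"])):
            alerts.append((n, "ioc", index["domain"][parent], parent))
        if m["src"] in index["ip"]:
            alerts.append((n, "ioc", index["ip"][m["src"]], m["src"]))
        # Behavioural signal: a bare "Firefox/80.0" UA (no Mozilla/5.0 prefix) on a POST to 443.
        # Weaker than an IOC match, so it is reported under its own reason.
        if method == "POST" and port == 443 and ua == BEACON_USER_AGENT:
            alerts.append((n, "beacon-ua", "POST with bare " + BEACON_USER_AGENT, host))
    return alerts


# Constructed sample proxy log: one benign browser request, two beacon-like POSTs, one DNS-name hit.
SAMPLE_PROXY_LOG = [
    '2021-05-08T02:11:09Z 10.0.0.23 GET www.example.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/80.0" 200',
    '2021-05-08T02:11:10Z 10.0.0.23 POST 185.180.197.86:443 "Firefox/80.0" 200',
    '2021-05-08T02:12:44Z 10.0.0.23 POST cdn.athaliaoriginals.com:443 "Firefox/80.0" 200',
    '2021-05-08T02:13:00Z 10.0.0.41 GET ctxinit.azureedge.net:443 "Mozilla/5.0" 200',
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("line %d: %-9s %s (%s)" % alert)
    print("hash lookup:", match_hash("181AB725468CC1A8F28883A95034E17D"))
```

The first sample line carries a full browser user agent that merely ends in Firefox/80.0 and is not reported; only the bare string the sample sets is treated as a signal, and even that should be corroborated by the destination before anyone acts on it.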
One of the seven CDN servers of the DarkSide ransomware gang is still alive (DarkSide stored their leaked data there).
The source code of the CDN server on the dark web, created by the DarkSide ransomware gang, contains annotations in Russian.
Based on our analysis and research, we expect that the DarkSide ransomware group will not stop. To stay safe, you can consider professional Cyber Threat Intelligence services…