
Malware Wars: DarkSide Strikes Back as BlackMatter

BSides Charm · 2022 · 34:05 · 164 views · Published 2022-07
About this talk
Lindsay Kaye and James Niven from Recorded Future trace the evolution of BlackMatter ransomware, the successor to DarkSide that emerged in July 2021. The talk provides technical deep-dives into Windows, PowerShell, and Linux variants, examines the ransomware-as-a-service business model and underground ecosystem, and discusses detection strategies for tracking sophisticated ransomware operators across tool evolution and rebranding.
Original YouTube description
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as well as interview the ransomware operators themselves. In this session, we will take you through our discovery of the BlackMatter ransomware group and its evolution through the shutdown, as well as provide a technical deep dive on the Windows, PowerShell and Linux ransomware itself. We will also address how this evolution trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.

Lindsay Kaye (@TheQueenofELF)
Lindsay Kaye is the Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence – providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay's technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

James Niven
James is a Principal Threat Researcher at Recorded Future who researches Russian-based ransomware.
Transcript [en]

All right everyone, hi, thank you so much for coming to our talk on DarkSide striking back as BlackMatter. My name is Lindsay Kaye and I'm Director of Operational Outcomes at Recorded Future, in Insikt Group, so I run the technical arm of our threat intelligence team. By trade I was a software engineer for many years before getting into reverse engineering and malware analysis.

And hi, I'm James Niven. I'm a Principal Threat Researcher, also at Recorded Future. Prior to Recorded Future I did a lot of red teaming for offensive security and CrowdStrike, and it gave me a unique perspective into how actors would actually work day to day.

Awesome. So before we get started we're going to talk about a couple of high-level terms, in case you're not super familiar with ransomware and ransomware operations. First, ransomware as a service. At a very high level this is a program that's run by a group of people called administrators. They're responsible for creating the malware, managing the infrastructure and other aspects of the actual program itself. People called affiliates or advertisers will obtain membership in the program in order to get access to it; they'll do so in a couple of different ways, either by vouches or by paying for access. Part of the benefit for an aspiring affiliate of joining a RaaS is actually being able to have that name recognition. You can imagine, if you want to lock someone's network and you want them to pay, having that name recognition that ensures that if they pay you they'll get the decryption key is good. But also the RaaS will take over some of the other aspects of it, because you get access to a developer who can add new features, do bug fixes, other things like that, some of the victim payment infrastructure, different things like that, so you don't have to do it on your own.

Next, tools and TTPs. Very basically, things that actors use at a technical level, so you may hear things like malware, malicious tools, and then how they actually use them. Big game hunting: around 2019, instead of targeting individuals, ransomware threat actors began actually targeting organizations, largely because they have more of an ability and willingness to pay the ransom than those individuals. And then finally the underground ecosystem. This is where one would buy and sell malware, malicious tools and different kinds of access to organizations. We'll get into some of that later, but that could include stolen credentials, VPN, RDP, etc., and then finally how threat actors can communicate with others.

So ransomware is a business, and we're going to talk about a couple of different aspects of what this business entails. First, gaining access: how does a threat actor first gain access to a target system or organization? Next, acquiring data: how do they acquire the data, what does it include, and then what can they do with it? Next, buying and selling of tools and data, so largely dark web marketplaces and shops. And then finally, things that they can acquire to enable operation and infrastructure aspects of the ransomware program. I'll hand it over to James.

Excellent. So speaking of the underground ecosystem and the way that they have the ability to buy and sell things: they've commoditized almost everything. It can range from something small like Netflix account credentials, or it can range up to initial access, so Pulse, Fortinet VPNs, logins for RDP sitting on the net, and these are done by initial access

brokers. As she spoke to earlier, ransomware can also be commoditized, where you pay a certain amount of money to get into the program, 0.1 bitcoin or something, for instance, for non-Russian speakers. Malware, checkers, stealers, exploits, brute forcers for credentials: all this is sold and hashed out in different programs. It can also range to C2 frameworks, so Cobalt Strike for instance. It's not necessarily paid for; I mean, it's not necessarily open source, but you have cracked versions of it lying around, and you have CNA scripts or Aggressor scripts which can make a lot of this stuff just one click: you right-click and you can Kerberoast an entire network.

So on the business of that, this is actually Exploit. This screenshot is BlackMatter when they first arrived, and these are the country codes that they're looking for. The reason they choose these country codes is because those are the people that are most likely to pay; we have cyber security and whatnot, more mature companies will pay for that. And they say that they don't want any access for medical or state institutions; they want companies or networks that have over 100 million dollars worth of revenue, and more or less they're looking for access here. So there are two primary forums for Russian-based ransomware: it's Exploit and XSS. The way that it will typically work is, if you see this post and you want information on it, it doesn't make a lot of sense to respond to it right there, because then law enforcement or another researcher just watching it is going to get privy to that and start hunting you. So what you do is you send a private message to this, but knowing that forums can be compromised, you want to leave as much information out of that private message. So you would create a one-time note, like a Privnote, that would say I'm interested in this, here's my Tox or Telegram account or Jabber, and then take all communication off that platform, so even an administrator or compromised forums would have no trace of it. And once the Colonial Pipeline attack happened, everybody was really bearing down on those forums and just watching every single word.

So how do they hide? Ransomware actors are much like normal everyday red teamers. They'll use things that are built into Windows, LOLBins, for instance mshta and MSBuild: if you send an HTA file, it's essentially an HTML file, and tell it to build code on the machine using the .NET Framework, MSBuild or csc, you essentially build the payload on the victim machine and bypass a lot of initial detections. They will also use Windows management tools, so Active Directory. They can do a lot of damage by having access to Active Directory: tell all the machines to start updating and looking for a specific file, for instance the locker, in the SYSVOL or NETLOGON directory on the domain controller; everything can read it and it'll fire away at once. Common applications that are on a lot of networks: Slack and Okta. Slack's a really good example, give us two. So if you have a password for a guest Wi-Fi, it may be applicable to other things in the network that you could scan for. And red team tools: SharpHound, Rubeus, Cobalt Strike. Not all of them are open source, but they're on GitHub and they're very heavily documented, and the actors will use them and not have any real issues with it, and they can also customize it.

So as we were speaking, they innovate. This is an example of the REvil panel before they were shut down. This shows REvix at the bottom as their Linux locker; it shows all the changes with it and the different architectures it applies to. REvil 2.7 was not their last, but it was the one right before their last update, and it shows all the changes that happened to that. In the entire time we tracked REvil they had about 15 versions of Windows ransomware.

Cool, so why does this actually matter? REvil was not an anomaly, right? Threat actors, especially ransomware threat actors, will keep innovating, largely because they have to. First, they are following security trends. You might hear of new vulnerabilities that are discovered; if you ever read any sort of incident response reports to look at how other threat actors were caught, what defenders are looking for, any sort of new research that's coming out: if we have access to it, consider the fact that they also do, and they are learning from it. They'll read news articles, research, things that we publish ourselves, so they are getting insights there and following those trends, and often incorporating that into their own ransomware. Like I said, having access to a developer is part of the ransomware-as-a-service program, so this means new features that affiliates are requesting or that might be effective in helping get the companies to pay the ransom; different sorts of optimizations, because in a ransomware attack they want to encrypt as much as they can as fast as they can; things like antivirus evasion and anti-reverse-engineering techniques, to make it harder for the defenders to catch you and then take it apart and figure out how to write effective detections for you; and then bug fixes, so if something is broken the developer will often fix it.

So what this means is that we really can't just use one approach to finding them and rooting them out. We often like to talk about tracking the different versions of their tools, but this can really change over time: 15 versions of REvil's Windows ransomware alone. While not everything changed between versions, this is something that does evolve over time, so we can't rely entirely on it. Infrastructure is something that is spun up and down, so you can't really use that as a long-term tracking thing necessarily. And James talked a little bit about some of those common TTPs and red team tools that they do use, so you can leverage some of that, but that really isn't the whole story as well.

So what we're going to do is we're going to talk through an IRL example of how this happened at the mid to late part of last year, looking specifically at how a ransomware threat actor rapidly evolved their software in response to several external factors, like discovery by security researchers and some of the demand for new features in their malware. We're going to use BlackMatter as an example. We actually discovered the group in July 2021 and shortly thereafter put out a technical deep dive on the malware.

The way we discovered BlackMatter was, it was right place, right time, but with some good knowledge. So we're familiar with the Colonial Pipeline attack; it caused a lot of issues at the pump, got a lot of law enforcement focused right on DarkSide. So DarkSide really went into hiding; some of their

people got caught and they backed down for a bit. So with DarkSide out of the picture for now, we still have REvil. REvil has a Windows and Linux locker, like we talked about, and an ESXi locker. The ESXi locker is really, really important, because you can have all these magical tools for Windows to protect Windows hosts, but if you host them all on ESXi, which has none of these cool tools, and you lock the datastore, the entire network's locked. So ESXi is really, really effective. And so with all the pressure on DarkSide, them going away, REvil... and this was during the time of the US and Russian talks about ransomware as a whole.

So this screenshot on the bottom is actually from the REvil panel, and it's from the administrator. Previous to that he said no attacks on USA for two weeks until these talks are over. This thing actually is addressing the JBS Foods case. JBS Foods, the top one, is from JBS Foods to the FBI saying we got attacked by REvil, we're shut down, we have a lot of issues. Everyone said JBS Foods is a USA company; it's not, technically, and that's what that post is saying: it's JBS SA out of Brazil. JBS Foods USA does exist, but it's a subset, so they are arguing that they didn't attack a USA company. So this caused a lot of focus on REvil and started them to shut down.

We knew a lot of information about their actors and affiliates, so using this knowledge, communicating to them on Tox and Jabber and other services, looking for an ESXi locker, is essentially how we landed on BlackMatter. This is actually BlackMatter's panel: your first day you join, you get all this information. It says we take the best features from REvil, DarkSide, LockBit; we've tested all our platform and our vulnerabilities. To give you a little context, DarkSide had the decryption issue in the past, which we'll talk about later. And they're talking about what it runs on: it works on all the NAS devices, Linux, ESXi, all the Windows versions. And go ahead.

So here you see on the left is the DarkSide panel, on the right is the BlackMatter panel, pretty visually similar. You'll have the way to do your different builds on the top right, all the company victim information, the bitcoin addresses; you can see it's relatively the same panel.

Cool, so at the outset there were two versions that were released initially, one for Windows and one for Linux and ESXi. The Windows ransomware did have some fairly extensive anti-reverse-engineering and anti-analysis capabilities, nothing insurmountable but definitely harder than average. Comparatively, the Linux and ESXi one was very straightforward. It actually included function names that they did not actually scrub from it, and the configuration file, which gives you information about what it should do, what the threat actors configured it to do, was de-obfuscated, which made it substantially easier to reverse engineer. On the bottom right you can see examples of what those function names do, and in case you're not a reverse engineer, one of the things that's really just gold is when threat actors leave these things in, because if you're trying to figure out what a function is doing, it's really helpful to have the name with specific things such as get running VMs. So that really does help speed up some of the analysis there,

and on the top you can see an example of the Windows ransom note that it dropped.

So generally when we talk about tracking threat actors' tools, there are a couple of different things that we'll start to look for. Really what you want to look for is something unusual or distinctive that that specific actor does. Some places that I generally like to look: first, cryptographic routines. These can range from interesting combinations of the cryptographic routines, which we'll get into soon, or things that they implement custom, so not true crypto, but like string obfuscation routines and something like that. Sometimes threat actors will roll their own and they'll do it incorrectly, and if it's something they do that is particularly distinctive, you can also use that to signature on. One example is BlackMatter's string decryption routine, which you can see in the top image. We'll look at the key init function soon, but this was something where the strings were not in plain text; they made it harder to reverse engineer by doing some light obfuscation to them. But it was one of the elements of the first signature that we were able to write for them, because it was unique.

Other obfuscation techniques that threat actors might use can also help you start tracking them, especially, again, if they are unique. So for example we can look at some of the call obfuscation that BlackMatter used. On the bottom is a very normal kind of Windows API call, really how you would see it when you're reverse engineering it: you can see a call to the specific function. BlackMatter didn't do that. In order to make it harder to reverse engineer, what they had was a magic value, and then they'd XOR that value with another value and then jump to that address in order to make the call. So if you're doing static reverse engineering, now you have to figure out where it is jumping to, where in memory, what's loaded there, which complicates it substantially. However, this was another element of the signature that we were able to create, because this magic value appeared all throughout the code and it was something that was just baked in and pretty distinctive. So again, magic numbers: very helpful, especially if it's something that they derive on their own and nobody else is really using. And while BlackMatter did not do this, one of my personal favorites is misspellings. Sometimes you'll see error messages or log messages or file names, mutex names, different strings that are in the malware that they've misspelled, and if it's a particularly distinctive misspelling and it goes throughout versions and they don't change it, that can also be pretty useful.

So we put out a report in July, and after we released this report, new versions of the Windows ransomware started to appear. Some of them were fairly simple changes, such as that magic XOR key starting to change, and then others were more complex, so the addition of new features. One of the examples of how the string encryption actually changed: we talked about that key init function. On the top was the very simplistic one that they used in their first version; we put out a little Python script to decode the strings. And then several versions later we actually noticed the encryption key initialization for the string obfuscation changed substantially, became substantially more complex, and you can see that on the bottom. Ultimately we never actually saw another

version of the Linux and ESXi ransomware, not entirely sure why, but there you go. And ultimately, between July 2021 and September 2021, we saw them release six different versions of their ransomware, version numbers 1.2 to 3.0.

So let's talk a little bit about some of those feature additions. We'll get into some of these, but things like printing the ransom note on local printers, to add some excitement I guess when you encrypt; encrypting additional file types, so adding that support as well; letting the threat actor identify specific computers not to encrypt. On the right you can see an example of the build panel where you can configure it and say what kinds of folders to whitelist, files, different things like that, so you could identify which computers to avoid; the implementation of their cryptographic algorithm; and then looking for large files and encrypting them differently. In a ransomware attack, time is of the essence for the threat actor, because they want to encrypt everything as fast as possible so that the victim can't stop it midway, and they really have maximum impact. So being able to encrypt large files: you'll sometimes see threat actors encrypt only pieces of them, at increments, whatever, to just make them so that they're not usable, but not waste any time in getting as much damage as quickly as possible.

So let's look at a couple of the specific features. Between versions 1.6 and 2.0 we saw them modify some of their printing, the print-the-ransom-note-to-printers function. Here's an example. On the left, in versions 1.6 to 1.9, we saw them just say print to anything as long as the printer isn't named PDF, because that's a virtual printer. But over time they actually evolved this to say ignore PDF and then some additional virtual printers. Another interesting element of their obfuscation: you can see, instead of looking for the specific names, they take a hash of the name to make it just a little bit more complicated; it's a custom hashing algorithm.

We talked a little bit about encrypting different kinds of files. On the left you can see they add the ability first to encrypt Microsoft Exchange files; that's how they did it. And then they added the capability to handle the large ones differently; we talked a little bit about why there's a point to that. What they do is they check for different extensions and then behave differently accordingly.

You may remember Emsisoft actually came out with a decrypter for BlackMatter ransomware that said victims do not have to purchase the crypto key to decrypt, and they can still decrypt their ransomware, which suggests that there is some kind of cryptographic issue. The threat actor supposedly fixed the issue in about late September 2021. We can't really speak to the specific cryptographic issue at hand here, but you can see some evolution in how at least the key initialization code came between the different versions. There are other changes in the other crypto code, but we won't get into those. You can see version 1.2, 2.0 and 3.0 stacked right there; we won't necessarily get into that, but it is interesting to see how they make those little changes, especially if there was a bug.

So we talked a little bit about the overlap between DarkSide and BlackMatter.

Other researchers actually suggested looking at how the cryptographic key material was generated, using the custom Salsa20 matrix that had previously been originally unique to DarkSide. We talked about unique and interesting crypto; this was now something where they were observing a very similar cryptographic routine in BlackMatter. So what this looks like between them: you can see the random buffer initialization for DarkSide on the top, followed by the RSA-1024 encryption, and then you can see BlackMatter's implementation on the bottom. So not exactly the same, but you do see some similarities: a slight difference in how they actually did the generation of the random buffer, but semantically it's pretty similar. That's what the researchers are pointing out; we just want to give an example of that. So I'm going to hand it back over to James to talk about the end.

Thanks. So DarkSide had the Colonial Pipeline attack; they messed up on that, a little too high profile for them. They also had the decryption issues, which we didn't talk about specifically, but with BlackMatter we did. So they've had decryption issues for BlackMatter as well. They hit an agricultural entity really heavily that caused a lot of issues, and the security researchers jumped into that chat and just took over it, and they couldn't differentiate between victim and researcher, and they were really flustered at the time. So they've made critical mistakes and they just announced that they're done with it, they're shutting down. This is actually the panel saying in 48 hours we're gone, we're going to hand out decryption keys. So it sounds like it's the end of BlackMatter, but it's not.

This is actually an interview by one of our colleagues that reaches out to another ransomware called ALPHV, and they basically admitted to it. If you read through it, it will say that with the victim chats having issues and not being able to tell between victim and impersonator, and the decryption issues, this caused us to shut down. And then we see another actor, LockBit, say this is BlackMatter doing a rebranding. What BlackMatter did was, they were mad, they just fired the entire dev team for the locker, and we'll show. This right here, this is ALPHV, and this is basically the intro to their new ransomware project. It says we have ESXi lockers, you get a certain percentage of cut; they completely redid the locker, wrote it in Rust, lots of new fancy features. They made it specific, so if you capture a ransom note on VirusTotal you can't actually do anything with it, because you have to have a specific access code to be able to visit the victim panel. They rewrote the entire panel itself; they added a lot of features, new support tools, new FAQs, built-in mixers. They're actually working on another thing called Morph which allows near-real-time obfuscation of the locker itself to bypass some signatures. So they're still around.

So as defenders, we're probably asking, what is it now that we do? Because it seems like they spin up, they spin down, they rebrand, they join new programs. So what is it that we can do? One of the things I want to underscore is that in order to successfully find malicious threat actors after they disappear, it really does require a very multifaceted approach. So not only the

technical skills and signatures and things like that, but also subject matter experts who know how to find them and what to start looking for. Also detections; I have to mention that. Looking for things like those commonly used tools and TTPs: things like Cobalt Strike will remain eternally popular with APTs and ransomware threat actors, and it's very easy to get. So while that won't completely solve the problem, being able to detect these sorts of malicious tools and their use does get you some of the way. Looking also for the latest threats, so things like pre-ransomware tools or new open source technology and tools, is really important. Like I said, they can read the same things that we see; they look at GitHub, and if they find new tools that they like and that help them accomplish their goals, they're probably going to use them. So keeping abreast of what is going on now, what people are releasing, and then what could be useful, is also important.

Very well-known detection types, so things like YARA, Sigma and Snort, wherever possible, to be able to track, either from a defensive perspective or if you like to threat hunt or look for malware to take apart, can help you start finding these specific threat actors or threat actors' specific tools, like some of what we talked about. Other IOC feeds as well are super useful: known command and control servers, malicious hashes, things like that. And then we all talk a lot about logging and turning on logging, but make sure that the logs capture exactly what you think they should, so that in the event that something does in fact happen, you're able to get the information that you expect and would probably need to figure out what happened, in case you weren't able to stop it. Do things like implementing common security measures, so account pruning, strong passwords, etc. Active Directory: James talked a little bit about how having access to Active Directory is pretty powerful, so make sure you're doing cleanup, disabling legacy objects, and then implementing best practices there. And then finally, consider using multi-factor authentication for things like remote access services like RDP and Citrix; these are still popular with ransomware threat actors and they will take advantage of them.

So with that, are there any questions?

Well, it doesn't really come as a whole package; it all depends on what you're looking for. So if you have access to a whole bunch of compromised machines and you want to buy an information stealer, it costs very little, because all you're essentially doing is buying access to the panel, you're generating the builder and then you're sending it to the networks you already own. So it could be a few hundred bucks a month, maybe less; it all depends on usage and how much you want to get access to.

So what about the actual ones themselves, so they're free, all these are free? Yeah, yeah. So what they do is basically, if you join as an affiliate, they have a core set of administrators. The people inside these groups don't know who each other are; there are certain subsets. The administrators know themselves, most of them, personally, this small subset. So let's say for instance you joined and you were the one to own the keys; if you have that guy, that guy and that guy that don't know each other in real life, but you know enough to work and get a network, they're not going to know any of that, and other teams will know that as well; it's only just who you have. So the more depth you compromise and the more successful payments you have, the cut depends on that. So initially, for ALPHV, since they just started, it was ninety percent. So ninety percent goes to you, your team, to dole out how you want, and then ten percent goes to the administrator for building additional functions, paying, buying new cars, whatever it is. And you'll see a lot of it go like that. If you don't do well you can either get kicked out of the group or kicked down to 80, 75. But they want as many people as possible; as she said, they're advertisers, that's how they view themselves: by locking a network you're advertising for them. So

Right.

Yeah, so there actually was, in a sense, agreement with that. When you have access to these panels, normally if it's a really good victim, and if you're an affiliate that doesn't feel comfortable talking to a victim, you can just say I want administrators to handle all the communication, get the payment and then send it to me. And they can even ask questions. The administrator, if you're an affiliate and you lock this network, the administrator wants to know all these things: he wants to know the ZoomInfo, revenue, he wants to know what they are, as long as they're not a hospital, because after the DarkSide incidents they put up different rule sets, like don't lock hospitals, don't lock oil pipelines. So they moderate it before you can even lock it. There's mistakes always, but they'll also... I just lost track of that; what was your question, sorry?

Yes, so they have the ability to already see all those chats, right, and there are cases where they will jump into those chats and take over. There's a whole big... I think there's a few threads on it on Exploit about a signature that was saying how they stole all this, millions of dollars of money, through that back door using keys that were built into the locker itself. So they do; there's no honor model they use, and they do actually hijack each other.

These guys are still doing it years later; at first, when the ransomware started, they were just new, but they'll learn, but they're still doing it. So is it, is this to avoid detection, or is there some other reason? I mean, it's honestly hard to say why, right? So having something that you know will avoid detection, right, that's great, or maybe like, oh hey, it's this cool new thing. So it really is hard to say why they do it. Obviously they shouldn't, right, because mistakes do happen, and then it's bad for business if you're not actually having to sell the key to get it decrypted. So in terms of the actual locker, would they not roll their own? In terms of why they do custom crypto through a lot of the string-type stuff: their job is to slow people like me down, make it harder for me to figure out what the hell is going on with their ransomware, or understand what's going on, or write those detections. So having those unique string obfuscation crypto algorithms, having any sort of unique obfuscation, yeah, it takes longer to do.

As long as they protect the key? Yeah, I mean, in terms of the actual hardcore crypto to actually encrypt the files, yes, absolutely. The string encryption, stuff like that, that's never really real encryption; that doesn't actually matter. So there are those two parts of it, but yeah, they should totally use actual crypto with the protected key, that's proven. But the second question is on the key generation itself, inputs... so I'm not a deep crypto expert; you might have to ask one of them.

So I would say logging would be more useful for figuring out what they had access to, what they could have accessed, exfiltrated; did they have any network connectivity, did they exfiltrate anything. So it's really more of the "oh, something has happened, what did happen," you know, did they query any databases, things like that, if it makes sense.

I can actually add to your first question a little bit, for an example of why they do it. So we said that they're advertisers, as they like to put it. LockBit, if you go to their site on their public blog, they say we're the fastest locker out there, and it's because they only do a certain amount of locking per file. So of course you're the fastest if you only lock a megabyte worth of data. And then the second aspect to that is you have to realize who these people are. A lot of them are extremely arrogant; they drive fast cars, have a lot of retail or real estate. They think they are better than you; they think that your best practices are nine-to-five practices, but they can do better than you. So they feel confident in rolling that. Well, they want fast and sick while they just use... tonight, why do they lock corporations?

That if you know the plaintext, that crypto file and the number wouldn't know what it was; it is also easier to break into a bible in your own party, some of the research.

Anybody else? All right, say nothing. Thank you guys so much. [Applause]