The ShadowSyndicate group (formerly known as Infra Storm) is suspected of deploying seven different ransomware families in a series of attacks spanning the past year.
Security researchers from Group-IB, working in conjunction with Bridewell and independent researcher Michael Koczwara, exposed the clandestine operations of the threat actor.
Their findings point to ShadowSyndicate’s involvement in deploying ransomware strains like Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play, which have been observed wreaking havoc in multiple breaches since July 2022.
While ShadowSyndicate’s exact role remains somewhat mysterious, researchers believe it may serve as an initial access broker (IAB). Yet, evidence also suggests that it operates as an affiliate of multiple ransomware operations.
The linchpin of this revelation was the identification of a distinct SSH fingerprint shared by 85 servers. These servers, predominantly Cobalt Strike command and control (C2) systems, served as the epicentre of ShadowSyndicate’s malevolent activities.
The SSH fingerprint was first observed on July 16, 2022, and remained active until August 2023.
ShadowSyndicate’s main weapons
The researchers deployed an arsenal of investigative tools, including the Shodan and Censys discovery engines, and harnessed various open-source intelligence (OSINT) techniques. This comprehensive approach unveiled a sprawling footprint of ShadowSyndicate’s activity.
Of particular note was identifying eight different Cobalt Strike watermarks (license keys) on the compromised servers. These Cobalt Strike servers acted as conduits for communicating with a range of ransomware strains, including Cactus, Royal, Quantum, Nokoyawa, Play, Clop, and BlackCat/ALPHV, all of which had been deployed across various victim networks.
Moreover, Cobalt Strike configurations were discovered on two servers, with one of them featuring the telltale ShadowSyndicate SSH fingerprint.
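The pivot described above, an SSH host-key fingerprint recurring across many servers and Cobalt Strike watermarks tying those servers to specific operations, is something a threat-intelligence team can reproduce on its own scan data. The following Python is an added example, not code from the article or from Group-IB, Bridewell or Michael Koczwara. It computes the OpenSSH-style SHA256 fingerprint of a host key exactly as `ssh-keygen -l` does (SHA-256 over the decoded key blob, base64 without padding), then clusters scan records by that fingerprint and reports which clusters span multiple IPs and which watermarks they carry. The scan records, host keys, IP addresses (from the TEST-NET ranges) and watermark values are all constructed for the example; the record shape is a hypothetical simplification, not the actual Shodan or Censys API schema.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def build_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-ed25519 AAAA...' public-key line from 32 raw key bytes.

    Only used here to fabricate sample host keys; real keys come from scan data.
    """
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    key_type = b"ssh-ed25519"
    # OpenSSH wire format: uint32 length-prefixed type string, then length-prefixed key bytes.
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint ('SHA256:<base64, no padding>') of a public-key line.

    The comment field is ignored, so the same key always yields the same fingerprint.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(records):
    """Group scan records (dicts with 'ip', 'host_key', 'watermark') by host-key fingerprint."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[ssh_fingerprint(rec["host_key"])].append(rec)
    return dict(clusters)


def infrastructure_overlap(records, min_hosts=2):
    """Report fingerprints seen on at least min_hosts distinct IPs, with the watermarks observed.

    A host key reused across many unrelated IPs is the kind of signal that links
    servers to one operator; watermarks then tie the cluster to specific C2 licences.
    """
    report = {}
    for fp, recs in cluster_by_fingerprint(records).items():
        ips = sorted({r["ip"] for r in recs})
        if len(ips) >= min_hosts:
            watermarks = sorted({r["watermark"] for r in recs if r.get("watermark") is not None})
            report[fp] = {"ips": ips, "watermarks": watermarks}
    return report


# Constructed sample data: three hosts share one host key, one host is unrelated.
SHARED_KEY = hashlib.sha256(b"constructed shared host key").digest()    # 32 bytes, not a real key
UNIQUE_KEY = hashlib.sha256(b"constructed unrelated host key").digest()  # 32 bytes, not a real key

SAMPLE_RECORDS = [  # watermark values 11111 / 22222 are placeholders, not real licence IDs
    {"ip": "192.0.2.10",   "host_key": build_ed25519_pubkey_line(SHARED_KEY), "watermark": 11111},
    {"ip": "192.0.2.11",   "host_key": build_ed25519_pubkey_line(SHARED_KEY), "watermark": 11111},
    {"ip": "198.51.100.7", "host_key": build_ed25519_pubkey_line(SHARED_KEY), "watermark": 22222},
    {"ip": "203.0.113.5",  "host_key": build_ed25519_pubkey_line(UNIQUE_KEY), "watermark": None},
]


if __name__ == "__main__":
    for fp, info in infrastructure_overlap(SAMPLE_RECORDS).items():
        print(f"{fp}: {len(info['ips'])} hosts {info['ips']} watermarks={info['watermarks']}")
```

On real data, `SAMPLE_RECORDS` would be replaced by host-key and C2-configuration fields pulled from a scan engine's export; the clustering logic itself does not change. Note that a shared fingerprint is a strong but not conclusive link on its own (cloned VM images also reuse host keys), which is why the researchers corroborated it with watermarks, detection dates and sleep-time settings.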
In some instances, ShadowSyndicate veered from its typical modus operandi, using the Sliver command and control framework as an alternative to Cobalt Strike.
The group’s toolkit extended further to include the IcedID malware loader, Matanbuchus MaaS loader, and the Meterpreter Metasploit payload.
Server analysis
ShadowSyndicate’s fingerprints were found on 85 servers. These servers were connected to 18 different owners, featured 22 network names, and were scattered across 13 different locations.
Delving deeper into the analysis, the researchers scrutinised Cobalt Strike command and control parameters, such as detection dates, watermarks, and sleep time settings. This revealed compelling evidence linking ShadowSyndicate to Quantum, Nokoyawa, and ALPHV/BlackCat ransomware.
Specifically, the servers were tracked back to a Quantum attack from September 2022, three Nokoyawa attacks spanning Q4 2022 and April 2023, and an ALPHV attack in February 2023.
While there was less conclusive evidence connecting ShadowSyndicate to Ryuk, Conti, Trickbot, Royal, Clop, and Play malware operations, the researchers did unearth a noteworthy link in the case of Clop.
The report indicated that at least 12 IP addresses, formerly associated with notorious ransomware operators, had been transferred to ShadowSyndicate since August 2022 and were now repurposed for Cobalt Strike. Nevertheless, establishing a high-confidence direct link between ShadowSyndicate and Clop remains an ongoing challenge.
Role as an affiliate
In their assessment, Group-IB’s intelligence experts suggest that ShadowSyndicate likely functions as an affiliate collaborating with various ransomware-as-a-service (RaaS) operations.
However, this remains a hypothesis, and the researchers need more evidence to substantiate it.
“Although we have not reached a final verdict, all the facts obtained during this joint research project suggest that the most plausible assumption is that ShadowSyndicate is an affiliate working with various RaaS,” said Group-IB.