This article has been indexed from CircleID: Cybercrime
On 14 May 2021, Analyst1 security researchers released a detailed report on the DarkSide cybercriminal gang, which is believed to be responsible for the ransomware attack targeting the Colonial Pipeline. The report included several indicators of compromise (IoCs), specifically 41 malware hashes, two domains, and three IP addresses.
Using these as our starting point, we sought to uncover more artifacts that could be related to the cyber attack. The following sections show our findings.
Hash Connections
Searching VirusTotal for the hashes surfaced three additional malicious domains, two malicious subdomains, and seven malicious IP addresses, which include:
Domain Connections
Querying the additional domains above on a DNS lookup tool gave us an additional six IP addresses, namely:
While none of these are currently tagged “malicious” on VirusTotal, the systems that they identify may be worth monitoring as the IP addresses resolve to the additional malicious domains we identified. Blocking their access to networks may also be advisable.
IP Address Connections
We also discovered from running reverse IP/DNS searches on the seven additional malicious IP addresses that one address (185[.]105[.]109[.]19) is connected to at least 300 other domains. While this is indicative of shared infrastructure, those domains may also be worth monitoring.
In fact, many of these domains consisted of seemingly random alphanumeric strings, which may indicate that they are illegitimate or do not belong to a legitimate company. The connected domains 000cryptscchb4nlamabenioc[.]xyz and 0011ucdt6e[.]com are tagged “suspicious” on VirusTotal, and there could be more. The related domain 002he
[…]
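The triage the article performs by hand, written up here as an added Python example (not code from the article or from Analyst1): it refangs the `[.]` notation, separates IP addresses to block from domains to monitor, and flags the random-looking labels the last section describes. The thresholds in `looks_random` and the `www[.]example[.]com` control entry are assumptions made for this example.

```python
import ipaddress
import re

# Indicators quoted in the article, in the defanged "[.]" notation it uses,
# plus one constructed benign domain as a control (not from the article).
DEFANGED_IOCS = [
    "185[.]105[.]109[.]19",
    "000cryptscchb4nlamabenioc[.]xyz",
    "0011ucdt6e[.]com",
    "www[.]example[.]com",  # constructed control
]

VOWELS = set("aeiou")


def refang(ioc: str) -> str:
    """Turn the defanged notation ("[.]", "hxxp") back into a usable value."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def kind(ioc: str) -> str:
    """'ip' for an IPv4/IPv6 literal, 'domain' for anything else."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def looks_random(domain: str) -> bool:
    """Heuristic for the 'random alphanumeric' names the article describes.

    Scores the second-level label (a rough stand-in for the registrable part)
    on digit share, vowel share and the longest consonant run. The thresholds
    are assumptions chosen for this example, not an established standard.
    """
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 6:
        return False  # too short to judge
    digit_share = sum(ch.isdigit() for ch in label) / len(label)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_share = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    longest_run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return digit_share >= 0.3 or vowel_share <= 0.3 or longest_run >= 5


def triage(defanged: list[str]) -> dict[str, list[str]]:
    """Split indicators into the block/watch lists the article recommends."""
    report = {"block_ips": [], "watch_domains": [], "random_looking": []}
    for raw in defanged:
        ioc = refang(raw)
        if kind(ioc) == "ip":
            report["block_ips"].append(ioc)
        else:
            report["watch_domains"].append(ioc)
            if looks_random(ioc):
                report["random_looking"].append(ioc)
    return report


if __name__ == "__main__":
    for key, values in triage(DEFANGED_IOCS).items():
        print(f"{key}: {values}")
```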
Content was cut in order to protect the source. Please visit the source for the rest of the article.