17 June 2021

DarkSide affiliates shift to software supply chain attacks


A hacker group, believed to be one of the affiliates of the DarkSide ransomware group, targeted at least one victim via a malicious software installer downloaded from a legitimate website, Mandiant revealed.

Tracked as UNC2465, the group compromised the website of a CCTV camera vendor and planted malware in the Dahua SmartPSS Windows app, software used to manage security surveillance devices, which the company provided to its customers. The CCTV camera vendor’s website was breached on May 18, and the intrusion lasted until early June, when the malware was detected, Mandiant said.

According to the researchers, UNC2465 likely trojanized two software install packages on a CCTV security camera provider’s website and gained access to potential victims through an unsuspecting user in the affected organization who followed the malicious link and downloaded the ZIP file.

“Upon installing the software, a chain of downloads and scripts were executed, leading to SMOKEDHAM and later NGROK on the victim’s computer. Additional malware use such as BEACON, and lateral movement also occurred. Mandiant believes the Trojanized software was available from May 18, 2021, through June 8, 2021,” Mandiant explained.

The security firm linked the breach of the CCTV vendor’s official website to UNC2465 based on the use of SMOKEDHAM, a backdoor trojan previously observed only in UNC2465 attacks.

While the ransomware was not involved in this case, Mandiant believes that “affiliate groups that have conducted DarkSide intrusions may use multiple ransomware affiliate programs and can switch between them at will.”

“Ransomware groups continue to adapt and pursue opportunistic access to victims. UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection,” the company said.

“While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or VPN appliance exploitation, monitoring on endpoints is often overlooked or left to traditional antivirus. A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.”

