More from DarkSide? We Ran an Analysis of Additional Identified Artifacts

This article has been indexed from CircleID: Cybercrime

On 14 May 2021, Analyst1 security researchers released a detailed report on the DarkSide cybercriminal gang, which is believed to be responsible for the ransomware attack on Colonial Pipeline. The report included several indicators of compromise (IoCs): 41 malware hashes, two domains, and three IP addresses.

Using these as our starting point, we sought to uncover further artifacts that could be related to the attack. The sections below show our findings.

Hash Connections

Looking the hashes up on VirusTotal and following their relations (the domains and IP addresses the samples contacted or were fetched from) gave us three additional malicious domains, two subdomains, and seven malicious IP addresses:

  • catsdegree[.]com
  • rumahsia[.]com
  • temisleyes[.]com
  • isrg[.]trustid[.]ocsp[.]identrust[.]com
  • r3[.]o[.]lencr[.]org
  • 185[.]105[.]109[.]19
  • 198[.]54[.]117[.]200
  • 198[.]54[.]117[.]198
  • 198[.]54[.]117[.]199
  • 110[.]110[.]110[.]1
  • 198[.]54[.]117[.]197
  • 72[.]21[.]81[.]240

One caveat on the two subdomains: r3[.]o[.]lencr[.]org is the OCSP responder for Let's Encrypt's R3 intermediate, and isrg[.]trustid[.]ocsp[.]identrust[.]com is the OCSP responder for the IdenTrust cross-sign of the ISRG root. Any program that opens a TLS connection may contact them during certificate validation, so they appear in sandbox-derived relations for benign and malicious files alike. They are not DarkSide infrastructure and should not be blocked; treat them as noise in the pivot rather than as indicators.

Domain Connections

Resolving the additional domains above with a DNS lookup tool gave us six more IP addresses, namely:

  • 72[.]52[.]178[.]23
  • 99[.]83[.]154[.]118
  • 23[.]38[.]189[.]235
  • 23[.]38[.]189[.]144
  • 23[.]63[.]111[.]217
  • 23[.]63[.]111[.]227

While none of these is currently tagged “malicious” on VirusTotal, the systems they identify may be worth monitoring, since the malicious domains we identified resolve to them. Blocking them may also be advisable, but check first whether an address belongs to a shared hosting or CDN provider: blocking a shared address cuts off every tenant behind it, and in that case the domain, not the IP address, is the better block target.

IP Address Connections

Running reverse IP/DNS searches on the seven additional malicious IP addresses also showed that one address (185[.]105[.]109[.]19) hosts at least 300 other domains. That is characteristic of shared infrastructure, which makes the address itself a weak indicator, but the co-hosted domains may still be worth monitoring.

In fact, many of these domains consist of seemingly random alphanumeric strings, which is typical of algorithmically generated or throwaway registrations rather than of a legitimate company. The connected domains 000cryptscchb4nlamabenioc[.]xyz and 0011ucdt6e[.]com are tagged “suspicious” on VirusTotal, and there could be more. The related domain 002he
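The pivot described above (refang the published indicators, separate domains from IP addresses, set aside certificate-validation hosts that any TLS client contacts, group addresses by /24 to spot shared ranges, and flag random-looking labels) as an added Python example that is not part of the original article or of the Analyst1 report. The indicator list is copied from the text above; the allowlist of OCSP hosts, the /24 grouping and the length-plus-digits heuristic for random-looking labels are the editor's assumptions, not something the article publishes.

```python
import ipaddress
import math
import re
from collections import defaultdict

# Indicators as published in the article, in defanged form. The two OCSP
# responders are kept on purpose so the allowlist below has something to catch;
# the last two entries are the "suspicious" domains named in the text.
DEFANGED_IOCS = [
    "catsdegree[.]com",
    "rumahsia[.]com",
    "temisleyes[.]com",
    "isrg[.]trustid[.]ocsp[.]identrust[.]com",
    "r3[.]o[.]lencr[.]org",
    "185[.]105[.]109[.]19",
    "198[.]54[.]117[.]200",
    "198[.]54[.]117[.]198",
    "198[.]54[.]117[.]199",
    "110[.]110[.]110[.]1",
    "198[.]54[.]117[.]197",
    "72[.]21[.]81[.]240",
    "000cryptscchb4nlamabenioc[.]xyz",
    "0011ucdt6e[.]com",
]

# Hosts that any TLS client may touch during certificate validation. Their
# presence in a sandbox report says nothing about the sample and they must not
# be blocked. (Assumption: this small allowlist is the editor's, not the article's.)
BENIGN_SUFFIXES = ("lencr.org", "identrust.com", "letsencrypt.org")


def refang(ioc):
    """Turn 'example[.]com' / 'hxxp://' back into a usable indicator."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http")


def classify(ioc):
    """'ip' for an IPv4/IPv6 literal, 'domain' for anything else."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def is_benign_infra(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label; reported as a score."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n)
                for c in {ch: label.count(ch) for ch in set(label)}.values())


def looks_random(domain):
    """Flag a second-level label that is long and mixes letters with digits,
    the pattern the article points at. Thresholds are an assumption."""
    sld = domain.split(".")[-2]
    digits = sum(ch.isdigit() for ch in sld)
    letters = sum(ch.isalpha() for ch in sld)
    return len(sld) >= 8 and digits >= 1 and letters >= 1


def triage(defanged):
    """Split a defanged indicator list into what to pivot on, what to ignore,
    what to eyeball, and which IPs share a /24 (a hint of shared hosting)."""
    result = {"pivot_domains": [], "benign_infra": [], "random_looking": [],
              "ip_by_slash24": defaultdict(list)}
    for host in (refang(i) for i in defanged):
        if classify(host) == "ip":
            net = str(ipaddress.ip_network(host + "/24", strict=False))
            result["ip_by_slash24"][net].append(host)
        elif is_benign_infra(host):
            result["benign_infra"].append(host)
        else:
            result["pivot_domains"].append(host)
            if looks_random(host):
                result["random_looking"].append(host)
    result["ip_by_slash24"] = dict(result["ip_by_slash24"])
    return result


if __name__ == "__main__":
    for key, value in triage(DEFANGED_IOCS).items():
        print(key, value)
```

Feed `pivot_domains` to the DNS and reverse-IP lookups the article describes, drop `benign_infra` from any blocklist, and treat a /24 that collects several hits (here 198[.]54[.]117[.]0/24 holds four of the seven addresses) as a sign that you are looking at a hosting range rather than dedicated attacker infrastructure.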

[…]

Read the original article: More from DarkSide? We Ran an Analysis of Additional Identified Artifacts
