Different servers carrying ShadowSyndicate's SSH fingerprint were used as C2 servers for Sliver, an open-source penetration testing framework written in Go; for IcedID, a Trojan that a number of ransomware gangs have lately used as a malware dropper; for Meterpreter, the implant from the Metasploit penetration testing framework; and for Matanbuchus, a Malware-as-a-Service (MaaS) loader that may also be used to deploy payloads.
In fact, there may even be a connection between some of these. For instance, IcedID has been used to deploy Cobalt Strike implants before. It has also been used in connection with the Karakurt, RansomEXX, Black Basta, Nokoyawa, Quantum, REvil, Xingteam, and Conti ransomware families.
A successful ransomware affiliate
The researchers said they are fairly confident that ShadowSyndicate is not a hosting service because the servers were located in 13 different countries — with Panama being the favorite — and across different networks belonging to different organizations.
The researchers found strong connections between ShadowSyndicate and attacks with Quantum (September 2022), Nokoyawa (October 2022, November 2022, and March 2023) and ALPHV (aka BlackCat) ransomware in February 2023. Weaker connections were found with Royal, Cl0p and Play ransomware.
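The clustering the researchers describe rests on one observable: several hosts presenting the same SSH host key, and therefore the same fingerprint, even though they sit in different countries and networks. The following is an added example, not code from the article or from Group-IB, showing how a defender can reproduce that check over their own scan data: it computes the OpenSSH-style `SHA256:` fingerprint of a public-key line, groups hosts that share a key, and flags hosts whose fingerprint appears on a watchlist. The host-key lines, IP addresses and the watchlist entry are constructed placeholders (the article does not publish the actual fingerprint), and the helper `_ed25519_key_line` exists only to build that test data.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ed25519_key_line(fill_byte: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a constant
    32-byte placeholder. Constructed test data only; not a real or observed key."""
    key_type = b"ssh-ed25519"
    key_bytes = bytes([fill_byte]) * 32
    # OpenSSH wire format: uint32 length + type string, uint32 length + key bytes.
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


def ssh_fingerprint(key_line: str) -> str:
    """Return the fingerprint OpenSSH prints for a public-key line:
    'SHA256:' + unpadded base64 of the SHA-256 digest of the raw key blob."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    declared_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    # The blob embeds its own key type; refuse lines where it disagrees with
    # the declared type, which indicates a corrupted or tampered record.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode(errors="replace") != declared_type:
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(host_keys: dict) -> dict:
    """Map each fingerprint to the sorted list of hosts presenting that key.
    A fingerprint shared across unrelated networks is the signal to investigate."""
    clusters = defaultdict(list)
    for host, line in host_keys.items():
        clusters[ssh_fingerprint(line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


def match_watchlist(host_keys: dict, watchlist: dict) -> dict:
    """Return {host: fingerprint} for hosts whose fingerprint is on the watchlist."""
    hits = {}
    for host, line in host_keys.items():
        fp = ssh_fingerprint(line)
        if fp in watchlist:
            hits[host] = fp
    return hits


# Constructed scan results: two hosts share one placeholder key, a third differs.
# Addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_HOST_KEYS = {
    "203.0.113.10": _ed25519_key_line(0x01, "scan-2023-09"),
    "198.51.100.7": _ed25519_key_line(0x01, "scan-2023-09"),
    "192.0.2.44": _ed25519_key_line(0x02, "scan-2023-09"),
}

# Placeholder watchlist keyed by fingerprint; a real one would hold the
# fingerprint published by the threat-intel source, with its label.
WATCHLIST = {ssh_fingerprint(SAMPLE_HOST_KEYS["203.0.113.10"]): "placeholder-cluster"}


if __name__ == "__main__":
    for fp, hosts in cluster_by_fingerprint(SAMPLE_HOST_KEYS).items():
        print(f"{fp}  {len(hosts)} host(s): {', '.join(hosts)}")
    for host, fp in match_watchlist(SAMPLE_HOST_KEYS, WATCHLIST).items():
        print(f"WATCHLIST HIT {host} -> {WATCHLIST[fp]}")
```

The fingerprint format matches what `ssh-keygen -lf` prints, so values taken from a vendor report can be compared directly against the output of this script once the scan data is loaded in place of `SAMPLE_HOST_KEYS`. Note that a shared host key proves a shared origin (a cloned image or a copied key), not a shared operator, which is why the article's attribution also leans on what was deployed on those servers.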
“While checking List A servers using Group-IB data sources, we established that some servers were mapped as Ryuk, Conti, and Trickbot,” the researchers said. “However, these criminal groups no longer exist. Ryuk ceased to exist at the end of 2021, while Conti and Trickbot (which are linked) went dormant at the beginning of 2022. Researchers believe that former members of these groups could be continuing their criminal activity using the same infrastructure, but they may now operate individually or in other criminal groups.”
There is a possibility that ShadowSyndicate is an initial access broker, a type of threat actor that compromises systems and sells the access gained to other cybercriminals, including ransomware gangs. However, the researchers believe it is more likely that the group is actually an independent affiliate working for multiple RaaS operations.