Deep Dive into Darkside Ransomware



The recent cyberattack threatened the entire fuel supply infrastructure of the US east coast and came with a huge ransom demand. The Colonial Pipeline, which supplies fuel to the US east coast, is over 5,500 miles long and can carry 3 million barrels of fuel per day between Texas and New York. It is operated by Colonial Pipeline Company, which is headquartered in Alpharetta, Georgia.

The attackers targeted an unpatched vulnerability, successfully compromised the infrastructure and forced its operations offline.

Ransomware has become the new trend of 2021: it is now common for attackers to take over an organisation's infrastructure, encrypt it and demand a huge ransom. According to a recent statistic from Check Point Research:

“The ransomware attacks around the globe have gone up by 102 percent in 2021 compared to 2020. Further, the statistics reveal that India is the most impacted country with 213 weekly ransomware attacks per organization which is 17 percent up from the beginning of the year.”

Who Are Darkside

An unidentified Eastern European hacker group that typically operates a RaaS (Ransomware as a Service) model. It officially started in August 2020, and the group has taken responsibility for the recent Colonial Pipeline attack, demanding nearly $90 million in bitcoin.


The attackers actively exploited the two CVEs listed below to gain a foothold inside the environment:

  1. CVE-2019-5544

OpenSLP, as used in ESXi and the Horizon DaaS appliances, has a heap-overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range, with a maximum CVSSv3 base score of 9.4.

  2. CVE-2020-3992

OpenSLP, as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG), has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service, resulting in remote code execution.


ATT&CK Techniques

The techniques and tools listed below were observed during the attack:

Initial Access:

  1. Phishing
  2. External Remote Access


  1. Cobalt Strike
  2. PsExec
  3. SystemBC

Defence Evasion:

  1. Powertool64
  2. PCHunter
  3. GMER


  1. ADRecon
  2. ADFind
  3. NetScan
  4. IP Scanner


  1. Windows\sys32\net.exe
  2. GPO
  3. Scheduled Tasks

Lateral movement:

  1. PsExec
  2. RDP
  3. SSH


  2. PuTTY
  3. Rclone
  4. 7-Zip


  1. Wwife[.]exe [Ransomware]
  2. azure_update[.]exe

Command & Control:

  1. Plink
  2. AnyDesk
  3. Cobalt Strike



| Indicator | Description |
|---|---|
| 173.234.155[.]208 | Login Source |
| Ngrok | Utility |
| 81.91.177[.]54:7234 | Remote Access |
| koliz[.]xyz | File Hosting |
| los-web[.]xyz | EMPIRE C2 |
| sol-doc[.]xyz | Malicious Infrastructure |
| hxxp://sol-doc[.]xyz/sol/ID-482875588 | Downloader URL |
| 6c9cda97d945ffb1b63fd6aabcb6e1a8 | Downloader LNK |
| 7c8553c74c135d6e91736291c8558ea8 | VBS Launcher |
| 104.193.252[.]197:443 | BEACON C2 |
| 162.244.81[.]253:443 | BEACON C2 |
| 185.180.197[.]86:443 | BEACON C2 |
| athaliaoriginals[.]com | BEACON C2 |
| lagrom[.]com | BEACON C2 |
| ctxinit.azureedge[.]net | BEACON C2 |
| 45.77.64[.]111 | Login Source |
| 181ab725468cc1a8f28883a95034e17d | BEACON Sample |
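As an added example (not part of the original article), a small Python checker that takes the network indicators from the table above in their defanged form, refangs them, and scans log lines for hits; the sample log lines are constructed, and the matching rules (port dropped, subdomains of a C2 domain counted, IP addresses matched only as whole addresses) are my own assumptions.

```python
import re

# Network indicators from the table above, kept defanged exactly as published
# (file hashes are left out: they are matched against file inventories, not log text).
DEFANGED_IOCS: dict[str, str] = {
    "173.234.155[.]208": "Login Source",
    "81.91.177[.]54:7234": "Remote Access",
    "koliz[.]xyz": "File Hosting",
    "los-web[.]xyz": "EMPIRE C2",
    "sol-doc[.]xyz": "Malicious Infrastructure",
    "hxxp://sol-doc[.]xyz/sol/ID-482875588": "Downloader URL",
    "104.193.252[.]197:443": "BEACON C2",
    "162.244.81[.]253:443": "BEACON C2",
    "185.180.197[.]86:443": "BEACON C2",
    "athaliaoriginals[.]com": "BEACON C2",
    "lagrom[.]com": "BEACON C2",
    "ctxinit.azureedge[.]net": "BEACON C2",
    "45.77.64[.]111": "Login Source",
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")

def _pattern(ioc: str) -> re.Pattern:
    real = refang(ioc)
    if real.startswith("http"):
        return re.compile(re.escape(real))      # full URL: exact match
    host = re.sub(r":\d+$", "", real)           # drop the port: any contact with the host counts
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    # An IP must stand alone (145.77.64.111 is not 45.77.64.111); a domain may follow a '.'
    # so that subdomains of a known C2 domain are caught too (assumed matching rule).
    before = r"(?<![\w.-])" if is_ip else r"(?<![\w-])"
    return re.compile(before + re.escape(host) + r"(?![\w-])")

COMPILED = [(ioc, role, _pattern(ioc)) for ioc, role in DEFANGED_IOCS.items()]

def scan_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line number, defanged IOC, role) for every indicator seen in the lines."""
    hits = []
    for i, line in enumerate(lines):
        for ioc, role, pat in COMPILED:
            if pat.search(line):
                hits.append((i, ioc, role))
    return hits

# Constructed sample log lines (not real telemetry); line 3 is a deliberate near-miss.
SAMPLE_LOG = [
    "2021-05-08T03:12:44Z proxy allow 10.0.4.21 -> http://sol-doc.xyz/sol/ID-482875588 GET",
    "2021-05-08T03:13:02Z fw allow 10.0.4.21 -> 104.193.252.197:443 TCP",
    "2021-05-08T03:14:10Z dns query cdn.lagrom.com from 10.0.4.21",
    "2021-05-08T03:15:00Z fw allow 10.0.4.22 -> 145.77.64.111:443 TCP",
    "2021-05-08T03:16:31Z vpn login success from 173.234.155.208 user=svc_backup",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 0, 1, 2 and 4 and leaves the near-miss on line 3 alone.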

