Different servers with ShadowSyndicate’s SSH fingerprint have been used as C2 servers for Sliver, an open-source penetration testing software written in Go; for IcedID, a Trojan that has been used as malware dropped by a number of ransomware gangs in recent times; for Meterpreter, the implant from the Metasploit penetration testing framework; and for Matanbuchus, a Malware-as-a-Service (MaaS) loader that may also be used to deploy payloads.
In fact, there may even be a connection between a few of these. For instance, IcedID has been used to deploy Cobalt Strike implants before. It has also been used in connection with the Karakurt, RansomEXX, Black Basta, Nokoyawa, Quantum, REvil, Xingteam, and Conti ransomware families.
A successful ransomware affiliate
The researchers said they are fairly confident that ShadowSyndicate is not a hosting service, because the servers were located in 13 different countries (with Panama being the favorite) and across different networks belonging to different organizations.
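The pivot underlying this research is that unrelated hosts presenting the same SSH host key share one fingerprint. The following is an added example (not Group-IB's code) that computes OpenSSH-style SHA256 fingerprints from known_hosts-style scan lines and groups hosts that share one; the keys and addresses are constructed placeholders, not real ShadowSyndicate indicators.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Encode an SSH public-key blob as RFC 4253 strings: key type, then key data."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return ssh_string(key_type.encode()) + ssh_string(raw_key)


def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(known_hosts_lines):
    """Return {fingerprint: [hosts]} for fingerprints seen on more than one host."""
    clusters = defaultdict(list)
    for line in known_hosts_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _key_type, key_b64 = line.split()[:3]
        clusters[ssh_fingerprint(key_b64)].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items() if len(hosts) > 1}


# Constructed sample keys: placeholder 32-byte ed25519 public keys, not real data.
_SHARED_KEY = base64.b64encode(ssh_key_blob("ssh-ed25519", bytes(range(32)))).decode()
_OTHER_KEY = base64.b64encode(ssh_key_blob("ssh-ed25519", bytes(range(32, 64)))).decode()

# Constructed scan output in known_hosts layout: host, key type, base64 key.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, documentation-range addresses",
    f"203.0.113.10 ssh-ed25519 {_SHARED_KEY}",
    f"198.51.100.7 ssh-ed25519 {_OTHER_KEY}",
    f"192.0.2.45 ssh-ed25519 {_SHARED_KEY}",
]

if __name__ == "__main__":
    for fp, hosts in cluster_by_fingerprint(SAMPLE_KNOWN_HOSTS).items():
        print(fp, "shared by", ", ".join(hosts))
```

A shared fingerprint across hosts in different networks is a lead for further enrichment, not proof of a common operator on its own, since reused images and cloned VMs also produce one.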
The researchers have found strong connections between ShadowSyndicate and attacks with Quantum (September 2022), Nokoyawa (October 2022, November 2022, and March 2023) and ALPHV (aka BlackCat) ransomware in February 2023. Weaker connections were found with Royal, Cl0p and Play ransomware.
“While checking List A servers using Group-IB data sources, we established that some servers were mapped as Ryuk, Conti, and Trickbot,” the researchers said. “However, these criminal groups no longer exist. Ryuk ceased to exist at the end of 2021, while Conti and Trickbot (which are linked) went dormant at the beginning of 2022. Researchers believe that former members of these groups could be continuing their criminal activity using the same infrastructure, but they may now operate individually or in other criminal groups.”
There is a possibility that ShadowSyndicate is an initial access broker, a type of threat actor that compromises systems and sells the access gained to other cybercriminals, including ransomware gangs. However, the researchers believe it is more likely that the group is actually an independent affiliate working for multiple RaaS operations.