External Blogs

CARBON SPIDER Embraces Big Game Hunting, Part 2

In 2020, CARBON SPIDER began conducting big game hunting (BGH) ransomware campaigns with PINCHY SPIDER’s REvil before introducing Darkside. The adversary later opened up Darkside to affiliates through a ransomware-as-a-service (RaaS) program, allowing other actors to use the ransomware while paying CARBON SPIDER a portion of the received ransom.

The first part of this two-part blog series explored CARBON SPIDER’s initial BGH campaigns in depth. This blog discusses the Darkside ransomware incident at U.S. oil pipeline system Colonial Pipeline in May 2021 and how CARBON SPIDER responded to fallout from this event. Despite the termination of the Darkside program, the adversary continued malware distribution campaigns and subsequently introduced the BlackMatter RaaS. Due to numerous technical overlaps with Darkside, BlackMatter is attributed to CARBON SPIDER.

CARBON SPIDER Embraces Big Game Hunting, Part 1

Throughout 2020, CARBON SPIDER dramatically overhauled their operations. In April 2020, the adversary abruptly shifted from narrow campaigns focused entirely on companies operating point-of-sale (POS) devices to broad, indiscriminate operations that attempted to infect very many victims across all sectors. The goal of these campaigns was to conduct big game hunting (BGH) operations using PINCHY SPIDER’s REvil ransomware.

CARBON SPIDER deepened their commitment to BGH in August 2020 by using their own ransomware, Darkside. In November 2020, the adversary took another step into the world of BGH by establishing a ransomware-as-a-service (RaaS) affiliate program for Darkside, allowing other actors to use the ransomware while paying CARBON SPIDER a portion of the ransom received.

Part One of this two-part blog series details how CrowdStrike Intelligence attributed Darkside to CARBON SPIDER. Part Two will look at CARBON SPIDER’s re-emergence after the Colonial Pipeline attack, which led to the shutdown of Darkside RaaS and the creation of BlackMatter RaaS.

Double Trouble: Ransomware with Data Leak Extortion

The most prominent eCrime trend observed so far in 2020 is big game hunting (BGH) actors stealing and leaking victim data in order to force ransom payments and, in some cases, demand two ransoms. Data extortion is not a new tactic for criminal adversaries; however, when BGH operations don’t result in payment, victims now face a double-headed threat of ensuring their data does not make it into the hands of others.

Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks.

FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks

In this blog post we detailed a newly discovered RTF document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in phishing campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms.

CryptXXX Technical Deep Dive

Analysis of the CryptXXX in which I found cryptographic flaws which allowed its decryption based on an insecure seed value.

H1N1: Technical analysis reveals new capabilities

Two part blog on the H1N1 malware.