Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time. In present day security operations, threat hunting initiatives have become a standard part of mature security programs, but few organizations have managed to establish the expertise and methodology to conduct these types of hunts with internal resources.

In this series, we will take a look at the components that make up well-known threat hunting methodologies, the evolution that reflects the growing need to proactively seek out and mitigate security threats rather than solely relying on reactive, manual measures, and some new adaptive approaches to conducting automated, wide ranging hunt capabilities.

Threat hunting, after all, involves implementing innovative methods of continuous monitoring and analysis of real-world activities to uncover hidden threats, making it an essential aspect of modern cybersecurity that should leverage every aspect of process, technology, and people available to defenders.

Traditional Methodologies

The approach advocated by threat hunting pioneers in the last decade emphasizes proactive cybersecurity practices. It involves the systematic and continuous search for hidden threats and anomalies within an organization’s environment, aiming to detect and mitigate potential breaches before they can cause damage.

In most cybersecurity practices, a robust approach involves utilizing a range of advanced tools. These tools encompass intrusion detection systems (IDS), Security Information and Event Management (SIEM) platforms, Endpoint Protection, Detection, & Response platforms (EPP/EDR), as well as threat intelligence feeds and security service providers. However, the effective application of these tools and services requires the expertise of seasoned cybersecurity professionals and highly tuned, effective tooling.

Experience allows security teams to leverage their knowledge, intuition, and subject matter expertise to interpret data and discern nuanced threats within logs, packets, flows, and trace activities. Some key elements found in traditional methodologies which deliver acceptable results but need to be constantly revisited and enhanced include:

• Structured Methodology: important for identifying anomalies and potential threats in network traffic, endpoint telemetry, and system logs.
• Continuous Monitoring: Real-time monitoring of network and system activities to detect suspicious or unusual behavior (security monitoring).
• Hypothesis-Driven Analysis: Develop hypotheses about potential threats based on known attack patterns, trends, or indicators, then investigate these hypotheses to confirm or refute their suspicions (threat modeling).
• Data Analysis: Scrutinizing large volumes of data, including network traffic logs, system logs, security controls’ logs, and other relevant data sources, to uncover indicators of compromise (analysis at scale).
• Configuration analysis: Hunting for misconfigured devices, including incorrect policies, overreaching access, endpoints without installed security controls, etc. (system hardening).
• Internal hunting: Identifying sensitive data, misconfigurations, plain text passwords, tokens stored or passed inappropriately, unauthorized access to critical systems, and abuse of user identities and service accounts (insider and environmental threats).
• External hunting: Focused on identifying instances of data, credentials leaks  and/or malware/hacking discovery using third party services such as VirusTotal, Shodan, Dark Web searches, and external surface scanning (external threat).

A crucial aspect of being successful in cybersecurity is the team’s adaptability to the ever-evolving threat landscapes. Security teams must consistently refine their methodologies and remain updated on emerging threats and evolving attack techniques.

Equally important is fostering collaboration among various security teams, including network security, incident response, SOC/SOAR, vulnerability management, and threat intelligence teams. By sharing insights and findings, these teams collectively enhance their ability to protect against cyber threats effectively.

On the Hunt | SolarWinds SERV-U Vulnerability

Thanks to our WatchTower threat hunting team we can see an example of valuable threat hunting based on traditional methodologies when we take a look at the timeline and story of how exploiting the SolarWinds SERV-U Vulnerability was proven to be connected to the download, decryption, and execution of Cobalt Strike. This proves that a structured methodology supported with data analysis at scale and focused threat hunting can be successful in identifying exploitation of known vulnerabilities with traditional attack methods.

1. In July 2021, SolarWinds released an advisory on Serv-U version 15.2.3. Microsoft stated that this CVE was used in limited, targeted attacks. After just a few days CISA also released an advisory that this vulnerability may allow a remote attacker to take control of an infected system even though it had not been identified performing such activities in the wild.

   

2. Using Deep Visibility queries and Vigilance MDR analyst investigation, the SentinelOne WatchTower threat hunting team spotted abuse of the Solarwinds Serv-U vulnerability in an educational institution exhibiting anomalous behaviors such as spawning unusual child processes.
   
3. The vulnerable Serv-U secure FTP launched the command prompt and powershell interface to connect to a remote C2 IP of http://179[.]60[.]150[.]32/login. The C2 IP address was live and served the next level of encoded commands as of August 26, to further decrypt and execute Cobalt Strike in memory.
   
4. The SentinelOne Agent successfully blocked and mitigated this attack before it could infect the target machine. Afterwards, it kicked off remediation and patching activities that likely should have been performed before the vulnerability was ever exploited.
5. The idea is that a modern futuristic paradigm to threat hunting should get ahead of these types of threats and show attempts before they are able to get even this far.

Modern Futuristic Paradigm

The vision of a modern and futuristic threat hunting paradigm involves leveraging advanced technologies and methodologies to enhance security operations and stay ahead of cyber threats. In this paradigm, threat hunting becomes a central focus of Security Operations Centers (SOCs) augmented by service providers and threat experts. Internal and external teams continually conduct research on known and emerging threats, vulnerabilities, and attack techniques for attribution and correlation. This research is then operationalized to proactively identify potential threats and vulnerabilities within an organization’s environment.

Automation plays a pivotal role in this vision. Routine and repetitive tasks are automated to free up security analysts’ time for more strategic activities. Automation can include the automatic collection and analysis of threat intelligence, the correlation of security events, extraction of indicators of compromise (IoCs), and the orchestration of incident response workflows.

Adapting to Changing Security Threats

Adaptive threat hunting is a dynamic approach to proactive anomaly discovery that evolves alongside the ever-changing threat landscape. It recognizes that threats can emerge from various sources, and it goes beyond traditional threat hunting by incorporating offensive inputs, novel research, and a range of hunting strategies.

Threat hunting should include new and real time strategies that address emerging threats in the present; Retroactive hunts, which delve into historical data for hidden threats; Artifact-based searches, which examine digital traces left by attackers; and performing Hunts of Hunts, which involves identification of the overarching strategies and tactics employed by adversaries based on chained detections, with a multi-directional approach for threat attribution.

By embracing these adaptable methods, organizations can strengthen their security postures and better protect against a diverse array of threats. Over this series of blogs we will introduce a modern approach and futuristic paradigm to threat hunting that allows us to stay ahead of the adversary and explore previous hunts analyzing the factors that made them successful. Key aspects of this vision include:

• Multi-directional Approach: Variety of techniques, data sources, and methodologies to comprehensively understand an organization’s security posture leveraging diverse telemetry, sweeps and scans, and LFO (Low Frequency of Occurrence) statistical analysis you can identify patterns in seemingly unrelated data.
• Chained Detections: Involves a sequence of automated tasks triggered by an initial detection to triage and enrich telemetry data progressively from disparate data sources. This approach is a proactive and sophisticated way to uncover and respond to complex threats and threat actors.
• AI and Machine Learning: Artificial Intelligence (AI) and Machine Learning (ML) methods and techniques are integrated into threat hunting processes. These technologies can analyze vast amounts of data, identify anomalies, and detect subtle patterns indicative of potential threats. Machine learning can identify potential threats in reams of seemingly innocuous data by autonomously formulating patterns that lead to malicious behavior, based on statistical event mapping.Generative AI threat hunting can also help security teams detect and respond to threats faster and more accurately.
• Threat Intelligence Integration: Threat hunting teams integrate internal and external intelligence feeds into their platforms. Threat intelligence platforms and Information Sharing and Analysis Centers (ISACs) facilitate the exchange of threat data and insights, enabling organizations to benefit from collective knowledge. This includes information on known threats, indicators of compromise (IoCs), and emerging attack tactics.
• Adaptive Continuous Hunting: The security posture is adaptive and responsive. Threat hunting is not a one-time event but an ongoing, adaptive process. Security controls, policies, and threat hunting strategies are continuously adjusted based on evolving threats and the organization’s risk profile.
• Incident Response Orchestration: Automated incident response orchestration and playbooks (such as those configurable in a SOAR or XDR platform) are used to streamline and accelerate response efforts. Security teams can respond to threats more effectively and consistently with predefined workflows.

A Modern Approach to Hunting

In this modern paradigm, the SOC’s role expands beyond reactive incident response to include proactive research, automated processes, and advanced technologies. There have been many attempts to tackle this problem, including Risk Based Alerting, clustering, baselining, allowlisting/denylisting, data normalization, tokenization, and additional data enrichment strategies, but there are more highly effective methods that we will continue to describe over the next few blog posts.

The goal is to create a resilient security posture capable of defending against a constantly evolving threat landscape with minimal impact on internal resources and security operations.

Akira Ransomware Campaign Highlights

Now we will show the results of a more extensive and modern hunt that yielded threat attribution and a higher level of fidelity and accuracy in identifying the risk and threat actors involved in an attack highlighting the Akira Ransomware Campaign. This was identified by our Vigilance DFIR team working closely with our WatchTower threat hunting team.

Akira ransomware operations were first observed in early 2023, with all the features and assets we expect from modern ransomware familles. This included a victim blog site, multi-platform payloads, and even a retro style branding. Once access is achieved, Akira focuses on stealing confidential documents, destroying backups, disabling security settings, and performing other nefarious activities leading to the extortion of the victim for a handsome ransom.

The following steps lay out the effectiveness of a multi-directional approach that is adaptive and leverages different sources of data intelligence to paint a full picture of a threat actor.

1. During an Akira incident we identified the group was downloading RustDesk, a remote access and remote control software available for different platforms. Notably, Akira had previously been associated with AnyDesk for persistence and C2 tasks, not the RustDesk RMM tool. It then proceeds to create services, disable the firewall, and allow remote connections from Akira operators.
   

2. Internal recon leveraged Advanced IP Scanner and NETSCAN.EXE for mapping the network along with winscp for data exfiltration. They proceeded to access and manipulate SQL databases for the purpose of mapping users, data, and environment.
   

3. The threat actor even went so far as to disable LSA (Local Security Authority) settings which help defend Windows users against credential theft by preventing untrusted code from being injected into the LSASS.exe process and disabling protections built into Windows.
   

4. While cross-referencing Akira victim blog data with Shodan data it looked like CISCO VPN gateways that belonged to targeted victim organizations were also listed. This suggests that Akira ransomware operators may be exploiting a vulnerability in Cisco VPN software to gain initial access. There is also evidence that stolen credentials acquired via IABs (Initial Access Brokers).
   

5. Detecting and blocking this ransomware at the endpoint is the last line of defense. Once a detection is made, that should then turn into actionable intelligence that leads to other investigative directions that help us anticipate attackers’ next steps.

In this case, new tactics and techniques were identified and attributed to a threat actor based on adaptive, continuous threat hunting and external threat analysis. Researching, analyzing, understanding, and hunting for this attack chain enabled our hunters to proactively hunt for similar activity and block it before it became a true threat. Subsequent hunts in other organizations allowed us to detect early and prevent many breaches.

Conclusion

The importance of creating business value through threat hunting in today’s complex and rapidly evolving cybersecurity landscape cannot be overstated. With the proliferation of AI, Cloud, SaaS, IoT, containers, growing market share of macOS, and omnipresent mobile devices, along with the challenges posed by regulated markets and remote work environments, organizations are facing a detection world that has become incredibly intricate. In response to these complexities, it makes strategic sense for many organizations to outsource advanced threat hunting and analysis to specialized security vendors to augment their own capabilities.

The reasons for this shift towards outsourcing this function to expert threat hunters as opposed to having a dedicated threat hunting team are compelling. Detection engineering has matured, and organizations are recognizing that a ‘build’ mentality often leads to playing catch-up with emerging threats. By ‘buying’ the expertise of a security vendor, organizations can leverage the vendor’s multidisciplinary team, which is exposed to new threats and tactics on a daily basis, often well ahead of in-house security teams. This proactive approach reduces the organization’s exposure to risks and accelerates threat response capabilities.

Additionally, the total cost of ownership is significantly lower with a managed service compared to maintaining a salaried internal team with limited expertise. Reliable threat hunting partners provide access to a larger pool of specialized skills as well as access to large data sets of rich telemetry across disparate endpoints and malware tactics. Internal staff can be augmented to enhance the organization’s security posture without the overhead of hiring and training more personnel. The risk of not conducting threat hunting is clear, and even with security tools that offer tremendous quantities of telemetry, it’s essential to have experts process this data to maximize its benefits, predicting the attack instead of just preventing it.

Learn More About WatchTower

For enterprises looking for a threat hunting partner to help them implement a robust methodology to stand up to emergent threats, SentinelOne’s WatchTower provides threat hunting experts equipped with the latest threat intelligence and  AI/machine learning algorithms.

Today, customers can use WatchTower to achieve real-time and retroactive detections of anomalous activity across their enterprise to proactively address evolving threats and strengthen their security posture. Learn more about what WatchTower can do for your enterprise here.

Special thanks to the entire WatchTower, Vigilance, and DFIR teams for contributions in findings, analysis, and content.

Last week saw Apple update XProtect to version 2173 with new rules for Atomic Stealer and Adload. As we have noted previously, Apple’s defenses for the Mac have been evolving of late, with increased attention on remediation and some prototype behavioral rules that appear to still be in testing mode.

However, 2023 to date has seen new approaches to compromising Macs that continue to leave macOS users at risk if organizations are not taking additional measures to defend against them.

In this post, we look at some of the major macOS malware discovered recently and detail how threat actors are adapting and evolving to ensure successful compromise when targeting Apple’s desktop platform.

Persistence No Longer a Priority for Mac Infostealers

Perhaps one of the most significant changes we’ve seen in 2023 is the multitude of macOS malware families that eschew persistence. This is especially characteristic of infostealers, which aim to achieve all their objectives in one execution – stealing the user’s admin passwords, browsing data, session cookies and keychain, and then exfiltrating these off to a remote server.

With such a haul, the attackers have no need for persistence, as they now have access to any cloud or SaaS accounts that the user had stored credentials and cookies for on their local device.

~/Library/Cookies/*.binarycookies

Chrome:  ~/Library/Application Support/Google/Chrome/Default/Cookies
Firefox: ~/Library/Application Support/Firefox/Profiles/[Profile Name]/
Slack :  ~/Library/Application Support/Slack/Cookies (file) 
	 ~/Library/Application Support/Slack/storage/*
         ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storage

Other recent malware families abjure traditional persistence mechanisms in favor of trojanizing software that they expect the user to run regularly, in effect making the user’s own behavior the means of persistence. A good example of this, as we’ll discuss further below, was the March 2023 compromise of 3CX.

With no need to schedule execution of the malware through system services, detection becomes problematic for certain kinds of security mechanisms, and Apple’s recent introduction of pushing user notifications to warn when background items are scheduled is rendered irrelevant.

Organizations Compromised Through Targeted Social Engineering

Threat actors have begun using more sophisticated social engineering techniques to compromise Mac users. Although much common malware is distributed through channels such as torrent sharing sites and third-party software download sites, threat actors looking to compromise businesses are developing highly targeted campaigns.

Earlier in 2023 we saw how RustBucket malware targeted organizations with specially crafted applications that victims were persuaded into executing as part of an elaborate social engineering scheme. Threat actors engaged victims with the promise of a business deal and shared ‘confidential’ PDF documents that could not be read by ordinary PDF viewer software.

To view the documents ‘securely’, victims were encouraged to download a ‘proprietary’ application named ‘Internal PDF Viewer’. Convinced that the software was required to maintain the secrecy of the deal, users were persuaded to override Apple’s built-in security mechanisms. The malicious PDF viewer displayed the document the victim was expecting to see but in the background downloaded and executed malware from the attacker’s C2.

Less-sophisticated but still targeted malware has also been spotted this year aiming at small businesses and freelance contractors. The macOS MetaStealer campaign targeted victims with social engineering lures like “Advertising terms of reference” and “Brief_Presentation-Task_Overview”. These files were in fact disk images containing infostealer malware disguised as PDF documents.

As with RustBucket, the aim was to incentivize users to override Apple’s macOS security mechanisms, which unfortunately means little more than convincing them to right-click a file and choose ‘open’ rather than double-clicking it.

Increased Use of Public Offensive Security Tools

Controversy has long swirled around offensive security tools in the Windows world, particularly Cobalt Strike, which has been cracked and leaked so widely that it is now a mainstay of attackers of all stripes. The same trend is now starting to be seen in the macOS malware world, too.

Projects like Geacon wrap Cobalt Strike capabilities in Go-based payloads. These have been seen embedded in fake versions of enterprise level apps like SecureLink beaconing out to C2s in China and using job resumés as decoys.

Highly-regarded open source red teaming tool Mythic and its various payloads, particularly Poseidon, for example, have also been seen in recent macOS malware campaigns.

Poseidon and Mythic function as an implant and C2 administration suite much the same way as Cobalt Strike does. With built in obfuscation and encrypted communications, Poseidon provides attackers with a powerful toolkit.

Offensive security practitioners would argue that the open source nature of the tool makes it possible for security vendors to develop detections for the tool. This is indeed true, and most 3rd party security software should be able to detect Poseidon either statically or behaviorally. However,  Apple does not appear to have taken up that offer as yet; its malware blocking service XProtect does not contain a signature to detect Poseidon payloads.

For defenders, additional security is required. Because of the nature of such tools, it can be difficult to tell when these payloads are spotted in the wild whether they are simply leaked red-teaming tools or genuine malware campaigns, but in either case detection and protection is required.

Living Off the Orchard | Built-in Tools Used for Malicious Acts

LOLBins or ‘Living-Off-the-Land’ techniques have a long history of use in malware and cyber attacks targeting other platforms. On macOS, there is an increasing recognition of such techniques, sometimes described as “living off the orchard”. Resources to help recognize these are becoming increasingly important.

In 2023, perhaps the most commonly used built-in tools are the system_profiler tool for gathering data about the local installation, sw_vers to collect the OS system version and build, and curl both for downloading and exfiltrating data. SentinelLabs has previously documented 20 of the most common macOS LOLBins.

One of the most common malware families seen throughout 2023 and over the last two years or so, Adload uses a combination of LOLBins like chmod, xattr, and ioreg to complete its tasks.

Such tools present difficulties for defenders as it makes malicious behavior more difficult to separate from legitimate behavior, precisely the reason why attackers favor using them to achieve their objectives where possible. Of course, context here is everything. Visibility into execution chains and process trees can help threat hunters understand whether such tools are being abused, while advanced EDR tools can automate detection of malicious processes that include use of LOLBins.

Abusing Open Source Software for Initial Compromise

In July 2023, malware dubbed JokerSpy was reported by several vendors though attribution remains uncertain. JokerSpy contained several components, including two python backdoors, red-teaming tool SwiftBelt and a Swift-based Mach-O that attempts to masquerade as Apple’s own XProtect malware checking service.

Analysis of these components suggests that some attacks began the infection through a trojanized QR code generator, QRLog. The malware is hidden inside a genuine QR code generator written in Java via a malicious file, QRCodeWriter.java, inserted into the legitimate project. This file first determined the host OS, then downloaded an appropriate payload that opened a reverse shell allowing the attacker access to the victim’s device.

Although it is unclear how the threat actors delivered the trojanized software to targets, JokerSpy was found in several enterprise intrusions, including a large cryptocurrency exchange.

Ensuring that Open Source software is scrutinized against a known bill of materials and that any known vulnerabilities are patched is now part of CISA’s recommendations for all federal agencies, and private organizations are following suit. OSS presents a huge attack surface on all platforms, including macOS, and threat actors will continue to find ways to abuse it to compromise valuable targets.

Protecting Payloads with Multi-Stage, Modular Malware

One of this year’s most complex supply chain attacks, the Smooth Operator campaign, which compromised downstream businesses via maliciously tampering with 3CX’s call routing software client, 3CXDesktopApp, still remains something of a mystery.

In March 2023, various initial and intermediate stages of the malware were discovered for the macOS side of the infection chain. The attackers were careful to drop multiple stages that gathered information about the victim’s environment, but the final stage – we might suspect a backdoor or reverse shell – has yet to come to light.

The known stages of the malware were built for stealth. They relied on users launching the trojanized application for persistence, only collected limited data about the host’s 3CX account, and then self-deleted after sending this information to the attacker. The known payloads do not contain any backdoor capabilities and only collect data that would not seem obviously anomalous for the 3CX application.

Clearly, the attackers went to great lengths to ensure that the resources they put into the final stage malware would not be easily burned. For defenders, this is worrying because one reason for such caution would be protecting a high-value zero-day from being exposed.

In a similar vein, the JumpCloud intrusion in July 2023 also used multiple stages for stealth and to protect late stage payloads. Researchers have attributed both campaigns to DPRK-linked threat actors with a focus on supply chain attacks that will haul in sensitive enterprise information to be used in further, more targeted intrusions. At the same time, it is believed the actors behind these campaigns are developing and sharing a variety of toolsets and that further macOS malware campaigns are inevitable.

SentinelOne Customers Protected

SentinelOne customers are protected from the malware discussed in this article. In addition, the Singularity platform provides unparalleled visibility and threat hunting capabilities to enable security teams to fully investigate and remediate threats on macOS devices.

Conclusion

While Apple continues to work on improving its own attempts to detect malware targeting the macOS platform, updates to XProtect’s YARA rules still lag significantly behind detections provided by third party solutions. For example, the Atomic Stealer rules added this week to XProtect v2173 relate to malware that have been detected in the wild by vendors for several months.

Therefore, it is highly recommended that enterprises supplement the protections offered by Apple with a security solution that uses multiple detection engines to stop both commodity malware and advanced threats.

If you would like to learn more about how SentinelOne can help protect your Mac fleet, contact us for more information or request a free demo.

In September 2023, automation and manufacturing company Johnson Controls was targeted in a ransomware attack where threat actors used Dark Angels ransomware to lock the company’s VMWare ESXi servers. SentinelOne has analyzed the binary related to this attack and found that it has considerable overlap with RagnarLocker’s ESXi version.

In this post, we present technical details of the Dark Angels ransomware, offer a comparative analysis of Dark Angels and RagnarLocker samples, and provide recommendations for security teams safeguarding ESXi servers.

Overview

RagnarLocker is a ransomware group that was active throughout 2020 to 2022, drawing attention from the United States Federal Bureau of Investigation (FBI) for targeting entities in the critical manufacturing sector.

Dark Angels is a relative newcomer first reported in 2022 for its Windows version, which was very closely linked to the leaked Babuk Windows source code. Interestingly, our analysis finds the ESXi version of Dark Angels shares no significant overlap with the leaked Babuk ESXi locker source code, which many Linux ransomware families are based on or adapted from.

Technical Details

Dark Angels (06187023d399f3f57ca16a3a8fb9bb1bdb721603) is a 64-bit Executable & Linkable Format (ELF) binary designed for Intel-based Linux systems. On execution, the program logs the encryption progress to the hardcoded log file name, wrkman.log, which is saved to the directory that the Dark Angels binary is run from.

The program requires the operator to specify a root directory for file encryption to start, which will then process any subdirectories. Dark Angels takes optional arguments, which are documented internally as dl:m:s:v.

The -m argument lets the operator specify how many encryption threads to run concurrently, which can be 10, 20, 25, 33, or 50. The -v argument enables verbose logging mode to the command line. The -l argument lets the actor specify a log file name for the progress log.

During analysis, we observed that Dark Angels wrote a ransom note for each file encrypted; normally, ransomware writes one ransom note per directory where files are processed for encryption. The ransom note naming convention is .crypted.README_TO_RESTORE.

Dark Angels uses AES with a 256-bit key to encrypt files. The encryption routine can override a locked file by obtaining the PID of the locking process, then running the kill -9 command against that PID to terminate the process. This code will only execute if the PID value is greater than 10, which prevents the binary from attempting to kill files locked by crucial, kernel-interfacing processes.

Dark Angels vs. RagnarLocker

We identified considerable similarities between the Linux version of Dark Angels and a RagnarLocker binary circa 2021, 5411d7905bef69cb16d44f52fc46aa32fd922c80. From the file metadata perspective, both binaries are roughly 150 KB in size and designed for Intel x86-64 architectures. They also share the same compiler string compilation artifact: GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-44).

Dark Angels and RagnarLocker use the same encryption mechanism (AES-256) and the same file extension, .crypted. This is notable because the Windows version of RagnarLocker uses a bespoke file extension, RGNR_. The Dark Angels Windows version uses the .crypt extension.

Both ransomware families share the same file path exclusion list, which ensures critical system files are not encrypted. Dark Angels’ extension exclusion list also includes the ransom note name, .README_TO_RESTORE, which is not present in RagnarLocker.

RagnarLocker also writes the same log file, wrkman.log. The RagnarLocker binary only takes the threading argument with the same -m flag, as outlined in its usage message.

Usage:%s [-m (10-20-25-33-50) ] Start Path

Other optional arguments seen in Dark Angels are not present in RagnarLocker.

The overlap between the two families is further solidified with analysis of a sample of Dark Angels ransomware observed in September 2022. Sample 7c2e9232127385989ba4d7847de2968595024e83 is highly similar to the 2023 Dark Angels sample 06187023d399f3f57ca16a3a8fb9bb1bdb721603 described above.

At the surface level, we see the same wrkman.log file being used and the same -m parameter supported, but that is the only argument available, other than supplying a starting path.

The .crypted extension is also used along with the previously observed README_TO_RESTORE filename.

However, the 2022 sample directs victims to a different .ONION address, qspjx67hi3heumrubqotn26cwimb6vjegiwgvrnpa6zefae2nqs6xqad[.]onion.

When this payload was first reported that address was inactive and remains so at the time of writing. In contrast, the 2023 variant directs victims to lyoevnzm3ewiq6jeyyuob2wfou7gh47yotuucsrwlf6ju3xrw43wacad[.]onion for live-chat/support and uses p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd[.]onion as the victim leak site. p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd is the historic Dark Angels Team-hosted “Dunghill Leak” site.

Also of note, the 2023 variant changed the hosting method for proof-packs (proof or evidence of leakage), using the victim(s) password-protected ufile[.]io links.

The 2022 variation uses simple, unsecured image links to image sharing service ibb[.]co.

Recommendations

Endpoints running the SentinelOne agent are protected against the Dark Angels and RagnarLocker Linux variants. Organizations can prepare for attacks from groups like Dark Angels by implementing a robust vulnerability & patch management program, as previous reports indicate the group leverages vulnerabilities to achieve initial access before pivoting deeper into the environment.

Given the lack of security software on ESXi hypervisors, consider enhanced network monitoring for unusual access to these systems, including internal system traffic. When possible, focus on large or abnormal data transfers off of the ESXi server as well as other file storage services within the network.

Conclusion

ESXi lockers continue to prove successful for the ransomware groups who use them, yet the overall pool of unique Linux ransomware families remains narrow. We assess with high confidence that these two samples are related and that the Linux version of Dark Angels is a very lightly modified, more recent version of the analyzed RagnarLocker binary.

There is a potential caveat to attributing Dark Angels as the next iteration of RagnarLocker when vendors miscategorize information or fail to thoroughly explain connections made through their analysis. For example, the RagnarLocker binary was classified as RagnarLocker by Fortinet, but listed as a Vice Society file by another vendor, Quorum Cyber.

Based on the volume of VirusTotal community comments for the RagnarLocker binary, our assessment aligns with contributions from earlier researchers.

Indicators of Compromise

It’s not everyday that an idea emerges from academia with the potential to disrupt existing approaches and technologies. That’s why S Ventures is excited about our recent investment in TileDB, a universal data platform that unifies all types of data (and associated code) along with the complex infrastructure surrounding that data into a single solution. TileDB adapts its internal structure to optimize advanced applications across virtually any data schema.

When most people think of a database, they picture a set of data organized in columns and rows that create a logical relationship, like an Excel spreadsheet that lists sales by product. The data is typically stored as text or numerical data types and users would access and filter the data with a structured query language (or SQL). With the proliferation of the internet, social media, IoT devices, and other digital platforms, the amount of unstructured data being generated is enormous. It’s estimated that unstructured data accounts for more than 80% of the data generated globally.

Unstructured data comes in many formats – from text and images to videos and sensor data. This diversity makes it challenging to process and analyze using traditional database systems. Add in the complexity of new data formats, specialized point tools for visualization, machine learning, and DevOps in a fragmented cloud-native environment (where compute and storage are separated) and it’s no wonder every enterprise has a data problem – rigid access, limited mobility, and lack of holistic governance – and spend inordinate amounts of money and effort building large data engineering teams.

The team at TileDB has an audacious vision to reclaim simplicity and performance in the face of modern challenges, starting with the most challenging use cases in geospatial, life science, and machine learning with some of the world’s most complex enterprises.

TileDB accomplishes this with a powerful, universal data structure, called the multi-dimensional array. Arrays can shape-shift to efficiently store and process any kind of data, from tables, to images, genomics, weather, graphs, key-values, point clouds, flat files and more. TileDB allows users to build, maintain and run any sophisticated ETL process, pipeline, workload or query algorithm, inside its serverless distributed computing environment. Keeping data, code and compute in a single place eliminates silos, reduces total cost of ownership and increases productivity and collaboration across teams and individuals.

Please join us in congratulating TileDB on their Series B and learn more about what they are building at tiledb.com.