
More from DarkSide? We Ran an Analysis of Additional Identified Artifacts

On 14 May 2021, Analyst1 security researchers released a detailed report on the DarkSide cybercriminal gang, which is believed to be responsible for the ransomware attack on Colonial Pipeline. The report included several indicators of compromise (IoCs): 41 malware hashes, two domains, and three IP addresses.

Using these as our starting point, we sought to uncover more artifacts that could be related to the attack. The following sections show our findings.

Hash Connections

Searching for the hashes on VirusTotal and pivoting on the network activity recorded for the samples yielded three additional domains, two subdomains, and seven IP addresses. Two of the hostnames, isrg[.]trustid[.]ocsp[.]identrust.com and r3[.]o[.]lencr[.]org, are the OCSP responders of IdenTrust and Let's Encrypt; any program that validates a TLS certificate chain contacts them, so their presence in a sandbox trace says nothing about the sample and they must not be blocked. The remaining entries are listed as VirusTotal tags them, but each should be checked for shared hosting before it is treated as attacker-controlled infrastructure:

  • catsdegree[.]com
  • rumahsia[.]com
  • temisleyes[.]com
  • isrg[.]trustid[.]ocsp[.]identrust.com
  • r3[.]o[.]lencr[.]org
  • 185[.]105[.]109[.]19
  • 198[.]54[.]117[.]200
  • 198[.]54[.]117[.]198
  • 198[.]54[.]117[.]199
  • 110[.]110[.]110[.]1
  • 198[.]54[.]117[.]197
  • 72[.]21[.]81[.]240

Domain Connections

Resolving the additional domains above with a DNS lookup tool returned six further IP addresses:

  • 72[.]52[.]178[.]23
  • 99[.]83[.]154[.]118
  • 23[.]38[.]189[.]235
  • 23[.]38[.]189[.]144
  • 23[.]63[.]111[.]217
  • 23[.]63[.]111[.]227

None of these is currently tagged "malicious" on VirusTotal, but they are worth monitoring because they are what the additional malicious domains resolve to. Before blocking any of them, check how many other hostnames resolve to the same address: an address that fronts a CDN or a shared hosting platform will take legitimate sites down with it, so a domain-level block is usually the safer control, with the IP addresses kept on a watchlist.

IP Address Connections

Reverse IP/DNS lookups on the seven additional malicious IP addresses showed that one of them, 185[.]105[.]109[.]19, hosts at least 300 other domains. That points to shared hosting rather than dedicated attacker infrastructure, which makes the address itself a poor block candidate, but the domains hosted alongside the known-bad ones may be worth reviewing.
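The triage that the three sections above walk through by hand (refang the bracketed indicators, separate domains from IP addresses, set aside certificate-authority infrastructure, and decide between blocking and monitoring from reverse-IP co-hosting counts) can be scripted so that it is applied the same way to every enrichment run. The Python below is an added example, not code from this post or from WhoisXML API. The list of CA suffixes is a starter assumption, and the only co-hosting figure used is the "at least 300" reported above; the other addresses are deliberately left unknown so the script shows how it handles missing data.

```python
import ipaddress
from collections import Counter

# Starter allowlist of certificate-authority hosts (OCSP/CRL endpoints) that
# show up in sandbox network traces whenever a TLS chain is validated.
# Assumption for this example: build the real list from your own traffic.
BENIGN_PKI_SUFFIXES = ("lencr.org", "letsencrypt.org", "identrust.com")

# Indicators exactly as listed in the "Hash Connections" section (defanged).
HASH_PIVOT_IOCS = [
    "catsdegree[.]com", "rumahsia[.]com", "temisleyes[.]com",
    "isrg[.]trustid[.]ocsp[.]identrust.com", "r3[.]o[.]lencr[.]org",
    "185[.]105[.]109[.]19", "198[.]54[.]117[.]200", "198[.]54[.]117[.]198",
    "198[.]54[.]117[.]199", "110[.]110[.]110[.]1", "198[.]54[.]117[.]197",
    "72[.]21[.]81[.]240",
]

# Reverse-IP results. 300 is the figure reported above for 185.105.109.19;
# the page gives no figure for the other addresses, so they stay unknown.
COHOSTED_DOMAINS = {"185.105.109.19": 300}


def refang(ioc):
    """Turn 'example[.]com' / 'hxxp://' notation back into a usable indicator."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_pki_infra(domain):
    """True for hosts under a CA suffix, e.g. r3.o.lencr.org -> lencr.org."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BENIGN_PKI_SUFFIXES)


def triage(raw_iocs, cohosted, dedicated_max=5):
    """Map each refanged indicator to a disposition string.

    Domains are blocked unless they belong to CA infrastructure. An IP address
    is blocked only when reverse-IP data shows it is (near-)dedicated; shared
    hosting or unknown co-hosting is monitored instead, to avoid collateral.
    """
    decisions = {}
    for raw in raw_iocs:
        ioc = refang(raw)
        if not is_ip(ioc):
            if is_pki_infra(ioc):
                decisions[ioc] = "ignore: CA/OCSP infrastructure, never block"
            else:
                decisions[ioc] = "block: domain"
            continue
        addr = ipaddress.ip_address(ioc)
        if not addr.is_global:
            decisions[ioc] = "ignore: non-routable address"
        elif ioc not in cohosted:
            decisions[ioc] = "monitor: co-hosting unknown, verify before blocking"
        elif cohosted[ioc] > dedicated_max:
            decisions[ioc] = (f"monitor: shared host ({cohosted[ioc]} co-hosted "
                              "domains), block by domain instead")
        else:
            decisions[ioc] = "block: dedicated host"
    return decisions


def summarize(decisions):
    """Count dispositions by their leading verb (block / monitor / ignore)."""
    return dict(Counter(d.split(":")[0] for d in decisions.values()))


if __name__ == "__main__":
    result = triage(HASH_PIVOT_IOCS, COHOSTED_DOMAINS)
    for ioc, verdict in result.items():
        print(f"{ioc:40} {verdict}")
    print(summarize(result))
```

Run as-is, the script blocks the three domains, ignores the two OCSP hosts, and leaves all seven IP addresses on monitor: the shared host because of its co-hosting count, the rest because no count is available. Feed it real reverse-IP counts and any address that turns out to be dedicated moves to the block list.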

Many of these domains consist of seemingly random alphanumeric strings, a pattern that usually points to bulk or automated registration rather than to a legitimate company. Among them, 000cryptscchb4nlamabenioc[.]xyz and 0011ucdt6e[.]com are tagged "suspicious" on VirusTotal, and 002helium[.]asia is tagged "malicious" by both VirusTotal and Threat Intelligence Platform (TIP); there may well be more.
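The "random alphanumeric" observation above can be made repeatable so that a 300-domain reverse-IP result is ranked instead of eyeballed. The Python below is an added example, not code from this post or from WhoisXML API. It scores the registrable label of each domain named on this page with a few cheap features: Shannon entropy, share of digits, length of the leading digit run, and share of vowels. The thresholds are assumptions to be tuned against a baseline of known-good domains, and the label extraction assumes a single-label public suffix such as .com or .xyz.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Domains named on this page, kept defanged as written. The three flagged by
# VirusTotal/TIP all start with a digit run, which is one of the features used.
PAGE_DOMAINS = [
    "000cryptscchb4nlamabenioc[.]xyz", "0011ucdt6e[.]com", "002helium[.]asia",
    "catsdegree[.]com", "rumahsia[.]com", "temisleyes[.]com", "r3[.]o[.]lencr[.]org",
]


def registrable_label(domain):
    """Second-level label of a (possibly defanged) hostname.

    Assumes a single-label public suffix; use a Public Suffix List library
    for suffixes such as co.uk.
    """
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; random base36 strings sit well above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def label_features(label):
    digits = sum(ch.isdigit() for ch in label)
    leading_digits = len(label) - len(label.lstrip("0123456789"))
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(digits / len(label), 3) if label else 0.0,
        "leading_digits": leading_digits,
        "vowel_ratio": round(vowel_ratio, 3),
    }


def looks_generated(label):
    """Return the list of triggered heuristics; empty means nothing suspicious.

    Thresholds are assumptions for this example, not calibrated values.
    """
    f = label_features(label)
    reasons = []
    if f["entropy"] >= 3.5:
        reasons.append("high entropy")
    if f["digit_ratio"] >= 0.3:
        reasons.append("digit-heavy")
    if f["leading_digits"] >= 2:
        reasons.append("leading digit run")
    if f["vowel_ratio"] < 0.2 and f["length"] >= 8:
        reasons.append("few vowels")
    return reasons


def score_domains(domains):
    """Map each input domain (as given) to its triggered heuristics."""
    return {d: looks_generated(registrable_label(d)) for d in domains}


if __name__ == "__main__":
    for domain, reasons in score_domains(PAGE_DOMAINS).items():
        print(f"{domain:35} {', '.join(reasons) or '-'}")
```

On this page's names the three domains VirusTotal or TIP already dislike are the only ones that trigger anything, while catsdegree, rumahsia, temisleyes and lencr pass clean. That is a sanity check, not validation: a heuristic like this is for ordering a long reverse-IP list for analyst review, never for automatic blocking.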

Note the accompanying screenshot of the site hosted on 002helium[.]asia. It is the same one hosted on catsdegree[.]com as shown in more detail in the following section.

Status of the Dangerous Web Properties

To determine whether the malicious web pages remain active, we ran the additional domains through screenshot lookups. One of them, catsdegree[.]com, currently shows what looks like a Microsoft News look-alike with a banner stating that the domain may be for sale. Such a banner is typical of a parked domain, whose content is served by a parking service rather than by whoever last operated the domain, so the page is not necessarily under the attackers' control. It could nevertheless serve as bait for a malware download, and none of its links should be followed from an unprotected host.

Rumahsia[.]com, meanwhile, has an extensive WHOIS history, with first records dating back to 2013. More recently it expired, passed the period in which the previous registrant could reclaim it, and is now available for registration again at major registrars (at least at the time of this writing). A dropped domain that still appears in blocklists or in malware configurations can be re-registered by anyone, including the original operators, so it is worth keeping on a watchlist for re-registration.

Finally, r3[.]o[.]lencr[.]org shows a blank page. That is expected: the host is the OCSP responder for Let's Encrypt's R3 intermediate certificate and answers OCSP requests rather than browser visits, which is also why it turns up in the samples' network traffic. A screenshot of the parent domain lencr[.]org shows the website of the non-profit certificate authority Let's Encrypt.


Deeper dives into ongoing campaigns using a combination of open-source and commercial tools are advisable for companies that want to improve their cybersecurity posture. Our brief enrichment of the DarkSide IoCs identified by Analyst1, for instance, uncovered further connected domains, subdomains, and IP addresses that may warrant closer observation, along with several that turned out to be benign infrastructure and should be excluded before the list is acted on.

Interested in taking deeper dives into similar threats? Maybe we can collaborate or provide you with tools that can further your research. Contact us for more information.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
