| ShadowSyndicate | |
| --- | --- |
| Other Names | Infra Storm |
| Location | Unknown |
| Date of initial activity | 2022 |
| Suspected attribution | Unknown |
| Associated Groups | With a strong degree of confidence: Quantum, Nokoyawa, ALPHV. With a low degree of confidence: Royal, Cl0p, Cactus, and the Play ransomware group. Group-IB also found additional infrastructure overlaps connecting ShadowSyndicate to TrickBot, Ryuk/Conti, FIN7, and TrueBot. |
| Motivation | Financial gain |
| Associated tools | Cobalt Strike, Sliver, IcedID, Matanbuchus, Meterpreter |
| Active | Yes |
Overview
In July 2022, ShadowSyndicate was uncovered using at least seven distinct ransomware families, including Royal, Cl0p, Cactus, and Play. This Ransomware-as-a-Service (RaaS) entity employs a diverse array of tools in its operations, such as Cobalt Strike, Sliver, IcedID, Matanbuchus, and Meterpreter, giving it penetration-testing frameworks, banking Trojan functionality, and backdoor access.
Furthermore, their infrastructure was found to have ties with Cl0p/Truebot, indicating a broader network of cybercriminal activity. ShadowSyndicate’s involvement extends beyond ransomware, with connections to Quantum ransomware in September 2022, Nokoyawa ransomware in October & November 2022 and March 2023, and ALPHV activity in February 2023. This underscores the group’s versatility and breadth within the cyber threat landscape.
Common targets
Individuals and organizations worldwide.
Attack Vectors
ShadowSyndicate’s alliances suggest a degree of sophistication and coordination, underscoring the actor’s potential to exert influence and cause damage within the broader threat landscape.
How they operate
The threat actor uses the same Secure Shell (SSH) host key fingerprint on many servers. The SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d, which is connected to various potentially malicious servers, was detected by multiple researchers. Between July 2022 and September 2023 it was observed on 85 servers (by IP address), and most of them (at least 52) were tagged as Cobalt Strike C2.
Researchers have noted that ShadowSyndicate’s servers are not all owned by the same entity. This rules out the earlier hypothesis that ShadowSyndicate is simply a hosting provider that installed the same SSH key on its own servers. Upon further investigation, it was discovered that 18 distinct server owners are involved.
A majority of the servers (23) are located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3).
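Hunting for the kind of host-key reuse described above, as an added example that is not from the page or its sources: it computes the MD5 host-key fingerprint the same way `ssh-keygen -l -E md5` does, clusters scan records by fingerprint, and reports fingerprints shared across several hosts or present on a watchlist. The scan records, TEST-NET IP addresses and key material are constructed for the demo; only the watchlisted fingerprint is the value reported on the page.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# ShadowSyndicate host-key fingerprint reported by Group-IB (value from the page).
WATCHLIST = {"1ca4cbac895fc3bd12417b77fc6ed31d"}

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: u32 length + bytes

def make_ed25519_pubkey(seed: bytes) -> str:
    """Build a syntactically valid 'ssh-ed25519 <base64>' line. The 32 bytes of
    key material are CONSTRUCTED from the seed for the demo, not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint_md5(pubkey_line: str) -> str:
    """MD5 host-key fingerprint as 32 lowercase hex chars: the output of
    `ssh-keygen -l -E md5` with the colons removed (MD5 over the decoded blob)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():  # declared type must match the blob
        raise ValueError("declared key type does not match key blob")
    return hashlib.md5(blob).hexdigest()

def cluster_by_fingerprint(records):
    """Group (ip, pubkey_line) scan records: fingerprint -> sorted list of IPs."""
    clusters = defaultdict(set)
    for ip, key in records:
        clusters[fingerprint_md5(key)].add(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}

def reused_fingerprints(clusters, min_hosts=2):
    """Fingerprints present on at least min_hosts distinct IPs: the reuse signal."""
    return {fp: ips for fp, ips in clusters.items() if len(ips) >= min_hosts}

def watchlist_hits(clusters, watchlist=WATCHLIST):
    """Clusters whose fingerprint appears on the watchlist."""
    return {fp: clusters[fp] for fp in watchlist if fp in clusters}

# Constructed scan sample (TEST-NET addresses): two hosts share key A, one has key B.
KEY_A = make_ed25519_pubkey(b"constructed-key-A")
KEY_B = make_ed25519_pubkey(b"constructed-key-B")
SCAN = [("192.0.2.10", KEY_A), ("192.0.2.11", KEY_A), ("192.0.2.12", KEY_B)]

if __name__ == "__main__":  # stand-alone run: shared keys and watchlist matches
    found = cluster_by_fingerprint(SCAN)
    print(reused_fingerprints(found), watchlist_hits(found) or "no watchlist hits")
```

On real data, feed the function the `ssh-ed25519`/`ssh-rsa` key lines collected by an internet scanner or from `ssh-keyscan` output, one record per host.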
“Out of the 149 IP addresses that we linked to Cl0p ransomware affiliates, we have seen, since August 2022, 12 IP addresses from 4 different clusters changed ownership to ShadowSyndicate, which suggests that there is some potential sharing of infrastructure between these groups,” the researchers said.
In its attacks, ShadowSyndicate used an “off-the-shelf” toolkit, including Cobalt Strike, IcedID, and Sliver malware.
In the ransomware ecosystem, affiliates are the hackers that break into organizations and deploy a ransomware program in exchange for a large part of the ransom that victims pay. The ransomware developers usually provide the malware builder and infrastructure such as the data leak site and the ransom negotiation site. They also handle the negotiation with victims and take care of the payment infrastructure. However, they don’t do the hacking and malware deployment themselves.
“Although we have not reached a final verdict, all the facts obtained during this joint research project suggest that the most plausible assumption is that ShadowSyndicate is an affiliate working with various RaaS,” the researchers said.
References:
- Dusting for fingerprints: ShadowSyndicate, a new RaaS player?
- Hackers exploit Aiohttp bug to find vulnerable networks