Pierluigi Paganini June 17, 2021

UNC2465 cybercrime group that is affiliated with the Darkside ransomware gang has infected with malware the website of a CCTV camera vendor.

An affiliate of the Darkside ransomware gang, tracked as UNC2465, has conducted a supply chain attack against a CCTV vendor, Mandiant researchers discovered. UNC2465 is considered one of the main affiliated of the DARKSIDE group, along with other affiliates gangs tracked by FireEye/Mandiant as UNC2628 and UNC2659.

The crooks compromised the website of the vendor and implanted malicious code in a Windows application, a custom version of the Dahua SmartPSS Windows app, that the company provides to its customers to control their security feeds.

“The intrusion that is detailed in this post began on May 18, 2021, which occurred days after the publicly reported shutdown of the overall DARKSIDE program (Mandiant Advantage background). While no ransomware was observed here, Mandiant believes that affiliate groups that have conducted DARKSIDE intrusions may use multiple ransomware affiliate programs and can switch between them at will.” reads the analysis published by Mandiant.

“Sometime in May 2021 or earlier, UNC2465 likely Trojanized two software install packages on a CCTV security camera provider website.”

The website was first breached on May 18 and hackers remained within the organizations until early June when Mandiant researchers spotted the supply chain attack.

The tainted app was used by attackers to deliver a version of the .NET SMOKEDHAM backdoor, which supports keylogging, taking screenshots, and executing arbitrary commands on the infected systems.

“Mandiant Consulting observed the Trojanized installer downloaded on a Windows workstation after the user visited a legitimate site that the victim organization had used before.” continues the analysis. “Mandiant confirmed the user intended to download, install, and use the SmartPSS software. Figure 2 shows an image of the download page used for SmartPSS software.”

The SMOKEDHAM backdoor was associated by FireEye to the activity of the UNC2465 group that dates back to at least April 2019 and is considered a DARKSIDE RaaS affiliate.

In the documented attack, once the backdoor is deployed, UNC2465 interactively established an NGROK tunnel and performed lateral movements in less than 24 hours. After five days, the UNC2465 hackers returned and deployed additional tools such as a keylogger, Cobalt Strike BEACON, and gathered credentials via dumping LSASS memory.

Experts noticed that in this supply chain attack, UNC2465 did not deliver the Darkside ransomware as the final payload, but they not exclude that the cybercrime group could move to a new RaaS operation.

Experts recommend scanning internal networks for the SmartPSS app and search for Indicators of Compromise associated with the SMOKEDHAM backdoor.

“UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection. While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or VPN appliance exploitation, monitoring on endpoints is often overlooked or left to traditional antivirus.” concludes the report. “A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, UNC2465)

[adrotate banner=”5″]

[adrotate banner=”13″]