Other servers carrying ShadowSyndicate’s SSH fingerprint were used as C2 servers for Sliver, an open-source penetration testing tool written in Go; for IcedID, a Trojan that multiple ransomware gangs have dropped onto victims in recent years; for Meterpreter, the implant from the Metasploit penetration testing framework; and for Matanbuchus, a Malware-as-a-Service (MaaS) loader used to deploy further payloads.
In fact, there might even be a connection between some of these. For example, IcedID has been used to deploy Cobalt Strike implants before. It has also been used in connection with the Karakurt, RansomEXX, Black Basta, Nokoyawa, Quantum, REvil, Xingteam, and Conti ransomware families.
A successful ransomware affiliate
The researchers said they are fairly confident that ShadowSyndicate is not a hosting service because the servers were located in 13 different countries — with Panama being the favorite — and across different networks belonging to different organizations.
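The pivot the researchers describe is an infrastructure-clustering one: compute the SSH host-key fingerprint of each server in an inventory, group servers by fingerprint, and look at how many countries and networks a shared fingerprint spans. A single hosting provider tends to cluster in one network, whereas one operator re-deploying the same host key across many providers does not. The script below is an added illustration of that reasoning and is not Group-IB's tooling; the host keys are synthetic ed25519-shaped blobs, the addresses are RFC 5737 documentation ranges, and the country/ASN labels are constructed.

```python
import base64
import hashlib
import struct
from collections import Counter, defaultdict


def ssh_wire_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_hostkey(seed: int) -> str:
    """Build a syntactically valid 'ssh-ed25519 <base64>' line from deterministic filler.

    The 32-byte key material is a hash of a label, not a real key; it only needs
    to have the right shape for fingerprinting (constructed test data).
    """
    pub = hashlib.sha256(b"constructed-hostkey-%d" % seed).digest()
    blob = ssh_wire_string(b"ssh-ed25519") + ssh_wire_string(pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(hostkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    _, b64, *_ = hostkey_line.split()
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed inventory: one host key reused across five servers in four countries
# and five networks, plus two unrelated servers with their own keys.
SHARED_KEY = make_ed25519_hostkey(1)
INVENTORY = [
    {"ip": "192.0.2.10", "country": "PA", "asn": "AS64496", "hostkey": SHARED_KEY},
    {"ip": "192.0.2.11", "country": "PA", "asn": "AS64497", "hostkey": SHARED_KEY},
    {"ip": "198.51.100.20", "country": "NL", "asn": "AS64498", "hostkey": SHARED_KEY},
    {"ip": "198.51.100.21", "country": "US", "asn": "AS64499", "hostkey": SHARED_KEY},
    {"ip": "203.0.113.30", "country": "DE", "asn": "AS64500", "hostkey": SHARED_KEY},
    {"ip": "203.0.113.31", "country": "FR", "asn": "AS64501", "hostkey": make_ed25519_hostkey(2)},
    {"ip": "203.0.113.32", "country": "GB", "asn": "AS64502", "hostkey": make_ed25519_hostkey(3)},
]


def cluster_by_fingerprint(inventory):
    """Group inventory records by the SHA256 fingerprint of their SSH host key."""
    clusters = defaultdict(list)
    for rec in inventory:
        clusters[fingerprint(rec["hostkey"])].append(rec)
    return clusters


def summarize(clusters, min_size=2):
    """For every fingerprint shared by at least min_size hosts, report how many
    hosts, distinct countries and distinct ASNs it spans, plus the most common
    country. High country/ASN diversity behind one key argues against a single
    hosting provider and for one operator deploying the same key everywhere."""
    summary = {}
    for fp, recs in clusters.items():
        if len(recs) < min_size:
            continue
        summary[fp] = {
            "hosts": len(recs),
            "countries": len({r["country"] for r in recs}),
            "asns": len({r["asn"] for r in recs}),
            "top_country": Counter(r["country"] for r in recs).most_common(1)[0][0],
        }
    return summary


if __name__ == "__main__":
    for fp, stats in summarize(cluster_by_fingerprint(INVENTORY)).items():
        print(fp, stats)
```

On real data the inventory would come from a scan dataset that records host keys (the country and ASN would come from geolocation and routing lookups), and the interesting rows are exactly the ones where a single fingerprint spans many ASNs; a fingerprint confined to one provider's ranges is the hosting-service case the researchers ruled out.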
The researchers have found strong connections between ShadowSyndicate and attacks with Quantum (September 2022), Nokoyawa (October 2022, November 2022, and March 2023) and ALPHV (aka BlackCat) ransomware in February 2023. Weaker connections were found with Royal, Cl0p and Play ransomware.
“While checking List A servers using Group-IB data sources, we established that some servers were mapped as Ryuk, Conti, and Trickbot,” the researchers said. “However, these criminal groups no longer exist. Ryuk ceased to exist at the end of 2021, while Conti and Trickbot (which are connected) went dormant at the beginning of 2022. Researchers believe that former members of these groups could be continuing with their criminal activity using the same infrastructure, but they might now operate individually or in other criminal groups.”
There is a possibility that ShadowSyndicate is an initial access broker, a type of threat actor that compromises systems and sells the access gained to other cybercriminals, including ransomware gangs. However, the researchers believe it’s more likely that the group is actually an independent affiliate working for multiple RaaS operations.