DarkSide Affiliate Hacks Surveillance System Provider and Infects Windows App

Cybersecurity experts from Mandiant report that a hacker group previously associated with the DarkSide ransomware gang has breached the website of an unnamed surveillance system provider and infected its official Windows application with malware.

The attack began on May 18 and continued until early June, when Mandiant specialists discovered the malicious software and notified the affected company. The malware was hidden inside a custom version of the Dahua SmartPSS application for Windows, which the unnamed surveillance system provider distributed to its clients for configuration and management purposes.

According to reports, the trojanized version of the application infected victims’ machines with the SMOKEDHAM backdoor.

Attack Details

Although the DarkSide ransomware group announced it was shutting down last month following the high-profile attack on Colonial Pipeline, Mandiant researchers have linked the surveillance system provider breach to one of DarkSide’s three main affiliate groups, tracked by the company as UNC2465.

Analysts say that these DarkSide “affiliate groups,” known by the codenames UNC2628, UNC2659, and UNC2465, have carried out attacks on corporate networks and then deployed ransomware rented from the DarkSide authors. Once victims paid the ransom, the affiliates received 85% of the payment and moved on to new targets.

The connection to UNC2465 in this latest incident was established thanks to the use of SMOKEDHAM, which until now had only been seen in UNC2465 campaigns. While this particular attack did not result in the deployment of DarkSide or any other ransomware on the victim’s network, researchers warn that the attackers may attempt further actions soon.
