A previously undocumented cybercrime group has built a collection of over 80 command-and-control (C2) servers for malware implants over the past two years. The gang, which researchers have now dubbed ShadowSyndicate, is believed to be either an initial access broker or an affiliate working with multiple ransomware-as-a-service (RaaS) operations.

“It’s incredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections with a large number of malicious servers,” researchers from cybercrime investigations firm Group-IB said in a report.

“In total, we found ShadowSyndicate’s SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility.”

Group-IB analysts partnered with researcher Joshua Penny from European MSSP Bridewell and independent malware researcher Michael Koczwara to investigate all the connections they found and try to determine what ShadowSyndicate is: a server host that deploys servers with the same SSH fingerprint, a DevOps engineer for threat actors, a bulletproof hosting service for cybercriminals, an initial access broker, or a RaaS affiliate.

Connections to various remote access implants

More than 50 servers of those found to have ShadowSyndicate’s SSH fingerprint were used as C2 servers for Cobalt Strike implants. Cobalt Strike is a commercial penetration testing tool that is normally sold under license, but it has become a favorite with many groups of attackers who use cracked versions.

Every Cobalt Strike implant normally has a watermark that is normally associated with a unique license key, but the cracked versions used by attackers have custom watermarks such as 12345. Among the ShadowSyndicate-operated servers, the researchers found Cobalt Strike watermarks that were previously associated with attacks that resulted in the deployment of Royal, Cactus, Quantum, and Nokoyawa ransomware families.

Other servers with ShadowSyndicate’s SSH fingerprint were used as C2 servers for Sliver, an open-source penetration testing tool written in Go; for IcedID, a Trojan that has been used as malware dropped by multiple ransomware gangs in recent years; for Meterpreter, the implant from the Metasploit penetration testing framework; and for Matanbuchus, a Malware-as-a-Service (MaaS) loader that can also be used to deploy payloads.

In fact, there might even be a connection between some of these. For example, IcedID has been used to deploy Cobalt Strike implants before. It has also been used in connection with the Karakurt, RansomEXX, Black Basta, Nokoyawa, Quantum, REvil, Xingteam, and Conti ransomware families.

A successful ransomware affiliate

The researchers said they are fairly confident that ShadowSyndicate is not a hosting service because the servers were located in 13 different countries — with Panama being the favorite — and across different networks belonging to different organizations.

The researchers have found strong connections between ShadowSyndicate and attacks with Quantum (September 2022), Nokoyawa (October 2022, November 2022, and March 2023) and ALPHV (aka BlackCat) ransomware in February 2023. Weaker connections were found with Royal, Cl0p and Play ransomware.

“While checking List A servers using Group-IB data sources, we established that some servers were mapped as Ryuk, Conti, and Trickbot,” the researchers said. “However, these criminal groups no longer exist. Ryuk ceased to exist at the end of 2021, while Conti and Trickbot (which are connected) went dormant at the beginning of 2022. Researchers believe that former members of these groups could be continuing with their criminal activity using the same infrastructure, but they might now operate individually or in other criminal groups.”

There is a possibility that ShadowSyndicate is an initial access broker, a type of threat actor that compromises systems and sells the access gained to other cybercriminals, including ransomware gangs. However, the researchers believe it’s more likely that the group is actually an independent affiliate working for multiple RaaS operations.

In the ransomware ecosystem, affiliates are the hackers that break into organizations and deploy a ransomware program in exchange for a large part of the ransom that victims pay. The ransomware developers usually provide the malware builder and infrastructure such as the data leak site and the ransom negotiation site. They also handle the negotiation with victims and take care of the payment infrastructure. However, they don’t do the hacking and malware deployment themselves.

“Although we have not reached a final verdict, all the facts obtained during this joint research project suggest that the most plausible assumption is that ShadowSyndicate is an affiliate working with various RaaS,” the researchers said.