UNC2465, DARKSIDE Affiliate's Supply Chain Software Compromise

Security Alert
Published June 17, 2021

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk.

Malware and Tools

SMOKEDHAM
Cobalt Strike
Ngrok – S0508

MITRE ATT&CK Techniques

T1003 – OS Credential Dumping
T1012 – Query Registry
T1027 – Obfuscated Files or Information
T1033 – System Owner/User Discovery
T1078 – Valid Accounts
T1082 – System Information Discovery
T1098 – Account Manipulation
T1102 – Web Service
T1105 – Ingress Tool Transfer
T1112 – Modify Registry
T1113 – Screen Capture
T1136 – Create Account
T1140 – Deobfuscate/Decode Files or Information
T1189 – Drive-by Compromise
T1195 – Supply Chain Compromise
T1204 – User Execution
T1219 – Remote Access Software
T1486 – Data Encrypted for Impact
T1531 – Account Access Removal
T1560 – Archive Collected Data
T1566 – Phishing
T1572 – Protocol Tunneling
T1021.004 – SSH
T1021.005 – VNC
T1053.005 – Scheduled Task
T1553.002 – Code Signing
T1056.001 – Keylogging
T1059.001 – PowerShell
T1059.005 – Visual Basic
T1070.006 – Timestomp
T1071.001 – Web Protocols
T1090.004 – Domain Fronting
T1218.005 – Mshta
T1547.001 – Registry Run Keys / Startup Folder
T1562.004 – Disable or Modify System Firewall
T1573.002 – Asymmetric Cryptography
T1588.003 – Code Signing Certificates
T1588.004 – Digital Certificates
T1608.003 – Install Digital Certificate
T1195.002 – Compromise Software Supply Chain
T1003.001 – LSASS Memory
T1547.004 – Winlogon Helper DLL
T1547.009 – Shortcut Modification
