Full Report
A sprawling network of fake AI, VPN, and crypto software download sites is being used by the "Dark Partner" threat actors to conduct crypto theft attacks worldwide. [...]
Analysis Summary
# Threat Actor: Dark Partners
## Attribution & Identity
The threat actor group is identified as **Dark Partners**. They are a cybercrime gang known for large-scale cryptocurrency heists. They are associated with the use of **PayDay Loader** and **Poseidon Stealer**.
## Activity Summary
Dark Partners is actively conducting large-scale cryptocurrency heists. The primary activity detailed involves the deployment of custom malware, specifically PayDay Loader (used for initial access/delivery) and Poseidon Stealer (used for exfiltrating cryptocurrency wallet data). The actor utilizes code signing certificates for their Windows malware builds, though the specific certificates analyzed were found to be invalid at the time of the analysis. The campaigns involve complex persistence mechanisms leveraging hidden virtual hard disks.
## Tactics, Techniques & Procedures
- **Delivery/Execution:** Utilizes an Electron-based application to deliver infostealers.
- **Defense Evasion:** Implements an anti-sandbox module that checks for common process names related to security analysis tools and terminates if detected.
- **Command and Control (C2):** Retrieves C2 server addresses from a Google Calendar link via an obfuscated function.
- **Persistence:** Establishes complex persistence by running a PowerShell script at every logon. This script mounts a Virtual Hard Disk (VHD) hidden inside an NTFS Alternate Data Stream (`setting.json:disk.vhd`), executes a file from the mounted volume, and then unmounts the VHD to remove traces.
- **Collection:** The Poseidon Stealer module is capable of exfiltrating data from 76 cryptocurrency wallets and desktop applications.
- **Digital Signature Forgery:** Likely purchases and utilizes code signing certificates for Windows malware builds.
*(MITRE ATT&CK IDs were not explicitly provided in the text for these specific TTPs, only a general link reference to a Red Report.)*
## Targeting
- **Sectors:** Cryptocurrency finance/holders (inferred from the nature of crypto heists and wallet targeting).
- **Geography:** Not explicitly mentioned in the provided text.
- **Victims:** Entities or individuals holding cryptocurrency wallets targeted for data exfiltration. One related group, **Crazy Evil**, is mentioned separately as using social engineering for crypto wallet draining.
## Tools & Infrastructure
- **Malware Families Used:**
  - **PayDay Loader:** Used for delivery and facilitating execution.
  - **Poseidon Stealer:** A NodeJS-based module capable of stealing cryptocurrency wallet data.
- **Infrastructure:**
  - **C2 Retrieval Method:** Google Calendar links (used to hide C2 addresses).
  - **Landing Pages:** Nearly 250 domains were identified for landing pages.
  - **Persistence Artifact:** A Virtual Hard Disk (`disk.vhd`) hidden within an NTFS Alternate Data Stream named `setting.json:disk.vhd`.
## Implications
Dark Partners represents a significant financially motivated threat actor capable of executing sophisticated, large-scale crypto heists. Their use of legitimate-looking artifacts such as code signing certificates and complex persistence mechanisms (hiding payloads in VHDs mounted via PowerShell scripts) makes detection challenging. The reliance on stolen wallet data suggests a deep focus on financial theft rather than general espionage or ransomware.
## Mitigations
- Implement enhanced monitoring for unusual PowerShell execution, especially scripts invoking VHD mounting/unmounting operations.
- Scrutinize processes for anomalies related to Electron-based applications delivering potentially malicious payloads.
- Employ robust application allow-listing to prevent the execution of unknown files from dynamic mounts.
- Enhance visibility into NTFS Alternate Data Streams, as they are used to hide persistence modules.
- Continuously monitor for indicators related to PayDay Loader and Poseidon Stealer, including C2 domains associated with calendar lookups.
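The following PowerShell hunt script is an added example written for this summary; it is not code from the report or from any tool it names. It turns the persistence TTP and the PowerShell/ADS mitigations above into two concrete checks: it enumerates NTFS alternate data streams under user-writable directories and flags any that are named like a disk image, are unusually large, or carry the VHD (`conectix`) or VHDX (`vhdxfile`) signature, and it searches PowerShell Script Block Logging events (ID 4104) for blocks that mount or dismount a disk image from an ADS path such as `setting.json:disk.vhd`. The scan roots, lookback window, size threshold and stream-name heuristics are the script's own assumptions, not values from the report.

```powershell
# Added defender hunt script; not part of the report or of any named tool.
# Looks for (1) a VHD/VHDX hidden in an NTFS alternate data stream and
# (2) PowerShell script blocks that mount/dismount a disk image from an ADS.
# Scan roots, lookback window, size threshold and name heuristics are assumptions.
[CmdletBinding()]
param(
    [string[]]$ScanRoot = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData),
    [int]$LookbackHours = 24,
    [int]$MinSuspiciousBytes = 1MB
)

# VHD images carry the ASCII cookie "conectix" in their 512-byte footer (dynamic
# images also mirror it at offset 0); VHDX images begin with "vhdxfile".
$VhdCookies = @('conectix', 'vhdxfile')

function Get-StreamSignature {
    # Returns the first 8 and the last 512 bytes' leading 8 bytes of a stream as
    # ASCII, so the cookie can be matched without reading a multi-GB stream.
    param([string]$StreamPath)
    $fs = [System.IO.FileStream]::new($StreamPath, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 8
        [void]$fs.Read($buf, 0, 8)
        $head = [System.Text.Encoding]::ASCII.GetString($buf)
        $tail = ''
        if ($fs.Length -ge 512) {
            [void]$fs.Seek(-512, 'End')
            [void]$fs.Read($buf, 0, 8)
            $tail = [System.Text.Encoding]::ASCII.GetString($buf)
        }
        return $head + $tail
    } finally { $fs.Dispose() }
}

function Find-HiddenDiskImages {
    param([string[]]$Root, [int]$MinBytes)
    foreach ($r in $Root) {
        if (-not ($r -and (Test-Path -LiteralPath $r))) { continue }
        Get-ChildItem -LiteralPath $r -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $path = "$($file.FullName):$($_.Stream)"
                $reasons = @()
                if ($_.Stream -match '\.vhdx?$') { $reasons += 'stream name looks like a disk image' }
                if ($_.Length -ge $MinBytes)     { $reasons += "stream is $($_.Length) bytes" }
                try {
                    $sig = Get-StreamSignature -StreamPath $path
                    foreach ($c in $VhdCookies) {
                        if ($sig.Contains($c)) { $reasons += "found '$c' cookie" }
                    }
                } catch { }   # unreadable stream: keep whatever was already flagged
                if ($reasons) {
                    [pscustomobject]@{ Artifact = 'ADS'; Path = $path; Reason = ($reasons -join '; ') }
                }
            }
        }
    }
}

function Find-DiskImageMountScriptBlocks {
    param([int]$Hours)
    # Requires PowerShell Script Block Logging (event 4104) to be enabled.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text   = [string]$_.Properties[2].Value                    # ScriptBlockText
        $mounts = $text -match '(?i)\b(Mount|Dismount)-(DiskImage|VHD)\b'
        # An ADS reference such as setting.json:disk.vhd; a drive letter followed by
        # a backslash path does not match because '\' is excluded after the colon.
        $adsRef = $text -match '(?i)[^\s"''<>|]+:[\w.-]+\.vhdx?\b'
        if ($mounts -and $adsRef) {
            [pscustomobject]@{
                Artifact = 'ScriptBlock'
                Path     = $_.Properties[4].Value                    # script path, if logged
                Reason   = "$($_.TimeCreated): mounts a disk image from an ADS (block $($_.Properties[3].Value))"
            }
        }
    }
}

$findings = @(Find-HiddenDiskImages -Root $ScanRoot -MinBytes $MinSuspiciousBytes) +
            @(Find-DiskImageMountScriptBlocks -Hours $LookbackHours)
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No ADS-hidden disk images or disk-image mount script blocks found.' }
```

Run it elevated so the Operational log and other users' profiles are readable, and pass `-ScanRoot` to widen the sweep. Script Block Logging is off by default and is enabled through Group Policy under Administrative Templates, Windows Components, Windows PowerShell, "Turn on PowerShell Script Block Logging"; without it the second check returns nothing. For continuous coverage rather than point-in-time hunting, Sysmon event ID 15 (FileCreateStreamHash) records alternate data stream creation and gives the same ADS visibility the mitigations call for.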