Trend Micro -
To date, we have found fifteen onion addresses used by at least four different servers, and three others still unknown.
Onion Address Server w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd[.]onion A accdknc4nmu4t5hclb6q6kjm2u7u5xdzjnewut2up2rlcfqe5lootlqd[.]onion A c6zkofycoumltpmm6zpyfadkuddpmlqk6vyd3orrfjgtq3vrgyifl6yd[.]onion A 3klsbd4dwj3yqgo4xpogfgwqkljbnbdxjryeqks2cjion5jj33wvkqyd.onion B yk7erwdvj4vxcgiq3gmcufkben4bk4ixddl5j2xvu7gurtdq754jmiad.onion B z4cn6lpet4y4r6mdlbpklpcrjdruwb6kiuvxn6gsiuoub23z6prlx6ad.onion B ibih5znjxf2cqgo737xmooyvmxhac45wd4rivh6n5hd7fysn42g3fayd.onion B ikrah6fb4e6r2raxkyvyoxp22jam5z6ak5ajfnzxutmassoagvr2bhad.onion B hceesrsg6f5p4gcph4j6jv6vl4mkmaik735oz4r45lgjfyedsxfoprad.onion B qfgh2lpslhjb33z3wsenmqrxcdragelinvcpowlgkbjca6yig5zloeyd.onion B x4mjvffmytkw3hyu.onion C tpze4yo74m6qflef.onion D evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion Unknown 1 xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion Unknown 2 zckdr5wmbzxphoem77diqb2ome2a54o23jl2msz3kmotjlpdnjhmn6yd.onion Unknown 3
Table 1. The onion addresses used by the different servers
And here is how they relate to the group:
Server XingLocker AstroLocker Team A x B x x C x x D x Unknown 1 x Unknown 2 x Unknown 3 x
Table 2. The different servers in relation to XingLocker and AstroLocker Team
While this is not a sophisticated innovation, it is important to highlight that ransomware groups are looking for new ways to run their affiliate programs and RaaS businesses. This form of shared infrastructure and code can make things harder from an investigative point of view. It is not uncommon to find XingLocker samples detected as Mount Locker, or identify two different onion addresses pointing to the same onion service but used by different groups. Investigators should be aware of