Similarities have been unearthed amongst the Dridex common-reason malware and a little-regarded ransomware pressure termed Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a distinctive identify.
“The similarities are in the program packer used to conceal the ransomware code, in the malware subroutines developed to uncover and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity organization Sophos said in a report shared with The Hacker Information.
The commonalities ended up uncovered pursuing two unrelated incidents targeting an unnamed media enterprise and a regional government company. In both equally situations, the deployment of Entropy was preceded by infecting the goal networks with Cobalt Strike Beacons and Dridex, granting the attackers remote entry.
Regardless of consistency in some facets of the twin attacks, they also diversified drastically with regards to the initial access vector made use of to worm their way inside the networks, the length of time invested in just about every of the environments, and the malware employed to launch the last phase of the invasion.
The attack on the media organization made use of the ProxyShell exploit to strike a vulnerable Exchange Server with the aim of putting in a web shell that, in transform, was utilized to distribute Cobalt Strike Beacons on the network. The adversary is reported to have used four months carrying out reconnaissance and facts theft, ultimately paving the way for the ransomware attack in early December 2021.
The second attack on the regional govt business, on the other hand, was facilitated via a destructive email attachment containing the Dridex malware, employing it to deploy supplemental payloads for lateral motion.
Notably, redundant exfiltration of delicate knowledge to much more than one cloud storage provider – in the sort of compressed RAR archives – transpired in just 75 hrs right after the preliminary detection of a suspicious login attempt on a solitary device, prior to encrypting the information on the compromised computer systems.
Moreover applying reputable equipment such as AdFind, PsExec, and PsKill to carry out the attacks, the correlation between Dridex and Entropy samples with that of earlier DoppelPaymer ransomware infections has lifted the chance of a “common origin.”
Entropy Ransomware Note
It really is truly worth pointing out the web of connections involving the different parts of malware. The Dridex trojan, an facts-thieving botnet, is acknowledged to be the handiwork of a prolific Russia-centered cybercrime team known as Indrik Spider (aka Evil Corp).
DoppelPaymer is attributed to a splinter group tracked less than the moniker Doppel Spider, which leverages forked malware code designed by Indrik Spider, which includes the BitPaymer ransomware, as the foundation for its huge recreation searching functions.
In December 2019, the U.S. Treasury Department sanctioned Evil Corp and filed prison prices in opposition to two crucial customers Maksim Yakubets and Igor Turashev, in addition to saying a $5 million reward for any details leading to their arrests. A subsequent investigation by BBC in November 2021 tracked down the “alleged hackers living millionaire existence, with minimal chance of ever staying arrested.”
The e-criminal offense gang has considering the fact that cycled by way of various branding modifications to their ransomware infrastructure in the intervening yrs to get all over the sanctions, main among them getting WastedLocker, Hades, Phoenix, PayloadBIN, Grief, and Macaw. Entropy is probably the most up-to-date addition to this checklist.
That reported, it’s also attainable that the malware operators have borrowed the code, possibly to save improvement efforts or intentionally mislead attribution in what’s a phony flag procedure.
“In both of those conditions, the attackers relied upon a lack of diligence – both targets experienced vulnerable Windows techniques that lacked present-day patches and updates,” mentioned Andrew Brandt, principal researcher at Sophos. “Appropriately patched devices, like the Trade Server, would have pressured the attackers to work tougher to make their initial obtain into the organizations they penetrated.”
“A necessity to use multi-factor authentication, had it been in area, would have created further worries for unauthorized buyers to log in to all those or other machines,” Brandt added.
Discovered this report exciting? Observe THN on Fb, Twitter and LinkedIn to go through a lot more special information we post.
Some sections of this posting are sourced from: