Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain named Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name.
“The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity firm Sophos said in a report shared with The Hacker News.
The commonalities were discovered following two unrelated incidents targeting an unnamed media organization and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access.
Despite consistency in some aspects of the twin attacks, they also differed significantly with regard to the initial access vector used to get inside the networks, the length of time spent in each of the environments, and the malware used to launch the final phase of the intrusion.
The attack on the media company used the ProxyShell exploit to strike a vulnerable Exchange Server with the goal of installing a web shell that, in turn, was used to distribute Cobalt Strike Beacons on the network. The adversary is said to have spent four months conducting reconnaissance and data theft, ultimately paving the way for the ransomware attack in early December 2021.
The second attack on the regional government organization, on the other hand, was facilitated through a malicious email attachment containing the Dridex malware, using it to deploy additional payloads for lateral movement.
Notably, redundant exfiltration of sensitive data to more than one cloud storage provider – in the form of compressed RAR archives – occurred within 75 hours of the initial detection of a suspicious login attempt on a single machine, prior to encrypting the files on the compromised computers.
Besides using legitimate tools such as AdFind, PsExec, and PsKill to carry out the attacks, the correlation between Dridex and Entropy samples and those of prior DoppelPaymer ransomware infections has raised the possibility of a “common origin.”
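The chain summarised above (AdFind reconnaissance, RAR staging of data for exfiltration, PsExec lateral movement, PsKill) is made of legitimate tools, so no single process start is conclusive on its own; what a defender can alert on is several of these stages appearing on one host inside a short window. The following is an added example for illustration, not code from Sophos or The Hacker News: a small correlation rule over process-creation events of the kind Sysmon Event ID 1 provides. The stage grouping in STAGE_TOOLS, the ProcEvent record, and the sample events are all constructed for this example; the 75-hour window mirrors the timeframe reported in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


# One process-creation event, shaped like a Sysmon Event ID 1 record.
# Hypothetical record type for this example.
@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # full path of the executed binary
    cmdline: str


# Stage -> lower-case file names of the tools named in the article.
# Hypothetical grouping chosen for this example, not a Sophos signature.
STAGE_TOOLS: Dict[str, Tuple[str, ...]] = {
    "recon": ("adfind.exe",),
    "staging": ("rar.exe", "winrar.exe"),
    "lateral_movement": ("psexec.exe", "psexec64.exe", "psexesvc.exe"),
    "process_kill": ("pskill.exe",),
}


def classify(event: ProcEvent) -> Optional[str]:
    """Return the attack stage an event maps to, or None if it is of no interest."""
    name = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for stage, tools in STAGE_TOOLS.items():
        if name in tools:
            return stage
    return None


def correlate(events: List[ProcEvent],
              window: timedelta = timedelta(hours=75)) -> List[dict]:
    """Raise one alert per host on which at least two distinct stages were
    observed within `window` of each other. A lone AdFind run may be an admin
    at work; AdFind followed by RAR staging and PsExec is what to escalate."""
    by_host: Dict[str, List[Tuple[datetime, str, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev.host, []).append((ev.ts, stage, ev.cmdline))

    alerts = []
    for host, hits in by_host.items():
        best = None
        # Slide the window from each hit and keep the richest stage set.
        for i, (start, _, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - start <= window]
            stages = sorted({h[1] for h in span})
            if len(stages) >= 2 and (best is None or len(stages) > len(best["stages"])):
                best = {
                    "host": host,
                    "stages": stages,
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                    "commands": [h[2] for h in span],
                }
        if best:
            alerts.append(best)
    return alerts


# Constructed sample events; hostnames and command lines are invented and
# are not indicators from the incidents described in the article.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2021, 11, 5, 10, 0), "ADMIN-PC",
              r"C:\Tools\AdFind.exe", "adfind.exe -f objectcategory=computer"),
    ProcEvent(datetime(2021, 11, 30, 16, 0), "ADMIN-PC",
              r"C:\Tools\pskill.exe", "pskill.exe -t 4242"),
    ProcEvent(datetime(2021, 12, 1, 9, 0), "WS-01",
              r"C:\Users\Public\AdFind.exe", "adfind.exe -f objectcategory=person"),
    ProcEvent(datetime(2021, 12, 2, 14, 30), "WS-01",
              r"C:\Program Files\WinRAR\Rar.exe", "rar.exe a -r staging.rar D:\\share"),
    ProcEvent(datetime(2021, 12, 3, 22, 10), "WS-01",
              r"C:\Users\Public\PsExec.exe", "psexec.exe \\\\SRV-02 -s cmd.exe"),
    ProcEvent(datetime(2021, 12, 3, 22, 11), "SRV-02",
              r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ProcEvent(datetime(2021, 12, 3, 23, 0), "WS-01",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["stages"], alert["first_seen"], alert["last_seen"])
```

Run against the constructed events, only WS-01 alerts: three stages inside 61 hours. SRV-02 shows a single stage, and ADMIN-PC's AdFind and PsKill runs are 25 days apart, so both stay below the threshold, which is the point of correlating across stages and time rather than matching tool names alone.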
Entropy ransomware note (image)
It’s worth pointing out the web of connections between the different pieces of malware. The Dridex trojan, an information-stealing botnet, is known to be the handiwork of a prolific Russia-based cybercrime group named Indrik Spider (aka Evil Corp).
DoppelPaymer is attributed to a splinter group tracked under the moniker Doppel Spider, which leverages forked malware code developed by Indrik Spider, including the BitPaymer ransomware, as the foundation for its big game hunting operations.
In December 2019, the U.S. Treasury Department sanctioned Evil Corp and filed criminal charges against two key members, Maksim Yakubets and Igor Turashev, in addition to announcing a $5 million reward for any information leading to their arrests. A subsequent investigation by the BBC in November 2021 tracked down the “alleged hackers living millionaire lifestyles, with little prospect of ever being arrested.”
The e-crime gang has since cycled through several branding changes to its ransomware infrastructure in the intervening years to get around the sanctions, chief among them being WastedLocker, Hades, Phoenix, PayloadBIN, Grief, and Macaw. Entropy is likely the latest addition to this list.
That said, it’s also possible that the malware operators have borrowed the code, either to save development effort or to deliberately mislead attribution in what’s a false flag operation.
“In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates,” said Andrew Brandt, principal researcher at Sophos. “Properly patched machines, like the Exchange Server, would have forced the attackers to work harder to make their initial access into the organizations they penetrated.”
“A requirement to use multi-factor authentication, had it been in place, would have created more challenges for unauthorized users to log in to those or other systems,” Brandt added.
Some parts of this article are sourced from:
thehackernews.com