Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name.
“The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity firm Sophos said in a report shared with The Hacker News.
The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency, both of which ended in the deployment of Entropy. In each case the attackers gained remote access to the target's network by infecting it with Dridex and Cobalt Strike Beacons.
While the two attacks were consistent in some respects, they differed significantly in the initial access vector used to gain a foothold in the network, the length of time spent in each environment, and the malware employed to launch the final phase of the intrusion.
The attack on the media organization exploited ProxyShell against an unpatched Exchange Server to install a web shell, which in turn was used to deploy Cobalt Strike Beacons across the network. The adversary is said to have spent four months carrying out reconnaissance and data theft, ultimately paving the way for the ransomware attack in early December 2021.
The second attack against the regional government was carried out through an email attachment that contained the Dridex malware. It was used to launch additional payloads in order to facilitate lateral movement.
Notably, the attackers exfiltrated sensitive data, compressed into RAR archives, redundantly to more than one cloud storage provider within 75 hours of the first detected suspicious login attempt on a single machine, before encrypting the files on the compromised computers.
[Image: Entropy ransomware note]
Besides the use of legitimate tools such as AdFind, PsExec, and PsKill in both attacks, correlations between the Dridex and Entropy samples and those from earlier DoppelPaymer ransomware infections have raised the possibility of a "common origin."
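The two behaviours described above, staging data into RAR archives and pushing it to more than one cloud storage provider from a host that has also run dual-use admin tools such as AdFind, PsExec and PsKill, are a pattern a defender can hunt for before the encryption stage. The following Python is an added example, not code from Sophos or from the article; the pipe-delimited log format, the list of cloud storage domains, the 100 MiB per-provider threshold and the sample log lines are all constructed assumptions for illustration.

```python
"""Hunt for the staging-and-exfiltration pattern: dual-use admin tooling, RAR
archiving, then large uploads to two or more cloud storage providers from one
host inside a time window. Log format and provider list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of cloud storage domains; extend with what your proxy actually sees.
CLOUD_STORAGE_DOMAINS = {"mega.nz", "dropbox.com", "mediafire.com", "pcloud.com"}
# Dual-use admin tools the article reports being used in both intrusions.
RECON_LATERAL_TOOLS = {"adfind.exe", "psexec.exe", "pskill.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per provider per host (assumed)


def parse_line(line):
    """Parse one constructed log line. Assumed format:
    'ISO_TS|host|PROC|image_path|cmdline' or 'ISO_TS|host|NET|dest_domain|bytes_out'."""
    ts, host, kind, a, b = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "a": a, "b": b}


def provider_of(domain):
    """Map a destination hostname to a known cloud storage provider, or None."""
    domain = domain.lower().rstrip(".")
    for prov in CLOUD_STORAGE_DOMAINS:
        if domain == prov or domain.endswith("." + prov):
            return prov
    return None


def hunt(lines, window_hours=75):
    """Return {host: findings} for hosts that ran an archiver and then moved at least
    EXFIL_BYTES_THRESHOLD bytes to two or more distinct providers within window_hours
    of the first archiving event. The window mirrors the 75 hours cited in the article."""
    per_host = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            per_host[ev["host"]].append(ev)

    findings = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        tools, archive_ts = set(), None
        bytes_by_provider = defaultdict(int)
        for ev in events:
            if ev["kind"] == "PROC":
                image = ev["a"].rsplit("\\", 1)[-1].lower()
                if image in RECON_LATERAL_TOOLS:
                    tools.add(image)
                if image in ARCHIVERS and archive_ts is None:
                    archive_ts = ev["ts"]  # first staging event starts the window
            elif ev["kind"] == "NET" and archive_ts is not None:
                if ev["ts"] - archive_ts <= timedelta(hours=window_hours):
                    prov = provider_of(ev["a"])
                    if prov:
                        bytes_by_provider[prov] += int(ev["b"])
        providers = sorted(p for p, n in bytes_by_provider.items() if n >= EXFIL_BYTES_THRESHOLD)
        if archive_ts is not None and len(providers) >= 2:
            findings[host] = {
                "tools": sorted(tools),
                "providers": providers,
                "archive_at": archive_ts.isoformat(),
            }
    return findings


# Constructed sample log lines for the example, not data from the Sophos report.
SAMPLE_LOG = """\
2021-12-01T09:12:00|WKS-07|PROC|C:\\Tools\\AdFind.exe|AdFind.exe -f objectcategory=computer
2021-12-01T09:40:00|WKS-07|PROC|C:\\Tools\\PsExec.exe|PsExec.exe \\\\SRV-FS01 -s cmd.exe
2021-12-02T22:05:00|WKS-07|PROC|C:\\Program Files\\WinRAR\\Rar.exe|Rar.exe a -v500m D:\\out\\fin.rar \\\\SRV-FS01\\Finance
2021-12-03T01:10:00|WKS-07|NET|api.mega.nz|734003200
2021-12-03T03:30:00|WKS-07|NET|content.dropbox.com|712000000
2021-12-03T04:00:00|WKS-07|PROC|C:\\Tools\\PsKill.exe|PsKill.exe -t sqlservr
2021-12-02T10:00:00|WKS-12|PROC|C:\\Program Files\\WinRAR\\Rar.exe|Rar.exe a backup.rar D:\\photos
2021-12-02T10:05:00|WKS-12|NET|content.dropbox.com|50000000
"""

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_LOG.splitlines()).items():
        print(host, finding)
```

In the sample, WKS-07 is flagged because it archived a finance share and then pushed hundreds of megabytes to both mega.nz and dropbox.com within the window; WKS-12 is not, since a single small upload to one provider is ordinary user behaviour. Requiring two providers is what makes the redundant-exfiltration pattern stand out from routine cloud sync traffic.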
It’s worthwhile to point out the interconnectedness of the various pieces of malware. The Dridex trojan, an information-stealing botnet, is known to be the handiwork of a prolific Russia-based cybercrime group called Indrik Spider (aka Evil Corp).
DoppelPaymer is attributed to a splinter group tracked under the moniker Doppel Spider, which leverages forked malware code developed by Indrik Spider, including the BitPaymer ransomware, as the foundation for its big game hunting operations.
In December 2019, the U.S. Treasury Department sanctioned Evil Corp, the Justice Department unsealed criminal charges against two key members, Maksim Yakubets and Igor Turashev, and a $5 million reward was announced for information leading to their arrests. A subsequent BBC investigation in November 2021 tracked down the "alleged hackers living millionaire lifestyles, with little chance of ever being arrested."
The e-crime gang has since cycled through numerous rebrandings of its ransomware in the intervening years to get around the sanctions, chief among them WastedLocker, Hades, Phoenix, PayloadBIN, Grief, and Macaw. Entropy most likely belongs on this list as well.
It is also possible, however, that the Entropy operators simply copied the code, either to save time or to deliberately muddy attribution.
The findings demonstrate that the Evil Corp cluster continues to advance their tradecraft despite the sanctions, constantly updating their payload signatures, exploitation tools and methods of initial access in order to confuse attribution and stay under the radar.
Indeed, researchers from SentinelOne, in a standalone analysis, called out the “evolutionary” links, citing near-identical configuration, implementation, and functionality between successive variants of the ransomware, with the file-encrypting malware concealed using a packer called CryptOne.
"In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates," said Andrew Brandt, principal researcher at Sophos. "Properly patched machines, like the Exchange Server, would have forced the attackers to work harder to make their initial access into the organizations they penetrated."
A requirement for multi-factor authentication would have made it more difficult for unauthorised users to log on to these or other machines, Brandt said.