Dridex, a general-purpose malware family, and Entropy, a lesser-known ransomware strain, share code similarities, even as the operators behind them have played with names in their extortion campaigns.
“The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity firm Sophos said in a report shared with The Hacker News.
The similarities came to light in two unrelated attacks: one targeted an unnamed media company, the other a regional government agency. In both cases, the attackers infected the target networks with Cobalt Strike beacons and Dridex, which gave them remote access, before deploying Entropy.
Despite these common elements, the two attacks differed in the initial access vector used to gain entry into the networks, the time spent in each environment, and the malware used to carry out the final phase of the attack.
In the media company attack, the adversary used the ProxyShell exploit against a vulnerable Exchange server to install a web shell, which was then used to spread Cobalt Strike beacons. The adversary performed reconnaissance and pilfered data for 4 months before launching the ransomware attack in December 2021.
In contrast, the attack on the regional government began with a malicious email attachment carrying Dridex, which was used to plant additional payloads for lateral movement.
Data, packaged in RAR archives, was exfiltrated to several cloud storage providers within 75 hours of the initial detection of a suspicious login attempt on a single machine, before the files on the affected computers were encrypted.
Beyond the use of legitimate tools such as AdFind, PsExec, and PsKill in both attacks, links between the Dridex and Entropy samples and an earlier DoppelPaymer ransomware infection point to the possibility of “common roots.”
It’s worth pointing out the web of connections between the different pieces of malware. The Dridex Trojan, an information-stealing botnet, is known to be the handiwork of a prolific Russia-based cybercrime group called Indrik Spider (aka Evil Corp).
DoppelPaymer has been traced to a splinter group known by the moniker Doppel Spider, which used forked malware code created by Indrik Spider, including the BitPaymer ransomware, as the cornerstone of its big game hunting campaigns.
In December 2019, the U.S. Treasury Department sanctioned Evil Corp and filed criminal charges against two key members, Maksim Yakubets and Igor Turashev, in addition to announcing a $5 million reward for any information leading to their arrests. A subsequent investigation by the BBC in November 2021 tracked down the “alleged hackers living millionaire lifestyles, with little chance of ever being arrested.”