Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name.
"The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text," cybersecurity firm Sophos said in a report shared with The Hacker News.
The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access.
Despite consistency in some aspects of the twin attacks, they also varied significantly with regards to the initial access vector used to worm their way inside the networks, the length of time spent in each of the environments, and the malware employed to launch the final phase of the invasion.
The attack on the media organization used the ProxyShell exploit to strike a vulnerable Exchange Server with the goal of installing a web shell that, in turn, was utilized to spread Cobalt Strike Beacons on the network. The adversary is said to have spent four months carrying out reconnaissance and data theft, ultimately paving the way for the ransomware attack in early December 2021.
The second attack on the regional government organization, on the other hand, was facilitated through a malicious email attachment containing the Dridex malware, using it to deploy additional payloads for lateral movement.
Notably, redundant exfiltration of sensitive data to more than one cloud storage provider – in the form of compressed RAR archives – transpired within 75 hours after the initial detection of a suspicious login attempt on a single machine, prior to encrypting the files on the compromised computers.
Entropy Ransomware Note |
Besides using legitimate tools such as AdFind, PsExec, and PsKill to carry out the attacks, the correlation between Dridex and Entropy samples with that of previous DoppelPaymer ransomware infections has raised the possibility of a "common origin."
It's worth pointing out the web of connections between the different pieces of malware. The Dridex trojan, an information-stealing botnet, is known to be the handiwork of a prolific Russia-based cybercrime group called Indrik Spider (aka Evil Corp).
DoppelPaymer is attributed to a splinter group tracked under the moniker Doppel Spider, which leverages forked malware code developed by Indrik Spider, including the BitPaymer ransomware, as the foundation for its big game hunting operations.
Image Source: SentinelOne Labs |
In December 2019, the U.S. Treasury Department sanctioned Evil Corp and filed criminal charges against two key members Maksim Yakubets and Igor Turashev, in addition to announcing a $5 million reward for any information leading to their arrests. A subsequent investigation by BBC in November 2021 tracked down the "alleged hackers living millionaire lifestyles, with little chance of ever being arrested."
The e-crime gang has since cycled through numerous branding changes to their ransomware infrastructure in the intervening years to get around the sanctions, chief among them being WastedLocker, Hades, Phoenix, PayloadBIN, Grief, and Macaw. Entropy is likely the latest addition to this list.
That said, it's also possible that the malware operators have borrowed the code, either to save development efforts or deliberately mislead attribution in what's a false flag operation.
"In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates," said Andrew Brandt, principal researcher at Sophos. "Properly patched machines, like the Exchange Server, would have forced the attackers to work harder to make their initial access into the organizations they penetrated."
"A requirement to use multi-factor authentication, had it been in place, would have created further challenges for unauthorized users to log in to those or other machines," Brandt added.
If anything, the findings demonstrate that the Evil Corp cluster continues to advance their tradecraft despite the sanctions, constantly updating their payload signatures, exploitation tools and methods of initial access in order to confuse attribution and stay under the radar.
Indeed, researchers from SentinelOne, in a standalone analysis, called out the "evolutionary" links, citing near-identical configuration, implementation, and functionality between successive variants of the ransomware, with the file-encrypting malware concealed using a packer called CryptOne.
"While there are some observed similarities, there is not currently enough corroborated evidence to directly tie Entropy to Evil Corp and the greater, historical, operation," Antonio Pirozzi, SentinelOne's senior threat intelligence researcher, told The Hacker News. "Based on the information available at this time, we are treating them as different entities."