The recently found Entropy ransomware has coding similarities to the Dridex malware, which started out as a banking trojan. After two Entropy cybercrimes on different firms, researchers were able to establish a bond between the different pieces of malware.
Sophos principal researcher Andrew Brandt claimed in a new study detection signature designed to detect Dridex which prompted a closer look into the Entropy virus, both of the target businesses had gadgets were unprotected. Despite the characteristic for recognizing the Dridex packer code, endpoint protection measures blocked the attack, which was started by identifying the Entropy packer code.
In all incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite some similarities, the twin attacks differed greatly in terms of the initial access point used to parasite its path within the networks, the period invested in each environment, and the malware utilized to initiate the final stage of the invasion.
The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing espionage and data theft before launching the cyberattack in December 2021. The second attack on the provincial government agency was made possible via a malicious email attachment carrying the Dridex virus.
Notably, prior to encryption of the files on the hacked machines, redundant exfiltration of confidential documents to more than just one cloud storage service – in the form of packed RAR archives – occurred within 75 hours of the initial discovery of a suspect login session on a single machine. Apart from employing respectable tools like AdFind, PsExec, and PsKill, the resemblance between Dridex and Entropy samples and past DoppelPaymer extortion infections has raised the likelihood of a "similar origin."
The network of links between the various types of malware is worth mentioning; the Dridex malware, an information-stealing botnet, is thought to be the product of Indrik Spider, a well-known Russian cybercrime outfit Evil Corp.
The Evil Corp cluster continues to improve its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to mislead attribution. SentinelOne researchers identified the "evolutionary" ties in a standalone analysis, claiming nearly identical design, implementation, and functionality amongst various iterations of the malware, with the file-encrypting malware buried using a packer named CryptOne.
"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, chief researcher at Sophos. Attackers would have had to work harder to gain first access into the Exchange Server if it had been patched properly.