Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Beacon. Show all posts

Entropy Ransomware Connected to Dridex Malware, as per Sophos

 

The recently found Entropy ransomware has coding similarities to the Dridex malware, which started out as a banking trojan. After two Entropy cybercrimes on different firms, researchers were able to establish a bond between the different pieces of malware. 

Sophos principal researcher Andrew Brandt claimed in a new study detection signature designed to detect Dridex which prompted a closer look into the Entropy virus, both of the target businesses had gadgets were unprotected. Despite the characteristic for recognizing the Dridex packer code, endpoint protection measures blocked the attack, which was started by identifying the Entropy packer code.

In all incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite some similarities, the twin attacks differed greatly in terms of the initial access point used to parasite its path within the networks, the period invested in each environment, and the malware utilized to initiate the final stage of the invasion. 

The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing espionage and data theft before launching the cyberattack in December 2021. The second attack on the provincial government agency was made possible via a malicious email attachment carrying the Dridex virus.

Notably, prior to encryption of the files on the hacked machines, redundant exfiltration of confidential documents to more than just one cloud storage service – in the form of packed RAR archives – occurred within 75 hours of the initial discovery of a suspect login session on a single machine. Apart from employing respectable tools like AdFind, PsExec, and PsKill, the resemblance between Dridex and Entropy samples and past DoppelPaymer extortion infections has raised the likelihood of a "similar origin."

The network of links between the various types of malware is worth mentioning; the Dridex malware, an information-stealing botnet, is thought to be the product of Indrik Spider, a well-known Russian cybercrime outfit  Evil Corp. 

The Evil Corp cluster continues to improve its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to mislead attribution. SentinelOne researchers identified the "evolutionary" ties in a standalone analysis, claiming nearly identical design, implementation, and functionality amongst various iterations of the malware, with the file-encrypting malware buried using a packer named CryptOne. 

"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, chief researcher at Sophos. Attackers would have had to work harder to gain first access into the Exchange Server if it had been patched properly.

Linux Implementation of Cobalt Strike Beacon Employed by Hackers in Attacks Worldwide

 

Security experts have detected an unauthorized version of the Cobalt Strike Beacon Linux created by malicious attackers that are actively utilized to attack organizations worldwide. Cobalt Strike is a legal penetration testing tool built for the red-team attacking infrastructure (security organizations that function as attackers to detect the security and flaws in the infrastructure of their org). 

Cobalt Strike is often utilized for post-exploitation duties by malicious attackers (often dropped in ransomware campaigns) following the planting of so-called beacons that give permanent remote access to affected machines. Employing beacons, attackers may access compromised servers for the collection of data or distribute additional payloads of malware afterward. 

Over time, the cybercriminals acquired split copies of the Cobalt Strike and circulated this as one of the most prevalent instruments of cybersecurity threats culminating in theft and extortion of information. Cobalt Strike, however, has always had a problem - it enables only Windows devices and therefore does not contain Linux beacons. 

Further, as per a new analysis by the security company Intezer, scientists describe exactly how the threat actors have chosen to construct their cobalt strike-compatible Linux beacons. Malicious actors may now maintain and execute remote control over both Windows and Linux devices by utilizing these beacons. 

The undiscovered variant — dubbed "Vermilion Strike" — of the penetration testing program is one of the uncommon Linux ports, typically a Windows-based red team instrument which is heavily used by opponents to launch a range of specific attacks. As a threat simulation software, Cobalt Strike claims to be Beacon's payload designed to simulate a sophisticated actor and to double their post-exploitation behaviors. 

"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files," Intezer researchers said in a report. 

Once installed, the malware starts the operation in the background, decoding the required configuration for the beacon to operate effectively just before the fingerprint identification of the Linux-compromised device and communicating to a remote server via DNS or HTTP to recover base64 encoded and AES-encrypted commands, to write files and upload them back to the webserver. 

"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets to navigate the existing environment," the researchers said.