Two recent cyberattacks, impacting an unnamed North American media organization and a regional government entity, deployed the Dridex trojan on targets’ computers before launching the Entropy ransomware. After further analysis of both attacks, researchers uncovered similarities in the code of Dridex and Entropy, which they said hinted at a common origin.
While Entropy is a relatively new ransomware, Dridex is a well-known trojan targeting the Windows platform that is typically spread through malicious spam attachments. The malware has the capabilities to contact a remote server, send data about infected systems and download arbitrary modules on comments; it also frequently serves as an initial foothold in ransomware attacks.
Attackers that distribute Dridex likely employ ransomware with similar configurations, according to the Cybersecurity & Infrastructure Security Agency (CISA), which in 2019 highlighted how code for the BitPaymer ransomware includes numerous similarities to Dridex, as part of attacks that at the time used both malware families to target U.S. financial institutions.
“It’s not unheard of for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, intentionally mislead attribution or distract security researchers," said Andrew Brandt, principal researcher at Sophos in a Wednesday analysis. "This approach makes it harder to find evidence that corroborates a ‘family’ of related malware or to identify ‘false flags’ that can make attackers’ jobs easier and investigators’ jobs harder."
In the attack against the media organization, attackers exploited the known Microsoft ProxyShell vulnerability in order to install a remote shell on the victim’s Exchange server, which they used to spread Cobalt Strike beacons and several Dridex payloads onto other computers. The attackers then performed reconnaissance on the target organization for four months before launching the ransomware attack in the beginning of December. Meanwhile, the attack on the government organization was first launched via a malicious email attachment that infected the user’s computer with the Dridex malware. Attackers then used this trojan to move laterally and deliver additional malware, as well as a legitimate commercial remote access utility called ScreenConnect.
“It’s not unheard of for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, intentionally mislead attribution or distract security researchers."
“Significantly, in this second attack, only about 75 hours passed between the initial detection of a suspicious login attempt on a single machine and the attackers commencing data exfiltration from the target – installing, then using WinRAR to compress files into archives, then uploading the archives to a variety of cloud storage providers, including privatlab.com, dropmefiles.com, and mega.nz,” said Brandt. “Notably, there were significant differences in the methodologies employed by the attackers between both cases: How the attackers gained a foothold in the targets; the time the attackers spent inside the target’s network; and the malware that was used to prepare the final phase of the attack were substantially different.”
Attackers in both incidents used freely-available commercial tools, including the Windows Sysinternals tools PSExec and PSKill, as well as AdFind, a utility designed to let IT admins query Active Directory servers. WinRAR, the free compression utility, was also used to package collections of stolen data, which were then uploaded to a variety of cloud storage providers using the Chrome browser.
“These tactics are, unfortunately, quite common among ransomware threat actors,” said Brandt. “Endpoint protection tools don’t typically block the use of these and other utility programs since they do have legitimate uses.”
Further analysis of both attacks revealed several similarities between the Dridex malware and Entropy ransomware used in these attacks. The packer code used to protect the Entropy ransomware was picked up by a detection signature (Mal/EncPk-APX) that analysts had previously created to detect the packer code employed by Dridex. Researchers also discovered that some of the subroutines the ransomware uses for obfuscation and anti-analysis were “reminiscent” of subroutines used in Dridex - “though not conclusively, and not without a lot of effort to strip away other obfuscations that complicated the code-comparison process.” These included a subroutine used to encode encrypted strings embedded in the malware and another subroutine used to resolve API calls. Both Dridex and Entropy also use an anti-analysis process called Vectored Exception Handler (VEH) that sets up an alternate way for the program to invoke API calls in the operating systems, making it more difficult for analysts to see what the code is doing for any given instruction.
In both incidents, Brandt said that attackers relied upon "a lack of diligence" by organizations, as both victims had vulnerable Windows systems that lacked current patches and updates.
“Properly patched machines, like the Exchange server, would have forced the attackers to work harder to make their initial access into the organizations they penetrated,” said Brandt. “A requirement to use multifactor authentication, had it been in place, would have created further challenges for unauthorized users to log in to those or other machines.”