The general-purpose Dridex botnet was recently used to deliver Entropy ransomware against a media company and a regional government agency.
While investigating these two attacks, researchers from the cybersecurity company Sophos found similarities between the Dridex botnet and Entropy ransomware. The attackers used specially crafted, customized versions of the Entropy ransomware dynamic link library (DLL) with the target’s name embedded in the ransomware code.
In its latest blog post, Sophos also detailed that threat actors deployed Cobalt Strike on some of the targets’ computers and exfiltrated data to cloud storage providers using the legitimate WinRAR compression tool before launching the ransomware on unprotected computers.
“It’s not unheard of for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, intentionally mislead attribution, or distract security researchers. This approach makes it harder to find evidence that corroborates a ‘family’ of related malware or to identify ‘false flags’ that can make attackers’ jobs easier and investigators’ jobs harder,” Andrew Brandt, principal researcher at Sophos, was quoted as saying in a press release.
The researchers focused on aspects of the code that both Dridex and Entropy use to make forensic analysis more challenging, Brandt said.
“These include the packer code, which prevents easy static analysis of the underlying malware, a subroutine that the programs use to conceal the command (API) calls they make, and a subroutine that decrypts encrypted text strings embedded within the malware. The researchers found that the subroutines in both malware have a fundamentally similar code flow and logic.”
Sophos also noticed some differences. In the attack on the media organization, threat actors compromised a vulnerable Exchange server using the ProxyShell exploit. They used the resulting remote shell to spread Cobalt Strike beacons to other computers, and were in the network for four months before launching Entropy.
In the attack on the regional government organization, cybercriminals spread Dridex malware through a malicious email attachment.
“The attackers then used Dridex to deliver additional malware and move laterally within the target’s network. The incident analysis shows that approximately 75 hours after the initial detection of a suspicious login attempt on a single machine, the attackers started to steal data and move it to a series of cloud providers,” Sophos detailed.
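One defender-side way to surface the pattern described above (data compressed with WinRAR, then pushed to cloud storage, hours before the ransomware runs) is to correlate archive creation with a large outbound transfer to a watched cloud-storage domain from the same host. This is an added example, not code from Sophos or the article; the event format, domain watch list, time window and size threshold are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: a SOC-maintained watch list of cloud-storage domains (placeholders here).
CLOUD_STORAGE_DOMAINS = {"upload.example-cloud.test", "files.example-drive.test"}
WINDOW = timedelta(hours=6)           # assumption: archive-to-upload correlation window
MIN_BYTES_OUT = 50 * 1024 * 1024      # assumption: ignore small, routine uploads

# Constructed sample telemetry (not from the report): normalised process-creation
# and network-connection events. ws-17 shows the pattern; ws-02 only extracts an
# archive; ws-09 archives but uploads outside the window.
EVENTS = [
    {"ts": "2022-02-01T08:00:00", "host": "ws-09", "type": "process",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a -r -hp C:\\Users\\Public\\hr.rar D:\\HR"},
    {"ts": "2022-02-01T09:00:00", "host": "ws-17", "type": "process",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a -r -hp C:\\Users\\Public\\fin.rar D:\\Finance"},
    {"ts": "2022-02-01T09:12:00", "host": "ws-17", "type": "network",
     "dest": "upload.example-cloud.test", "bytes_out": 734_003_200},
    {"ts": "2022-02-01T10:00:00", "host": "ws-02", "type": "process",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe x C:\\Users\\bob\\Downloads\\driver.rar"},
    {"ts": "2022-02-01T20:00:00", "host": "ws-09", "type": "network",
     "dest": "files.example-drive.test", "bytes_out": 900_000_000},
    {"ts": "2022-02-02T11:00:00", "host": "ws-02", "type": "network",
     "dest": "upload.example-cloud.test", "bytes_out": 5_000},
]

def is_archive_creation(event):
    """True for WinRAR/rar invocations using the 'a' (add to archive) command."""
    if event["type"] != "process":
        return False
    if not event["image"].lower().endswith(("winrar.exe", "rar.exe")):
        return False
    args = event["cmdline"].split()   # plain split is enough for these sample command lines
    return len(args) > 1 and args[1].lower() == "a"

def correlate(events):
    """Return hits where a host creates an archive and, within WINDOW, sends
    at least MIN_BYTES_OUT to a watched cloud-storage domain."""
    pending = {}   # host -> timestamp of its most recent archive creation
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if is_archive_creation(e):
            pending[e["host"]] = ts
        elif (e["type"] == "network" and e["dest"] in CLOUD_STORAGE_DOMAINS
              and e["bytes_out"] >= MIN_BYTES_OUT):
            started = pending.get(e["host"])
            if started is not None and ts - started <= WINDOW:
                hits.append({"host": e["host"], "archived": started.isoformat(),
                             "uploaded": e["ts"], "dest": e["dest"]})
    return hits
```

A real deployment would feed this from EDR or Sysmon events and tune the window and threshold to the environment; the point is that the archive step and the upload step are individually benign and only suspicious together.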
Researchers highlighted the importance of patching as attackers continue taking advantage of outdated and vulnerable Windows systems.