Pierluigi Paganini
February 23, 2022
The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware.
Experts from Sophos analyzed the code of Entropy ransomware employed in two distinct attacks.
“A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.” reads a report published by Sophos.
The forensic analysis conducted by researchers revealed the presence of multiple instances of the general-purpose Dridex malware which was also used to distribute other malware.
In both attacks, endpoint protection solutions detected the threat, according to the experts the anti-malware solution detected the packer code used by Entropy through a signature created to detect the packer code employed by Dridex.
SophosLabs researchers also noticed that some of the other subroutines that Entropy uses to hide its behavior were similar to those for the same functions in Dridex.
The packer used by Entropy works in two stages to decompress the program code. In a first stage it allocates the memory space where to copy the encrypted data and whose content is executed by the packer. Then, in the second stage the packer decrypts the code into another portion of the same memory allocation where it stored the encrypted data, and then transfers the execution to this second layer
“The instructions that dictate how Entropy performs the first “layer” of unpacking are similar enough to Dridex that the analyst who looked at the packer code, and in particular the portion that refers to an API called LdrLoadDll — and that subroutine’s behavior, described it as “very much like a Dridex v4 loader,” and compared it to a similar loader used by a Dridex sample from 2018.” continues the report. “The behavior in question has been highlighted in other vendors’ research about Dridex. Specifically, it is looking for a DLL named snxhk.dll, which is a memory protection component of another company’s endpoint security product, in order to sabotage that protection.”
SophosLabs also reported detections of this particular packer code on machines protected by Sophos where attackers had unsuccessfully attempted to run the DoppelPaymer ransomware.
DoppelPaymer and Dridex were both attributed to the operation of a cybercrime gang known as Evil Corp, which launched in October a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.
The Evil Corp cybercrime group (aka the Dridex gang Indrik Spider, the Dridex gang, and TA505) has been active in cybercrime activities since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then it switched to ransomware operation by infecting victims’ computer networks with the BitPaymer ransomware.
In 2019, the U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.
The US Government announced sanctions for ransomware negotiation firms that will support victims of the Evil Corp group in the ransom payments.
Due to these sanctions, Evil Corp launched several ransomware operations that employed different strains of ransomware, such as WastedLocker, Hades, Phoenix Locker, and PayloadBin.
The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.
Experts pointed out that in both attacks investigated by Sophos, the attackers targeted vulnerable Windows systems that were not updated.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Dridex)
[adrotate banner=”5″]
[adrotate banner=”13″]
