Cyber Crime

Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?

The code of the recently-emerged Entropy ransomware has similarities with the one of the infamous Dridex malware.

The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware.

Experts from Sophos analyzed the code of Entropy ransomware employed in two distinct attacks.

“A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.” reads a report published by Sophos.

The forensic analysis conducted by researchers revealed the presence of multiple instances of the general-purpose Dridex malware which was also used to distribute other malware.

In both attacks, endpoint protection solutions detected the threat, according to the experts the anti-malware solution detected the packer code used by Entropy through a signature created to detect the packer code employed by Dridex.

SophosLabs researchers also noticed that some of the other subroutines that Entropy uses to hide its behavior were similar to those for the same functions in Dridex.

The packer used by Entropy works in two stages to decompress the program code. In a first stage it allocates the memory space where to copy the encrypted data and whose content is executed by the packer. Then, in the second stage the packer decrypts the code into another portion of the same memory allocation where it stored the encrypted data, and then transfers the execution to this second layer

“The instructions that dictate how Entropy performs the first “layer” of unpacking are similar enough to Dridex that the analyst who looked at the packer code, and in particular the portion that refers to an API called LdrLoadDll — and that subroutine’s behavior, described it as “very much like a Dridex v4 loader,” and compared it to a similar loader used by a Dridex sample from 2018.” continues the report. “The behavior in question has been highlighted in other vendors’ research about Dridex. Specifically, it is looking for a DLL named snxhk.dll, which is a memory protection component of another company’s endpoint security product, in order to sabotage that protection.”

SophosLabs also reported detections of this particular packer code on machines protected by Sophos where attackers had unsuccessfully attempted to run the DoppelPaymer ransomware.

DoppelPaymer and Dridex were both attributed to the operation of a cybercrime gang known as Evil Corp, which launched in October a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.

The Evil Corp cybercrime group (aka the Dridex gang Indrik Spider, the Dridex gang, and TA505) has been active in cybercrime activities since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then it switched to ransomware operation by infecting victims’ computer networks with the BitPaymer ransomware.

In 2019, the U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

The US Government announced sanctions for ransomware negotiation firms that will support victims of the Evil Corp group in the ransom payments.

Due to these sanctions, Evil Corp launched several ransomware operations that employed different strains of ransomware, such as WastedLockerHadesPhoenix Locker, and PayloadBin.

The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.

Experts pointed out that in both attacks investigated by Sophos, the attackers targeted vulnerable Windows systems that were not updated. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Dridex)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

A cyber attack hit Iranian government sites and nuclear facilities

As Middle East tensions rise, cyberattacks hit Iran’s government branches and nuclear facilities, following Israel's…

13 hours ago

Ransomware operators exploited Veeam Backup & Replication flaw CVE-2024-40711 in recent attacks

Sophos reports ransomware operators are exploiting a critical code execution flaw in Veeam Backup &…

22 hours ago

GitLab fixed a critical flaw that could allow arbitrary CI/CD pipeline execution

GitLab issued updates for CE and EE to address multiple flaws, including a critical bug…

1 day ago

Iran and China-linked actors used ChatGPT for preparing attacks

OpenAI disrupted 20 cyber and influence operations in 2023, revealing Iran and China-linked actors used…

2 days ago

Internet Archive data breach impacted 31M users

The Internet Archive disclosed a data breach, the security incident impacted more than 31 million…

2 days ago

E-skimming campaign uses Unicode obfuscation to hide the Mongolian Skimmer

Jscrambler researchers found a skimming campaign using unique JavaScript obfuscation with accented characters to hide…

3 days ago

This website uses cookies.