Cyber Crime

Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?

The code of the recently-emerged Entropy ransomware has similarities with the one of the infamous Dridex malware.

The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware.

Experts from Sophos analyzed the code of Entropy ransomware employed in two distinct attacks.

“A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.” reads a report published by Sophos.

The forensic analysis conducted by researchers revealed the presence of multiple instances of the general-purpose Dridex malware which was also used to distribute other malware.

In both attacks, endpoint protection solutions detected the threat, according to the experts the anti-malware solution detected the packer code used by Entropy through a signature created to detect the packer code employed by Dridex.

SophosLabs researchers also noticed that some of the other subroutines that Entropy uses to hide its behavior were similar to those for the same functions in Dridex.

The packer used by Entropy works in two stages to decompress the program code. In a first stage it allocates the memory space where to copy the encrypted data and whose content is executed by the packer. Then, in the second stage the packer decrypts the code into another portion of the same memory allocation where it stored the encrypted data, and then transfers the execution to this second layer

“The instructions that dictate how Entropy performs the first “layer” of unpacking are similar enough to Dridex that the analyst who looked at the packer code, and in particular the portion that refers to an API called LdrLoadDll — and that subroutine’s behavior, described it as “very much like a Dridex v4 loader,” and compared it to a similar loader used by a Dridex sample from 2018.” continues the report. “The behavior in question has been highlighted in other vendors’ research about Dridex. Specifically, it is looking for a DLL named snxhk.dll, which is a memory protection component of another company’s endpoint security product, in order to sabotage that protection.”

SophosLabs also reported detections of this particular packer code on machines protected by Sophos where attackers had unsuccessfully attempted to run the DoppelPaymer ransomware.

DoppelPaymer and Dridex were both attributed to the operation of a cybercrime gang known as Evil Corp, which launched in October a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.

The Evil Corp cybercrime group (aka the Dridex gang Indrik Spider, the Dridex gang, and TA505) has been active in cybercrime activities since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then it switched to ransomware operation by infecting victims’ computer networks with the BitPaymer ransomware.

In 2019, the U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

The US Government announced sanctions for ransomware negotiation firms that will support victims of the Evil Corp group in the ransom payments.

Due to these sanctions, Evil Corp launched several ransomware operations that employed different strains of ransomware, such as WastedLockerHadesPhoenix Locker, and PayloadBin.

The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.

Experts pointed out that in both attacks investigated by Sophos, the attackers targeted vulnerable Windows systems that were not updated. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Dridex)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

BadBox rapidly grows, 190,000 Android devices infected

Experts uncovered a botnet of 190,000 Android devices infected by BadBox bot, primarily Yandex smart…

9 hours ago

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware…

20 hours ago

Sophos fixed critical vulnerabilities in its Firewall product

Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access…

1 day ago

U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote…

2 days ago

Raccoon Infostealer operator sentenced to 60 months in prison

Raccoon Infostealer operator Mark Sokolovsky was sentenced to 60 months in US prison and ordered…

2 days ago

Mirai botnet targets SSR devices, Juniper Networks warns<gwmw style="display:none;"></gwmw>

Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after…

3 days ago

This website uses cookies.