Cyber Crime

Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?

The code of the recently-emerged Entropy ransomware has similarities with the one of the infamous Dridex malware.

The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware.

Experts from Sophos analyzed the code of Entropy ransomware employed in two distinct attacks.

“A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.” reads a report published by Sophos.

The forensic analysis conducted by researchers revealed the presence of multiple instances of the general-purpose Dridex malware which was also used to distribute other malware.

In both attacks, endpoint protection solutions detected the threat, according to the experts the anti-malware solution detected the packer code used by Entropy through a signature created to detect the packer code employed by Dridex.

SophosLabs researchers also noticed that some of the other subroutines that Entropy uses to hide its behavior were similar to those for the same functions in Dridex.

The packer used by Entropy works in two stages to decompress the program code. In a first stage it allocates the memory space where to copy the encrypted data and whose content is executed by the packer. Then, in the second stage the packer decrypts the code into another portion of the same memory allocation where it stored the encrypted data, and then transfers the execution to this second layer

“The instructions that dictate how Entropy performs the first “layer” of unpacking are similar enough to Dridex that the analyst who looked at the packer code, and in particular the portion that refers to an API called LdrLoadDll — and that subroutine’s behavior, described it as “very much like a Dridex v4 loader,” and compared it to a similar loader used by a Dridex sample from 2018.” continues the report. “The behavior in question has been highlighted in other vendors’ research about Dridex. Specifically, it is looking for a DLL named snxhk.dll, which is a memory protection component of another company’s endpoint security product, in order to sabotage that protection.”

SophosLabs also reported detections of this particular packer code on machines protected by Sophos where attackers had unsuccessfully attempted to run the DoppelPaymer ransomware.

DoppelPaymer and Dridex were both attributed to the operation of a cybercrime gang known as Evil Corp, which launched in October a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.

The Evil Corp cybercrime group (aka the Dridex gang Indrik Spider, the Dridex gang, and TA505) has been active in cybercrime activities since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then it switched to ransomware operation by infecting victims’ computer networks with the BitPaymer ransomware.

In 2019, the U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

The US Government announced sanctions for ransomware negotiation firms that will support victims of the Evil Corp group in the ransom payments.

Due to these sanctions, Evil Corp launched several ransomware operations that employed different strains of ransomware, such as WastedLockerHadesPhoenix Locker, and PayloadBin.

The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.

Experts pointed out that in both attacks investigated by Sophos, the attackers targeted vulnerable Windows systems that were not updated. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Dridex)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

9 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

13 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

18 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

21 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

1 day ago

This website uses cookies.