Select Page

Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name.

“The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity firm Sophos said in a report shared with The Hacker News.

The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access.

Despite consistency in some aspects of the twin attacks, they also varied significantly with regards to the initial access vector used to worm their way inside the networks, the length of time spent in each of the environments, and the malware employed to launch the final phase of the invasion.

The attack on the media organization used the ProxyShell exploit to strike a vulnerable Exchange Server with the goal of installing a web shell that, in turn, was utilized to spread Cobalt Strike Beacons on the network. The adversary is said to have spent four months carrying out reconnaissance and data theft, ultimately paving the way for the ransomware attack in early December 2021.

The second attack on the regional government organization, on the other hand, was facilitated through a malicious email attachment containing the Dridex malware, using it to deploy additional payloads for lateral movement.

Notably, redundant exfiltration of sensitive data to more than one cloud storage provider – in the form of compressed RAR archives – transpired within 75 hours after the initial detection of a suspicious login attempt on a single machine, prior to encrypting the files on the compromised computers.

images from Hacker News