Investigations of two recent incidents have turned up new evidence of closer cooperation between cybercriminal groups and of shared obfuscation techniques.
While investigating two incidents in which attackers used Dridex bots to deliver the little-known Entropy ransomware, researchers found code similarities between the two malware families. The overlap indicates that cybercriminals are increasingly pooling resources, and doing so in ways that make investigators' work harder.
In one of the attacks, the adversaries used the ProxyShell exploit against a vulnerable Exchange server to install a remote shell, which they later used to push Cobalt Strike beacons to other computers. The attackers were in the network for four months before launching Entropy at the beginning of December 2021.
In the other attack, the target was infected through a malicious email attachment. The attackers then used Dridex to deliver additional malware and to move laterally within the target's network. Approximately 75 hours after the first detection of a suspicious login attempt on a single machine, the attackers began stealing data and moving it to a series of cloud providers.
What the forensics show
The code similarities were found in three places: in the software packer used to conceal the ransomware code; in the subroutines that locate and obfuscate the API calls the malware makes; and in the subroutines used to decrypt encrypted strings.
Both attacks used specially crafted, customized versions of the Entropy ransomware dynamic link library (DLL) with the target's name embedded in the code. The attackers also deployed Cobalt Strike on some of the targets' computers and exfiltrated data to cloud storage providers using a legitimate compression tool before launching the ransomware on unprotected computers.
According to Andrew Brandt, Principal Researcher, Sophos, which released the findings: “This approach makes it harder to find evidence that corroborates a ‘family’ of related malware or to identify ‘false flags’ that can make attackers’ jobs easier and investigators’ jobs harder. In this analysis, we focused on aspects of the code that both Dridex and Entropy apparently used to make forensic analysis more challenging, and found that the subroutines in both malware have a fundamentally similar code flow and logic.”
The investigation found that in both cases the attackers took advantage of unpatched, vulnerable Windows systems and abused legitimate software utilities.