Share this article on:
Sophos released new research, Dridex Bots Deliver Entropy in Recent Attacks, that details code similarities in the general purpose Dridex botnet and the little-known ransomware Entropy.
The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text.
Sophos uncovered the similarities while investigating two incidents where attackers used Dridex to deliver Entropy ransomware. These attacks targeted a media company and a regional government agency, using specially crafted, customised versions of the Entropy ransomware dynamic link library (DLL) with the target's name embedded in the ransomware code.
In both attacks, the malicious actors also deployed Cobalt Strike on some of the targets' computers and exfiltrated data to cloud storage providers using the legitimate WinRAR compression tool, before launching the ransomware on unprotected computers.
It's not unheard of for malware operators to share, borrow or steal each other's code, either to save themselves the effort of creating their own, intentionally mislead attribution or distract security researchers, according to Andrew Brandt, principal researcher at Sophos.
"This approach makes it harder to find evidence that corroborates a 'family' of related malware or to identify 'false flags' that can make attackers' jobs easier and investigators' jobs harder.
"In this analysis, Sophos focused on aspects of the code that both Dridex and Entropy apparently used to make forensic analysis more challenging.
"These include the packer code, which prevents easy static analysis of the underlying malware, a subroutine that the programs use to conceal the command (API) calls they make, and a subroutine that decrypts encrypted text strings embedded within the malware. The researchers found that the subroutines in both malware have a fundamentally similar code flow and logic," Brandt said.
In addition to finding similarities in the code, Sophos researchers also found some notable differences. In the attack on the media organisation, the adversaries used the ProxyShell exploit to target a vulnerable Exchange server to install a remote shell they later leveraged to spread Cobalt Strike beacons to other computers. The attackers were in the network for four months before launching Entropy at the beginning of December 2021.
In the attack on the regional government organisation, the target was infected with Dridex malware through a malicious email attachment. The attackers then used Dridex to deliver additional malware and move laterally within the target's network. The incident analysis shows that approximately 75 hours after the initial detection of a suspicious login attempt on a single machine, the attackers started to steal data and move it to a series of cloud providers.
The investigation found that in both cases, the attackers were able to take advantage of unpatched and vulnerable Windows systems and abuse legitimate tools. Regular security patching and the active investigation of suspicious alerts by threat hunters and security operations teams will help to make it harder for attackers to gain initial access to a target and deploy malicious code.
[Related: Survey finds 45% of organisations deployed EPM solution to boost security]
Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.