Last Updated on 23/02/2022 by Nidhi Khandelwal
Similarities have been discovered between the Dridex general-purpose malware and the Entropy ransomware strain, suggesting that the operators are continuing to rebrand their extortion operations under a new name.
The similarities were discovered following two unconnected incidents, one targeting an undisclosed media organization and the other a regional government agency. In both incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy.
Despite these similarities, the two attacks differed greatly in the initial access vector used to get inside the networks, the length of time spent in each environment, and the malware used to launch the final phase of the intrusion.
The attack on the media company exploited the ProxyShell vulnerability chain to plant a web shell on an unpatched Exchange Server, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is believed to have spent four months on reconnaissance and data theft before launching the ransomware in early December 2021.
The second attack, on the regional government agency, began with a malicious email attachment carrying the Dridex malware, which was then used to deliver additional payloads for lateral movement.
Notably, before the files on the compromised machines were encrypted, sensitive data was redundantly exfiltrated, as compressed RAR archives, to more than one cloud storage provider, all within 75 hours of the initial discovery of a suspicious login attempt on a single machine.
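The staging-then-exfiltration sequence described above (suspicious logon, archive tool run, large uploads to more than one storage provider, all inside a roughly 75-hour window) is something a defender can correlate from ordinary endpoint and proxy telemetry. The script below is an added example written for this page; it is not code from the article or from the researchers, and the log format, hostnames, the "failure followed by success" logon heuristic, and the list of storage domains are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for this example. Hostnames, users, paths and the
# key=value layout are assumptions; none of it is data from the incidents above.
SAMPLE_EVENTS = [
    '2021-12-01T02:10:00Z host=fs01 type=auth user=svc_backup result=failure src=10.9.8.7',
    '2021-12-01T02:10:05Z host=fs01 type=auth user=svc_backup result=success src=10.9.8.7',
    '2021-12-02T14:00:00Z host=fs01 type=process image="C:\\Tools\\rar.exe" '
    'cmdline="rar a -r C:\\staging\\hr.rar \\\\fs01\\hr"',
    '2021-12-02T14:30:00Z host=fs01 type=netconn dest=g.api.mega.co.nz bytes_out=734003200',
    '2021-12-03T09:00:00Z host=fs01 type=netconn dest=content.dropboxapi.com bytes_out=734003200',
    '2021-12-04T01:00:00Z host=ws22 type=netconn dest=update.example.org bytes_out=4096',
    '2021-12-05T12:00:00Z host=ws22 type=auth user=alice result=success src=10.1.1.5',
]

# Illustrative list of cloud/consumer storage endpoints; extend it for your environment.
CLOUD_STORAGE_SUFFIXES = {
    "mega.co.nz": "mega", "mega.nz": "mega",
    "dropboxapi.com": "dropbox", "dropbox.com": "dropbox",
    "storage.googleapis.com": "google-cloud-storage",
    "s3.amazonaws.com": "amazon-s3",
}
ARCHIVE_TOOLS = ("rar.exe", "winrar.exe", "7z.exe")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in _KV.findall(rest):
        event[key] = value.strip('"')
    return event

def provider_for(dest):
    """Map a destination hostname to a storage provider name, or None if it is not one."""
    for suffix, name in CLOUD_STORAGE_SUFFIXES.items():
        if dest == suffix or dest.endswith("." + suffix):
            return name
    return None

def suspicious_logins(events, max_gap=timedelta(minutes=5)):
    """Assumed heuristic: a successful logon shortly after a failure for the same host/user/source."""
    auths = [e for e in events if e.get("type") == "auth"]
    hits = []
    for ok in auths:
        if ok["result"] != "success":
            continue
        for bad in auths:
            same = all(bad.get(k) == ok.get(k) for k in ("host", "user", "src"))
            if same and bad["result"] == "failure" and timedelta(0) <= ok["ts"] - bad["ts"] <= max_gap:
                hits.append(ok)
                break
    return hits

def find_exfil_chains(lines, window_hours=75, min_bytes=100 * 2**20, min_providers=2):
    """Flag hosts where, within the window after a suspicious logon, an archive tool ran
    and large uploads then went to at least min_providers distinct storage providers."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for login in suspicious_logins(events):
        deadline = login["ts"] + timedelta(hours=window_hours)
        scope = [e for e in events if e.get("host") == login["host"] and login["ts"] <= e["ts"] <= deadline]
        archives = [e for e in scope if e.get("type") == "process"
                    and e.get("image", "").lower().endswith(ARCHIVE_TOOLS)]
        uploads = [e for e in scope if e.get("type") == "netconn"
                   and provider_for(e.get("dest", "")) and int(e.get("bytes_out", 0)) >= min_bytes]
        # Require the archiving to precede the first upload: staging, then exfiltration.
        if archives and uploads and uploads[0]["ts"] >= archives[0]["ts"]:
            providers = {provider_for(u["dest"]) for u in uploads}
            if len(providers) >= min_providers:
                findings.append({
                    "host": login["host"],
                    "user": login["user"],
                    "login_at": login["ts"].isoformat(),
                    "archive_cmd": archives[0].get("cmdline", ""),
                    "providers": sorted(providers),
                    "bytes_out": sum(int(u["bytes_out"]) for u in uploads),
                })
    return findings

if __name__ == "__main__":
    for finding in find_exfil_chains(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events this reports one chain on fs01 (RAR staging followed by uploads to two providers within the window) and nothing for ws22, whose only outbound connection is small and not to a storage service. The thresholds and the logon heuristic are deliberately simple; in practice you would feed real EDR and proxy logs, tune the byte threshold to the host's normal traffic, and treat the multi-provider pattern as a strong signal precisely because the redundancy the attackers used is unusual for legitimate backups.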