
These two gangs are similar in work pattern yet different process


Last Updated on 23/02/2022 by Nidhi Khandelwal

Similarities have been discovered between the Dridex general-purpose malware and the Entropy ransomware strain, implying that the operators are continuing to rebrand their extortion operations under a different name.


The similarities were discovered following two unconnected incidents, one targeting an undisclosed media organization and the other a regional government agency. In both incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy.

Despite some similarities, the twin attacks differed greatly in terms of the initial access vector used to worm their way inside the networks, the length of time spent in each environment, and the malware utilized to initiate the final phase of the invasion.

The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing reconnaissance and data theft before launching the ransomware attack in early December 2021.


The second attack on the regional government agency was made possible via a malicious email attachment carrying the Dridex virus, which was used to distribute additional payloads for lateral movement.

Notably, before encrypting the files on the compromised machines, the attackers exfiltrated sensitive data redundantly to more than one cloud storage provider, in the form of compressed RAR archives. This took place within 75 hours of the initial discovery of a suspicious login attempt on a single machine.

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.