Security researchers at Sophos have recently found similarities between the Dridex malware and the recently emerged Entropy ransomware. In short, threat actors are using Dridex to deliver Entropy ransomware, targeting Microsoft Exchange servers and computers.
The ransomware is reported to show code-level similarities to Dridex, and the threat actors continue to rebrand their extortion operation under different names.
The similarities found are in the software packer used to conceal the ransomware code.
Dridex Code Used in Entropy Ransomware
After investigating, Sophos analyst Andrew Brandt remarked that the Entropy malware was first detected by a signature created specifically for catching Dridex, which prompted the more in-depth investigation.
Fortunately, the protected systems eventually stopped the attack, though the victim organization also had unprotected machines.
During their analysis the experts also noted that Entropy ransomware relies on associates to hide its distribution, in a manner similar to Dridex.
The Behavior of Attackers and use of Free & Commercial Tools
In both attacks, the threat actors used freely available tools designed to let IT admins query Active Directory servers.
The tools that were used are listed below:-
Apart from this, the threat actors used WinRAR to archive the private data they had stolen. Once done, they uploaded the data to a variety of cloud storage providers using the Chrome browser.
All of these techniques were detected by the analysts, since they are quite common among ransomware threat actors.
The threat actors also tried to load and launch the Cobalt Strike remote control tool on the machine, which they had planned to do in the very last stage of their attack.
Files dropped in C:\share$
The files dropped in C:\share$ are listed below:-
- comps.txt – List of hosts to attack.
- pdf.dll – The ransomware payload.
- PsExec.exe – A legitimate application by Microsoft.
- COPY.bat – Instructions to copy pdf.dll to all the hosts using PsExec.
- EXE.bat – Instructions to execute pdf.dll on all the hosts using PsExec.
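As an added defender-side example (not Sophos's code and not taken from the write-up), the following Python scans process-creation records for one host using PsExec to push the staged files named above to several machines at once, which is the fan-out pattern the batch files describe. The Sysmon-style JSON field names, hostnames and command lines are all assumptions constructed for the example.

```python
"""Flag one host using PsExec to fan staged files out to many machines.
Added example, not Sophos code. Assumes Sysmon Event ID 1 (process creation)
records flattened to JSON lines with the fields Computer, Image, CommandLine."""
import json
import re
from collections import defaultdict

# Artefacts named in the write-up: the staging share and the files dropped in it
# (PsExec.exe itself is excluded, since it appears on every PsExec command line).
STAGING_SHARE = r"c:\share$"
STAGED_FILES = ("comps.txt", "pdf.dll", "copy.bat", "exe.bat")

# PsExec names each remote target as \\hostname on its command line.
_TARGET_RE = re.compile(r"\\\\([a-z0-9_.-]+)", re.IGNORECASE)


def parse_jsonl(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def psexec_fanout(events, min_targets=2):
    """Return {source_host: [targets]} for each source that ran PsExec against
    at least min_targets distinct hosts while referencing the staging share or
    one of the staged files. Single-target admin use is not reported."""
    fanout = defaultdict(set)
    for ev in events:
        if not ev.get("Image", "").lower().endswith("psexec.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()
        if STAGING_SHARE not in low and not any(f in low for f in STAGED_FILES):
            continue
        for target in _TARGET_RE.findall(cmd):
            fanout[ev.get("Computer", "?")].add(target.lower())
    return {src: sorted(t) for src, t in fanout.items() if len(t) >= min_targets}


# Constructed sample records (hostnames and command lines are made up).
SAMPLE = r"""
{"Computer":"srv-ex01","Image":"C:\\share$\\PsExec.exe","CommandLine":"PsExec.exe \\\\ws-101 -s cmd /c copy C:\\share$\\pdf.dll C:\\Windows\\Temp"}
{"Computer":"srv-ex01","Image":"C:\\share$\\PsExec.exe","CommandLine":"PsExec.exe \\\\ws-102 -s cmd /c copy C:\\share$\\pdf.dll C:\\Windows\\Temp"}
{"Computer":"srv-ex01","Image":"C:\\share$\\PsExec.exe","CommandLine":"PsExec.exe \\\\ws-103 -s cmd /c copy C:\\share$\\pdf.dll C:\\Windows\\Temp"}
{"Computer":"admin-pc","Image":"C:\\Tools\\PsExec.exe","CommandLine":"PsExec.exe \\\\fs-01 ipconfig /all"}
"""


def detect_sample():
    """Run the detector over the constructed records; returns {'srv-ex01': [...]}."""
    return psexec_fanout(parse_jsonl(SAMPLE))
```

The single-target admin run from admin-pc is deliberately left out of the result, which is what keeps the threshold-based check usable on a network where PsExec is in legitimate use.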
Attacks of Entropy Ransomware
In the first attack, the operators exploited the ProxyShell vulnerabilities in the Exchange server to gain access to the machine.
The threat actor then spent nearly four months stealing private data before encrypting computers with Entropy ransomware.
After that, they initiated a second attack, which deployed the Dridex malware on a computer belonging to a regional government organization.
The most important point noted by the experts is that both attacks were possible because the targets had vulnerable Windows machines.
In both cases, the threat actors relied on a lack of diligence: the targets had vulnerable Windows systems, which allowed the attackers to initiate the attack.
Properly patched machines, such as Exchange servers, force attackers to work harder to gain initial access to the organizations they target.