Recently, two incidents at different organizations in which attackers deployed Entropy ransomware were preceded by infections with tools that gave the attackers remote access, Cobalt Strike beacons and Dridex malware, on some of the targets' computers before the ransomware was launched.

The similarities were discovered by Sophos while investigating these incidents, in which the attackers used Dridex to launch Entropy ransomware. The attacks targeted a media company and a government agency, with custom builds of the ransomware deployed on some of the targets' computers.

Some aspects of the attacks were consistent. In both cases, the attackers relied heavily on Cobalt Strike as a means of infecting more machines, achieving varying levels of success depending on whether the target had protection installed on a given machine. The attackers also performed redundant exfiltration of private data to more than one cloud storage provider. During forensic analysis, we found multiple instances of Dridex, the well-known general-purpose malware that its operators can use to distribute other malware.

In the first incident, the attackers exploited the ProxyShell vulnerabilities in the network of a North American media organization to install a remote shell on the target's Exchange server, then used it to spread Cobalt Strike beacons to other computers. Over a period of four months, the attackers took their time probing the organization and stealing data before launching the ransomware in early December.

In the second Entropy attack, this time against a regional government organization, a malicious email attachment had infected a user's computer with the Dridex botnet Trojan, and the attackers used Dridex to deliver additional malware (such as the commercial ScreenConnect remote access utility) and to move laterally within the target's network.

In both cases, the ransomware attackers used freely available tools, such as the Windows Sysinternals PsExec and PsKill utilities and the AdFind utility, a tool designed for IT administrators to query Active Directory servers. They also used the free WinRAR compression utility to package the stolen private data, then uploaded the archives to several cloud storage providers using the Chrome browser.

These tactics are unfortunately quite common among ransomware threat actors. Endpoint protection tools do not usually block these and other dual-use utilities, because they have legitimate uses.
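Because endpoint tools will not block AdFind, PsExec, PsKill or WinRAR on their own, the practical signal is the sequence: directory enumeration, then remote execution against other hosts, then archive creation, all on one host within a short window. The following is an added example (not Sophos's detection content or anything from the original report) that scores that chain over process-creation telemetry. The `timestamp|host|user|image|commandline` record format, the command-line patterns, the 24-hour window and the three-stage threshold are all assumptions for illustration, and the log lines are constructed, not captured from either incident.

```python
import re
from datetime import datetime, timedelta

# Each stage is keyed to a loose command-line pattern rather than to the image
# name alone: attackers rename binaries, but the argument shapes these utilities
# take (AdFind's -f filter, PsExec's \\host target, rar's "a" verb) stay put.
# Patterns are illustrative assumptions, not vendor-published rules.
STAGES = {
    "discovery": re.compile(r"adfind(\.exe)?\b.*\s-f\s", re.I),            # AD enumeration
    "lateral":   re.compile(r"psexec(\.exe)?\b.*\\\\[\w.-]+", re.I),       # remote exec on \\host
    "kill":      re.compile(r"pskill(\.exe)?\b", re.I),                     # process termination
    "staging":   re.compile(r'\b(winrar|rar)(\.exe)?\b"?\s+a\b', re.I),     # archive creation
}
WINDOW = timedelta(hours=24)   # assumption: stages within one day form one chain
MIN_STAGES = 3                 # assumption: three distinct stages on one host is worth a ticket


def parse_event(line):
    """Parse one constructed 'timestamp|host|user|image|commandline' record."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmdline": cmdline}


def classify(event):
    """Return the stage this event indicates, or None if it matches nothing."""
    for stage, pattern in STAGES.items():
        if pattern.search(event["cmdline"]):
            return stage
    return None


def find_chains(lines):
    """Group stage hits per host and report hosts where at least MIN_STAGES
    distinct stages occur within WINDOW. Returns {host: sorted stage names}."""
    per_host = {}
    for line in lines:
        event = parse_event(line)
        stage = classify(event)
        if stage:
            per_host.setdefault(event["host"], []).append((event["ts"], stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(stages) >= MIN_STAGES:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample telemetry (not real data). The last two lines are an
# administrator using the same tools legitimately on a different host; only
# WS-FIN-07 shows the discovery -> lateral -> staging chain.
SAMPLE_LOG = [
    r'2021-12-01T01:55:10|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Temp\adfind.exe -f objectcategory=computer -csv name operatingsystem > C:\Temp\hosts.csv',
    r'2021-12-01T02:20:43|WS-FIN-07|CORP\jdoe|C:\Temp\PsExec.exe|PsExec.exe -accepteula \\FS01 -s cmd.exe /c whoami',
    r'2021-12-01T03:02:08|WS-FIN-07|CORP\jdoe|C:\Program Files\WinRAR\WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" a -r -hpPASS C:\Users\Public\hr.rar \\FS01\HR',
    r'2021-12-01T03:40:51|WS-FIN-07|CORP\jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe --profile-directory=Default',
    r'2021-12-01T09:15:00|ADMIN-01|CORP\itops|C:\Tools\PsExec.exe|PsExec.exe \\WS-HR-12 -s cmd.exe /c gpupdate /force',
    r'2021-12-02T11:00:00|ADMIN-01|CORP\itops|C:\Tools\pskill.exe|pskill.exe \\WS-HR-12 notepad',
]

if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The Chrome launch is deliberately not a stage: a browser start says nothing by itself, and the upload to cloud storage that the article describes is better caught from proxy or DNS logs for storage providers the organization does not use, which can then be correlated with the host that produced the archive.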

The Entropy samples in both cases were delivered as Windows DLLs compiled for the 32-bit architecture. Dridex payloads were retrieved from various systems in both EXE and DLL form, compiled for both 32-bit and 64-bit architectures. For the comparison, we looked at the 32-bit Dridex bots.
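Sorting recovered payloads into EXE versus DLL and 32-bit versus 64-bit, as the comparison above does, needs only the COFF file header and the optional-header magic. The following is an added example (not Sophos's tooling or code from either investigation) that reads those fields directly from the bytes. `build_minimal_pe` constructs header-only PE images purely so the example runs offline; they are not real samples, and the field offsets come from the PE/COFF specification.

```python
import struct

# Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64", 0x01C4: "ARMNT"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_summary(data: bytes) -> dict:
    """Classify a PE image by architecture and image type from its headers.

    Reads only the DOS header, the PE signature, the COFF file header and the
    optional-header magic, so it also works on truncated or partial dumps.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, timestamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # Optional header starts 24 bytes after the signature; its first word is the magic.
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    pe_format = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "unknown")
    bits = 64 if machine in (0x8664, 0xAA64) else 32
    # A PE32 magic paired with a 64-bit machine (or the reverse) points to a
    # tampered or hand-built header, so neither field is trusted on its own.
    consistent = (pe_format == "PE32+") == (bits == 64)
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04X}"),
        "bits": bits,
        "pe_format": pe_format,
        "image_type": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "timestamp": timestamp,
        "consistent": consistent,
    }


def select_32bit(samples: dict) -> list:
    """Return the names of the 32-bit samples from a {name: bytes} mapping."""
    return sorted(name for name, data in samples.items()
                  if pe_summary(data)["bits"] == 32)


def build_minimal_pe(machine: int, is_dll: bool) -> bytes:
    """Constructed header-only PE image for demonstration; not a real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32PLUS_MAGIC if machine in (0x8664, 0xAA64) else PE32_MAGIC
    optional = struct.pack("<H", magic) + bytes(94)   # remaining fields zeroed
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), chars)
    return bytes(dos) + b"PE\0\0" + file_header + optional


if __name__ == "__main__":
    samples = {
        "entropy_a.dll": build_minimal_pe(0x014C, True),
        "dridex_b.exe": build_minimal_pe(0x8664, False),
        "dridex_c.dll": build_minimal_pe(0x014C, True),
    }
    for name, data in samples.items():
        print(name, pe_summary(data))
    print("32-bit:", select_32bit(samples))
```

On real samples, run this before anything that loads the file: a DLL and an EXE need different sandboxes, and a 64-bit payload silently fails in a 32-bit analysis VM.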

Notably, the research found that in both cases the attackers were able to take advantage of vulnerable, unpatched Windows systems and to abuse legitimate tools. Regular application of security patches, together with active investigation of suspicious alerts by threat hunters and security operations teams, makes it harder for attackers to gain initial access to a target and deploy malicious code. Defenders should stay on guard for these vulnerabilities and techniques.
