Malware

Resume

In 2015 and 2016, Dridex was one of the most prolific eCrime banking Trojans on the market and, since 2014, those efforts are thought to have netted Indrik Spider millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates, with new modules developed and new anti-analysis features added to the malware.
In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.'s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex.

Malware Used

  • Babuk Locker
  • BitPaymer
  • Cridex
  • Dridex
  • DoppelPaymer
  • Entropy
  • Hades
  • Macaw Locker
  • Phoenix
  • SocGholish
  • WastedLoader
  • WastedLocker
  • GameOver Zeus
  • PayloadBIN
  • ColorFake
  • FakeUpdates

Dridex

DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware. While the malware was initially used as a traditional banking Trojan, beginning as early as 2018 Mandiant observed DRIDEX used as a conduit to deploy post-exploitation frameworks onto victim machines.
Security researchers also began to report DRIDEX preceding BITPAYMER deployments, which was consistent with a broader emerging trend at the time of ransomware being deployed post-compromise in victim environments. Although Evil Corp was sanctioned for the development and distribution of DRIDEX, the group was already beginning to shift towards more lucrative ransomware operations.
UNC2165 activity likely represents another evolution in Evil Corp affiliated actors' operations. Numerous reports have highlighted the progression of linked activity, including development of new ransomware families and a reduced reliance on DRIDEX to enable intrusions. Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to operations publicly attributed to Evil Corp, including a heavy reliance on FAKEUPDATES to obtain initial access to victims and overlaps in their infrastructure and use of particular ransomware families.
Recently, the new Entropy ransomware has been linked to Dridex due to several similarities.

Wasted Locker

WastedLocker has a command-line interface that attackers can use to control the way it operates; they can specify particular directories to target and prioritize which sets of files are encrypted first. The CLI also allows attackers to encrypt files on specified network resources.
WastedLocker also features a bypass for User Account Control (UAC) on Windows machines, which is a security check meant to prevent malicious privilege escalation.
WastedLocker uses a combination of AES and a publicly available reference implementation of RSA named "rsaref". For each processed file, WastedLocker generates a unique 256-bit key and a 128-bit IV, which are used to encrypt the file content with AES-256 in CBC mode. The AES key, the IV and the MD5 hash of the original content, together with some auxiliary information, are encrypted with a public RSA key embedded in the Trojan's body.
The result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info. This is a rare approach that was previously used by the BitPaymer and DoppelPaymer trojans.

Macaw Locker

This ransomware acts as a common cryptovirus: it locks files by encrypting them and appends the .macaw extension. This suffix appears at the end of the original file name, right after the original file type extension. The threat then moves on to ransom note delivery, so macaw_recover.txt is placed in the various folders containing affected data and on the desktop.
The negotiation page is generated for each specific victim. The creators of Macaw Locker list the campaign ID and contact information, such as the Tor site, in the text file. The page that victims land on once the link is clicked shows an introduction and an explanation of what happened to the company and how to decrypt the affected files. Three files can be submitted for free decryption, and negotiations may start from there.
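The WastedLocker and Macaw Locker descriptions above name concrete on-disk artifacts: the .garminwasted_info key container (Base64 of RSA-encrypted key material), the .macaw extension and the macaw_recover.txt note, plus the .locked extension from the comparison of DoppelPaymer and BitPaymer further down. The following triage script is an added example, not code from the page or from any vendor report: it walks a directory tree, buckets matching files by indicator category, and sanity-checks each .garminwasted_info file by strictly decoding its Base64 content. The assumption that a well-formed blob decodes to exactly one RSA block (128, 256 or 512 bytes) is a heuristic of this example and is not stated on the page; the sample files it builds are constructed placeholders, not real malware output.

```python
import base64
import binascii
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# File-name indicators quoted on the page; the family labels follow the page's text.
ENCRYPTED_EXTENSIONS = {
    ".macaw": "Macaw Locker",
    ".locked": "DoppelPaymer / older BitPaymer",
}
KEY_BLOB_EXTENSION = ".garminwasted_info"      # WastedLocker per-file key container
RANSOM_NOTES = {"macaw_recover.txt": "Macaw Locker"}

# Assumption (not stated on the page): the blob is one RSA ciphertext block,
# so its decoded length should equal a 1024-, 2048- or 4096-bit modulus.
PLAUSIBLE_RSA_BLOCK_SIZES = (128, 256, 512)

# Constructed stand-in for a well-formed blob: Base64 of 512 arbitrary bytes.
SAMPLE_BLOB = base64.b64encode(bytes(range(256)) * 2)


def classify(path: Path) -> Optional[str]:
    """Map a file name to an indicator category, or None if nothing matches."""
    name = path.name.lower()
    if name in RANSOM_NOTES:
        return f"ransom note ({RANSOM_NOTES[name]})"
    if name.endswith(KEY_BLOB_EXTENSION):
        return "key blob (WastedLocker)"
    for ext, family in ENCRYPTED_EXTENSIONS.items():
        if name.endswith(ext):
            return f"encrypted file ({family})"
    return None


def is_plausible_key_blob(data: bytes) -> bool:
    """The page says WastedLocker stores the RSA-encrypted key material Base64-encoded.
    Accept only text that decodes strictly and whose length is a whole RSA block."""
    try:
        raw = base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) in PLAUSIBLE_RSA_BLOCK_SIZES


def scan_tree(root: Path) -> Dict[str, List[Path]]:
    """Walk `root` and bucket matching files by indicator category."""
    hits: Dict[str, List[Path]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            category = classify(p)
            if category is None:
                continue
            if category.startswith("key blob") and not is_plausible_key_blob(p.read_bytes()):
                category = "malformed key blob (name matches, content does not)"
            hits.setdefault(category, []).append(p)
    return hits


def summarize(root: Path) -> Counter:
    """Indicator category -> number of matching files."""
    return Counter({cat: len(paths) for cat, paths in scan_tree(root).items()})


def build_fixture(root: Path) -> Path:
    """Create constructed sample files (not real malware output) for a dry run."""
    docs = root / "share" / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "q1.xlsx.macaw").write_bytes(b"\x00" * 64)
    (docs / "q2.xlsx.macaw").write_bytes(b"\x00" * 64)
    (docs / "macaw_recover.txt").write_text("constructed ransom note placeholder\n")
    (docs / "plan.docx.locked").write_bytes(b"\x00" * 64)
    (docs / "budget.pdf.garminwasted_info").write_bytes(SAMPLE_BLOB)     # well-formed
    (docs / "memo.txt.garminwasted_info").write_bytes(b"not base64 !!!")  # name-only match
    (docs / "readme.md").write_text("benign file\n")
    return root


def demo() -> Counter:
    """Build the fixture in a temporary directory and return its summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(build_fixture(Path(tmp)))


if __name__ == "__main__":
    for category, count in sorted(demo().items()):
        print(f"{count:3d}  {category}")
```

Separating "key blob" from "malformed key blob" matters during incident response: a name match alone may be a decoy or an interrupted write, while a strictly decodable blob of RSA block size is consistent with the per-file key container the page describes, and those files are exactly what a recovery team needs to preserve.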

Malware Timeline

Evolution between different ransomware variants - SentinelOne (Feb 2022)
  • Dridex (< 2015)
  • BitPaymer (Aug 2017 - 2020)
  • WastedLocker (May 2020 - Jul 2020)
  • Hades (Dec 2020 - Mar 2021)
  • MacawLocker (sometime in 2021)
  • PhoenixLocker (Mar 2021)
  • PayloadBIN (Apr 2021 - Jun 2021)

Similarities

Overlaps between ransomware families - SentinelOne (Feb 2022)

DoppelPaymer & BitPaymer

| | DoppelPaymer | BitPaymer |
| --- | --- | --- |
| Ransom note | Each readme file contains an encrypted 256-bit AES key in a field named DATA. | Each readme file contains an encrypted 256-bit AES key in a field named KEY. Older versions contained an encrypted 128-bit RC4 key in the KEY field. Current versions use anonymous email services such as ProtonMail for ransom payment negotiations. |
| Encryption | 2048-bit RSA + 256-bit AES | 4096-bit RSA + 256-bit AES. Older versions used 1024-bit RSA + 128-bit RC4. |
| Encryption (AES) padding scheme | Standard padding (PKCS#7) | Random bytes specified in a field named TAIL |
| Ransom filename | Encrypted files are renamed with a .locked extension. | Encrypted files are renamed with the victim name as the extension. Older versions appended the .locked suffix to the names of encrypted files. |

BitPaymer & WastedLocker

  • Abuse of Alternate Data Streams (ADS)
  • Customized API resolving method
  • Similar UAC bypass
  • Encryption methods
  • Ransom note
  • Same style of command-line arguments
  • Victim-specific elements are added using a dedicated builder rather than at compile time

WastedLocker & Hades

  • Different UAC bypass methods: both taken from UACME project
  • Hades does not include victim information in the ransom note, whereas WastedLocker does; instead, the Hades note contains a Tox channel for communicating and negotiating with victims
  • Hades doesn't use ADS whereas WastedLocker and BitPaymer do
  • Hades stores key information in each encrypted file while WastedLocker and Bitpaymer store key information inside a ransom note
Complete analysis and report here