OXFORD, U.K.  — 二月 23, 2022 —

Sophos, a global leader in next-generation cybersecurity, today released new research, “Dridex Bots Deliver Entropy in Recent Attacks,” that details code similarities in the general purpose Dridex botnet and the little-known ransomware, Entropy. The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text.

Sophos uncovered the similarities while investigating two incidents where attackers used Dridex to deliver Entropy ransomware. These attacks targeted a media company and a regional government agency, using specially crafted, customized versions of the Entropy ransomware dynamic link library (DLL) with the target’s name embedded in the ransomware code. In both attacks, the attackers also deployed Cobalt Strike on some of the targets’ computers and exfiltrated data to cloud storage providers using the legitimate WinRAR compression tool, before launching the ransomware on unprotected computers.

“It’s not unheard of for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, intentionally mislead attribution or distract security researchers. This approach makes it harder to find evidence that corroborates a ‘family’ of related malware or to identify ‘false flags’ that can make attackers’ jobs easier and investigators’ jobs harder,” said Andrew Brandt, principal researcher at Sophos. “In this analysis, Sophos focused on aspects of the code that both Dridex and Entropy apparently used to make forensic analysis more challenging. These include the packer code, which prevents easy static analysis of the underlying malware, a subroutine that the programs use to conceal the command (API) calls they make, and a subroutine that decrypts encrypted text strings embedded within the malware. The researchers found that the subroutines in both malware have a fundamentally similar code flow and logic.”

Different Attack Methodology

In addition to finding similarities in the code, Sophos researchers found some notable differences. In the attack on the media organization, the adversaries used the ProxyShell exploit to target a vulnerable Exchange server to install a remote shell they later leveraged to spread Cobalt Strike beacons to other computers. The attackers were in the network for four months before launching Entropy at the beginning of December 2021.

In the attack on the regional government organization, the target was infected with Dridex malware through a malicious email attachment. The attackers then used Dridex to deliver additional malware and move laterally within the target’s network. The incident analysis shows that approximately 75 hours after the initial detection of a suspicious login attempt on a single machine, the attackers started to steal data and move it to a series of cloud providers.

Staying Protected

The investigation found that in both cases, the attackers were able to take advantage of unpatched and vulnerable Windows systems and abuse legitimate tools. Regular security patching and the active investigation of suspicious alerts by threat hunters and security operations teams will help to make it harder for attackers to gain initial access to a target and deploy malicious code.

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research. 

For further information, read the article “Dridex Bots Deliver Entropy in Recent Attacks.”

关于 Sophos

Sophos 是先进网络安全解决方案的全球领导者和创新者,包括托管式侦测与响应 (MDR) 和事件响应服务,各种端点、网络、电子邮件和云安全技术,帮助企业防御网络攻击。作为最大的纯网络安全供应商之一,Sophos 帮助全球超过 500,000 家企业和超过 1 亿用户抵御主动攻击对手、勒索软件、网络钓鱼、恶意软件等。Sophos 的服务和产品通过 Sophos Central 云管理控制台连接,并得到内部跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos 为需要全托管并即使可用的安全解决方案的企业提供网络安全即服务,客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com.