Researchers link Dridex botnet to emergent Entropy ransomware

Researchers at Sophos have posited a link between the Dridex trojan-cum-botnet and a newly emergent ransomware dubbed Entropy, with a number of code similarities in the software packer, the malware subroutines that find and obfuscate commands, and the subroutines used to decrypt encrypted data.

Sophos hit on the links while investigating two different attacks – one on a media organisation in North America, and the other on a regional government organisations – in which Dridex was used as a vector to deliver Entropy ransomware.

In both attacks, the threat actors used specially crafted versions of the Entropy dynamic link library (DLL) that incorporated the target’s name in the ransomware code, followed by a line from the 2005 young adult novel Looking for Alaska by John Green – “Entropy increases. Things fall apart” – hence its nomenclature. They then deployed Cobalt Strike on their systems to exfiltrate data using the legitimate WinRAR compression tool, after which they launched the ransomware.

Sophos principal researcher Andrew Brandt said: “It’s not unheard of for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, intentionally mislead attribution or distract security researchers. This approach makes it harder to find evidence that corroborates a ‘family’ of related malware or to identify ‘false flags’ that can make attackers’ jobs easier and investigators’ jobs harder.

“In this analysis, Sophos focused on aspects of the code that both Dridex and Entropy apparently used to make forensic analysis more challenging. These include the packer code, which prevents easy static analysis of the underlying malware, a subroutine that the programs use to conceal the command (API) calls they make, and a subroutine that decrypts encrypted text strings embedded within the malware. The researchers found that the subroutines in both malware have a fundamentally similar code flow and logic.”

However, there were also some noteworthy differences in how the attackers went about compromising their targets.

In the attack on the unnamed media organisation, for example, the actors used the infamous ProxyShell vulnerability to access an unpatched Exchange server, where they installed a remote shell that they could use to spread Cobalt Strike beacons. They hung around in their victim’s network for four months before launching the ransomware hit.

However, in the other attack, the victim was compromised through Dridex malware spread via a malicious email attachment. Once deployed, the attackers used Dridex to deliver malware and begin lateral movement through the network. In this case, the dwell time dropped to just over three days before the attackers started to exfiltrate data.

Sophos additionally noted that in both attacks, the gang behind Entropy took advantage of unpatched and vulnerable Windows systems and abused legitimate tools – the victims had clearly failed to pay attention to some critical aspects of cyber security hygiene, notably patching and anti-phishing training.