Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators behind it are continuing to run their extortion operations under new names.
“The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity firm Sophos said in a report shared with The Hacker News.
The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access.
Despite the consistency in some aspects of the twin attacks, they also varied significantly with regard to the initial access vector used to get inside the networks, the length of time spent in each environment, and the malware employed to launch the final phase of the intrusion.
The attack on the media organization used the ProxyShell exploit against a vulnerable Exchange Server with the goal of installing a web shell that, in turn, was used to spread Cobalt Strike Beacons across the network. Read more: https://bit.ly/3t2251W