Code similarities discovered in Dridex botnet and Entropy ransomware

Sophos published a new report titled “Dridex Bots Deliver Entropy in Recent Attacks”. The topic is the similarity in the codes of the Dridex botnet and the lesser-known ransomware Entropy.

Both show analogies in three areas: in the software packer used to obfuscate ransomware code, in the malware subroutines used to find and obfuscate commands (API calls), and in the subroutines used to decrypt encoded text are used.

Sophos security researchers discovered the similarities while investigating two incidents in which attackers used Dridex to proliferate Entropy ransomware. The attacks targeted a media company and a regional government agency. It used specially customized versions of the Entropy Ransomware Dynamic Link Library (DLL) that embed the target’s name in the ransomware code. In both attacks, the attackers also used Cobalt Strike on some target computers and injected data into cloud storage using the WinRAR compression tool before launching the ransomware on unprotected computers.

“It’s not uncommon for malware criminals to swap, borrow, or even steal code. This is done with the aim of saving yourself the work of creating your own code, obfuscating the assignment or distracting security researchers. This practice complicates the evidence needed to confirm a family of related malware or to identify false flags,” said Andrew Brandt, Principal Researcher at Sophos.

“In this analysis, Sophos has focused on aspects of the code that both Dridex and Entropy appear to have used to complicate forensic analysis. Our researchers found that the subprograms in both malicious programs share a fundamentally similar code flow and logic.”

Different attack methods despite similarities in code

In addition to the similarities in code, Sophos also found some notable differences. In the media company attack, the attackers used the ProxyShell exploit to attack an Exchange server and install a remote shell command. The attackers later used these to spread Cobalt Strike beacons to other computers. The attackers were on the network for four months before launching Entropy in early December 2021.

In the attack on the government organization, the target was infected with the Dridex malware via a malicious email attachment. The attackers then used Dridex to spread more malware and move laterally in the target’s network. Analysis of the incident shows that the attackers began stealing data and transferring it to a number of cloud providers about 75 hours after first detecting a suspicious login attempt on a single computer.

Patch and protect actively

The investigation by the Sophos security specialists showed that in both cases the attackers managed to exploit unpatched and vulnerable Windows systems and misuse legitimate tools. Regular security patching and active investigation of suspicious messages by threat hunters and security operations teams make it harder for attackers to gain access to a target and install malicious code. Sophos endpoint products, such as Intercept X, protect organizations by detecting the actions and behavior of ransomware and other attacks, as detailed in this Sophos study.