Attackers used Dridex to deliver Entropy ransomware, code resemblance uncovered

2022-02-24 05:30

Sophos uncovered the similarities while investigating two incidents where attackers used Dridex to deliver Entropy ransomware.

These attacks targeted a media company and a regional government agency, using specially crafted, customised versions of the Entropy ransomware dynamic link library with the target's name embedded in the ransomware code.

"In this analysis, Sophos focused on aspects of the code that both Dridex and Entropy apparently used to make forensic analysis more challenging. These include the packer code, which prevents easy static analysis of the underlying malware, a subroutine that the programs use to conceal the command calls they make, and a subroutine that decrypts encrypted text strings embedded within the malware. The researchers found that the subroutines in both malware have a fundamentally similar code flow and logic."

Dridex and Entropy have code similarities but different attack methodology.

The attackers then used Dridex to deliver additional malware and move laterally within the target's network.

Regular security patching and the active investigation of suspicious alerts by threat hunters and security operations teams will help to make it harder for attackers to gain initial access to a target and deploy malicious code.

News URL

https://www.helpnetsecurity.com/2022/02/24/dridex-entropy-code-similarities/

#dridex #ransomware