
Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. The group began with the Dridex banking Trojan and by 2017 had moved into ransomware operations using BitPaymer, WastedLocker, and Hades. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed its tactics and diversified its toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
ID: G0119
Associated Groups: Evil Corp, DEV-0243, Manatee Tempest, UNC2165
Version: 4.1
Created: 06 Jan 2021
Last Modified: 28 Oct 2024

Associated Group Descriptions

Name Description
Evil Corp (Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
DEV-0243 (Citation: Microsoft Threat Actor Naming July 2023)
Manatee Tempest (Citation: Microsoft Threat Actor Naming July 2023)
UNC2165 (Citation: Mandiant_UNC2165)

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire for execution of malware.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victims' machines.(Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165)

.007 Command and Scripting Interpreter: JavaScript

Indrik Spider has used malicious JavaScript files for several components of their attack.(Citation: Symantec WastedLocker June 2020)

Enterprise T1584 .004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1136 .001 Create Account: Local Account

Indrik Spider has created local system accounts and has added the accounts to privileged groups.(Citation: Mandiant_UNC2165)
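The create-then-elevate pattern above is easy to hunt for if account creation and group membership events are correlated on the same host. The following is an added detection example, not code from the ATT&CK page or from the cited Mandiant report. It assumes simplified Windows Security event records (4720 = account created, 4732 / 4728 = member added to a local / global security group) with the field names used here; the sample events, the privileged-group list and the 30-minute window are all constructed for this example.

```python
"""Hunt for a local account that is created and then added to a privileged group (T1136.001).

Added example; event field names are a simplified form of Windows Security log
fields chosen for this illustration, and the sample records are constructed.
"""
from datetime import datetime, timedelta

# Groups whose membership grants admin or remote-access rights (example list, extend per environment).
PRIVILEGED_GROUPS = {
    "Administrators", "Remote Desktop Users", "Backup Operators",
    "Domain Admins", "Enterprise Admins",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:14:05", "event_id": 4720, "host": "FS01",
     "subject": "CORP\\svc_backup", "target": "FS01\\support1", "group": None},
    {"time": "2024-03-01T02:14:09", "event_id": 4732, "host": "FS01",
     "subject": "CORP\\svc_backup", "target": "FS01\\support1", "group": "Administrators"},
    {"time": "2024-03-01T02:15:30", "event_id": 4732, "host": "FS01",
     "subject": "CORP\\svc_backup", "target": "FS01\\support1", "group": "Remote Desktop Users"},
    # Benign: helpdesk creates a standard user and adds it to Users only.
    {"time": "2024-03-01T09:00:00", "event_id": 4720, "host": "WS22",
     "subject": "CORP\\helpdesk", "target": "WS22\\jdoe", "group": None},
    {"time": "2024-03-01T09:00:03", "event_id": 4732, "host": "WS22",
     "subject": "CORP\\helpdesk", "target": "WS22\\jdoe", "group": "Users"},
    # Privileged add to a long-existing account: no matching creation, so not this pattern.
    {"time": "2024-03-01T10:30:00", "event_id": 4732, "host": "WS22",
     "subject": "CORP\\helpdesk", "target": "WS22\\olduser", "group": "Administrators"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_new_privileged_accounts(events, window=timedelta(minutes=30)):
    """Return one finding per account that was created (4720) and, within `window`
    on the same host, added to any group in PRIVILEGED_GROUPS (4732/4728)."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for created in (e for e in events if e["event_id"] == 4720):
        t0 = _ts(created["time"])
        groups = []
        for e in events:
            if e["event_id"] not in (4732, 4728):
                continue
            if e["host"] != created["host"] or e["target"] != created["target"]:
                continue
            delta = _ts(e["time"]) - t0
            if timedelta(0) <= delta <= window and e["group"] in PRIVILEGED_GROUPS:
                groups.append(e["group"])
        if groups:
            findings.append({
                "host": created["host"],
                "account": created["target"],
                "created_by": created["subject"],
                "created_at": created["time"],
                "groups": groups,
            })
    return findings


if __name__ == "__main__":
    for f in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['account']} created by {f['created_by']} "
              f"at {f['created_at']}, added to {', '.join(f['groups'])}")
```

The window matters: an account added to Administrators hours after creation may be routine provisioning, while a privileged add seconds after creation by a service account at 02:14 is the pattern described above. Tune the group list and window to the environment, and consider the subject account (who performed the creation) as a second pivot.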

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Indrik Spider has accessed and exported passwords from password managers.(Citation: Mandiant_UNC2165)

Enterprise T1074 .001 Data Staged: Local Data Staging

Indrik Spider has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020)

Enterprise T1587 .001 Develop Capabilities: Malware

Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.(Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165)

Enterprise T1585 .002 Establish Accounts: Email Accounts

Indrik Spider has created email accounts to communicate with their ransomware victims, including providing payment and decryption details.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.(Citation: Mandiant_UNC2165)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Indrik Spider used PsExec to run commands that reconfigured Windows Defender to disable scanning of downloaded files and to restrict real-time monitoring.(Citation: Symantec WastedLocker June 2020) Indrik Spider has used `MpCmdRun` to roll back Microsoft Defender's signature definitions.(Citation: Mandiant_UNC2165) Additionally, Indrik Spider has used WMI to stop, uninstall, and reset anti-virus products and other defensive services.(Citation: Mandiant_UNC2165)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Indrik Spider has used Cobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020) Additionally, Indrik Spider has cleared all event logs using `wevtutil`.(Citation: Mandiant_UNC2165)
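Every behaviour in the two entries above (Defender reconfiguration via PsExec, `MpCmdRun` definition removal, WMI tampering with AV services, `wevtutil` log clearing) leaves a process command line behind in Security 4688 or Sysmon Event ID 1 telemetry, so they can be caught with command-line rules before the logs are gone. The following is an added example, not code from the ATT&CK page or from the Symantec or Mandiant reports. The regexes are this example's own heuristics written from the behaviours listed above, the record field names (`host`, `user`, `parent_image`, `command_line`) are a simplified Sysmon-like shape chosen here, and the sample events are constructed. It also tags a hit as PsExec-launched when the parent image is `PSEXESVC.exe`, the service PsExec installs on the target.

```python
"""Command-line rules for Defender tampering (T1562.001) and event-log clearing (T1070.001).

Added example. The rules are heuristics written for this illustration; the event
records below are constructed, not real telemetry.
"""
import re

# (technique, rule name, regex applied to the lower-cased command line)
RULES = [
    ("T1562.001", "defender_disable_realtime",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)")),
    # -DisableIOAVProtection turns off scanning of downloaded files and attachments.
    ("T1562.001", "defender_disable_download_scan",
     re.compile(r"set-mppreference\b.*-disableioavprotection\s+(\$true|1)")),
    # MpCmdRun -RemoveDefinitions [-All] rolls signatures back to the engine's base set.
    ("T1562.001", "defender_remove_definitions",
     re.compile(r"mpcmdrun(\.exe)?\b.*-removedefinitions")),
    ("T1562.001", "wmi_av_service_tamper",
     re.compile(r"\bwmic\b.*\b(service|product)\b.*\bcall\s+(stopservice|uninstall|delete)")),
    ("T1070.001", "wevtutil_clear_log",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("T1070.001", "powershell_clear_eventlog",
     re.compile(r"\bclear-eventlog\b")),
]

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"host": "WS17", "user": "CORP\\admin2", "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true '
                     '-DisableIOAVProtection $true"'},
    {"host": "WS17", "user": "CORP\\admin2", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"host": "DC01", "user": "CORP\\admin2", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wevtutil.exe cl Security"},
    {"host": "WS17", "user": "CORP\\admin2", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wmic product where \"name like '%Antivirus%'\" call uninstall /nointeractive"},
    # Benign: scheduled signature update run by the platform service.
    {"host": "WS03", "user": "NT AUTHORITY\\SYSTEM", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate'},
    # Benign: an admin reading log configuration, not clearing it.
    {"host": "WS03", "user": "CORP\\helpdesk", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wevtutil.exe gl Security"},
]


def match_rules(command_line):
    """Return the (technique, rule) pairs whose regex matches the command line."""
    lowered = command_line.lower()
    return [(tech, name) for tech, name, rx in RULES if rx.search(lowered)]


def scan_process_events(events):
    """Apply the rules to each event and enrich hits with the PsExec parent check."""
    findings = []
    for ev in events:
        hits = match_rules(ev["command_line"])
        if not hits:
            continue
        parent = ev.get("parent_image", "").lower()
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "techniques": sorted({tech for tech, _ in hits}),
            "rules": [name for _, name in hits],
            "via_psexec": parent.endswith("psexesvc.exe"),
            "command_line": ev["command_line"],
        })
    return findings


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        tag = " [via PsExec]" if f["via_psexec"] else ""
        print(f"{f['host']} {f['user']} {','.join(f['techniques'])}{tag}: {f['command_line']}")
```

Because `wevtutil cl` removes the evidence from the endpoint, these rules are only useful if process-creation events are forwarded off-host as they occur; Security 1102 (audit log cleared) and Defender operational events such as 5001 (real-time protection disabled) are the complementary signals once the log on the box is gone.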

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Indrik Spider used fake updates for the Flash Player plugin and Google Chrome as initial infection vectors.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Indrik Spider has used RDP for lateral movement.(Citation: Mandiant_UNC2165)

.004 Remote Services: SSH

Indrik Spider has used SSH for lateral movement.(Citation: Mandiant_UNC2165)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Indrik Spider has conducted Kerberoasting attacks using a module from GitHub.(Citation: Mandiant_UNC2165)
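Kerberoasting leaves a distinctive trace on domain controllers: a burst of Security 4769 (Kerberos service ticket requested) events from one account, for many user-account SPNs, with the RC4 encryption type (0x17) that roasting tools request by default so the ticket can be cracked offline. The following is an added detection example, not code from the ATT&CK page or from the Mandiant report. It assumes 4769 records reduced to the field names used here (`account`, `client_ip`, `service`, `etype`, `status`); the sample events, the 3-service threshold and the 10-minute window are constructed for this example.

```python
"""Flag Kerberoasting-style bursts of RC4 service-ticket requests in 4769 events (T1558.003).

Added example. Field names are a simplified form of the 4769 event data;
sample records are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP. AES tickets are 0x11 (AES128) and 0x12 (AES256).
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample 4769 events.
SAMPLE_4769 = [
    {"time": "2024-03-02T03:10:01", "account": "jsmith@CORP.LOCAL", "client_ip": "10.1.5.23",
     "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-02T03:10:01", "account": "jsmith@CORP.LOCAL", "client_ip": "10.1.5.23",
     "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-02T03:10:02", "account": "jsmith@CORP.LOCAL", "client_ip": "10.1.5.23",
     "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-02T03:10:02", "account": "jsmith@CORP.LOCAL", "client_ip": "10.1.5.23",
     "service": "svc_sharepoint", "etype": "0x17", "status": "0x0"},
    # Computer-account SPN: keys are long and random, not a roasting target.
    {"time": "2024-03-02T03:10:02", "account": "jsmith@CORP.LOCAL", "client_ip": "10.1.5.23",
     "service": "WS14$", "etype": "0x17", "status": "0x0"},
    # Normal AES ticket for a service.
    {"time": "2024-03-02T08:30:00", "account": "jdoe@CORP.LOCAL", "client_ip": "10.1.7.8",
     "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    # A legacy application that genuinely still uses RC4 for two services.
    {"time": "2024-03-02T09:00:00", "account": "legacyapp@CORP.LOCAL", "client_ip": "10.1.9.1",
     "service": "svc_legacy", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-02T09:05:00", "account": "legacyapp@CORP.LOCAL", "client_ip": "10.1.9.1",
     "service": "svc_legacy2", "etype": "0x17", "status": "0x0"},
]


def is_roastable_service(service):
    """User accounts with SPNs are the targets; computer accounts and krbtgt are not."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_candidates(events, min_services=3, window=timedelta(minutes=10)):
    """Return one finding per (account, client_ip) that obtained RC4 service tickets
    for at least `min_services` distinct user-account SPNs within `window`."""
    by_requester = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["etype"].lower() not in RC4_ETYPES:
            continue
        if not is_roastable_service(e["service"]):
            continue
        by_requester[(e["account"], e["client_ip"])].append(e)

    findings = []
    for (account, ip), evs in by_requester.items():
        evs.sort(key=lambda x: x["time"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            in_window = [x for x in evs[i:]
                         if datetime.fromisoformat(x["time"]) - t0 <= window]
            services = sorted({x["service"] for x in in_window})
            if len(services) >= min_services:
                findings.append({"account": account, "client_ip": ip,
                                 "first_seen": first["time"], "services": services})
                break
    return findings


if __name__ == "__main__":
    for f in kerberoast_candidates(SAMPLE_4769):
        print(f"{f['account']} from {f['client_ip']} at {f['first_seen']}: "
              f"RC4 tickets for {', '.join(f['services'])}")
```

Two caveats a practitioner will want. First, legitimate RC4 use exists wherever an SPN account has AES disabled, so baseline which accounts normally request RC4 before alerting on a single ticket; the burst across many SPNs is the stronger signal. Second, tools can be told to request AES tickets, which this rule ignores, so pair it with a per-account count of distinct SPNs regardless of encryption type, and reduce the attack surface by giving service accounts long passwords or moving them to group Managed Service Accounts.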

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Indrik Spider has searched files to obtain and exfiltrate credentials.(Citation: Mandiant_UNC2165)

Enterprise T1204 .002 User Execution: Malicious File

Indrik Spider has attempted to get users to click on a malicious zipped file.(Citation: Symantec WastedLocker June 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.(Citation: Crowdstrike Indrik November 2018)

Software

ID Name References Techniques
S0363 Empire (Citation: Crowdstrike Indrik November 2018) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0612 WastedLocker (Citation: Crowdstrike EvilCorp March 2021) (Citation: Microsoft Ransomware as a Service) (Citation: NCC Group WastedLocker June 2020) (Citation: Sentinel Labs WastedLocker July 2020) (Citation: SentinelOne SocGholish Infrastructure November 2022) (Citation: Symantec WastedLocker June 2020) Encrypted/Encoded File, Bypass User Account Control, Windows Service, System Checks, DLL, Network Share Discovery, Peripheral Device Discovery, Windows File and Directory Permissions Modification, Native API, Deobfuscate/Decode Files or Information, Modify Registry, Junk Code Insertion, File and Directory Discovery, Data Encrypted for Impact, Query Registry, Windows Command Shell, Hidden Files and Directories, Service Execution, NTFS File Attributes, Inhibit System Recovery
S0154 Cobalt Strike (Citation: Crowdstrike EvilCorp March 2021) (Citation: Mandiant_UNC2165) (Citation: Microsoft Ransomware as a Service) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0695 Donut (Citation: Donut Github) (Citation: Introducing Donut) (Citation: NCC Group WastedLocker June 2020) Encrypted/Encoded File, JavaScript, Native API, Process Injection, Reflective Code Loading, Command and Scripting Interpreter, Indicator Removal, Process Discovery, PowerShell, Disable or Modify Tools, Python, Software Packing, Web Protocols, Visual Basic, Ingress Tool Transfer, Compression
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Crowdstrike Indrik November 2018) (Citation: Deply Mimikatz) (Citation: Mandiant_UNC2165) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0384 Dridex (Citation: Bugat v5) (Citation: Checkpoint Dridex Jan 2021) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Crowdstrike Indrik November 2018) (Citation: Dell Dridex Oct 2015) (Citation: Kaspersky Dridex May 2017) (Citation: Treasury EvilCorp Dec 2019) Scheduled Task, Malicious File, Symmetric Cryptography, DLL, System Information Discovery, Native API, Remote Access Tools, Browser Session Hijacking, Proxy, Multi-hop Proxy, Obfuscated Files or Information, Regsvr32, Asymmetric Cryptography, Web Protocols, Software Discovery
S0570 BitPaymer (Citation: Crowdstrike EvilCorp March 2021) (Citation: Crowdstrike Indrik November 2018) (Citation: FriedEx) (Citation: wp_encrypt) Encrypted/Encoded File, Bypass User Account Control, Local Account, Windows Service, System Service Discovery, Network Share Discovery, Windows File and Directory Permissions Modification, Native API, Timestomp, Modify Registry, Execution Guardrails, Token Impersonation/Theft, Registry Run Keys / Startup Folder, Data Encrypted for Impact, Query Registry, Remote System Discovery, NTFS File Attributes, Inhibit System Recovery
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec WastedLocker June 2020) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
