
Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. The group started out operating the Dridex banking Trojan, and by 2017 had moved into ransomware operations using BitPaymer, WastedLocker, and Hades. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed its tactics and diversified its toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
ID: G0119
Associated Groups: Evil Corp, UNC2165, Manatee Tempest, DEV-0243
Version: 4.1
Created: 06 Jan 2021
Last Modified: 28 Oct 2024

Associated Group Descriptions

Name Description
Evil Corp (Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
UNC2165 (Citation: Mandiant_UNC2165)
Manatee Tempest (Citation: Microsoft Threat Actor Naming July 2023)
DEV-0243 (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire to execute malware.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victims' machines.(Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Indrik Spider has used malicious JavaScript files for several components of their attack.(Citation: Symantec WastedLocker June 2020)

Enterprise T1584 .004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1136 .001 Create Account: Local Account

Indrik Spider has created local system accounts and has added the accounts to privileged groups.(Citation: Mandiant_UNC2165)

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Indrik Spider has accessed and exported passwords from password managers.(Citation: Mandiant_UNC2165)

Enterprise T1074 .001 Data Staged: Local Data Staging

Indrik Spider has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020)

Enterprise T1587 .001 Develop Capabilities: Malware

Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.(Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165)

Enterprise T1585 .002 Establish Accounts: Email Accounts

Indrik Spider has created email accounts to communicate with their ransomware victims, including to provide payment and decryption details.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.(Citation: Mandiant_UNC2165)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Indrik Spider has used PsExec to run commands that reconfigured Windows Defender, disabling the scanning of downloaded files and restricting real-time monitoring.(Citation: Symantec WastedLocker June 2020) Indrik Spider has used `MpCmdRun` to revert the definitions in Microsoft Defender.(Citation: Mandiant_UNC2165) Additionally, Indrik Spider has used WMI to stop, uninstall, or reset anti-virus products and other defensive services.(Citation: Mandiant_UNC2165)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Indrik Spider has used Cobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020) Additionally, Indrik Spider has cleared all event logs using `wevtutil`.(Citation: Mandiant_UNC2165)
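The defense-impairment and log-clearing behaviors above (T1562.001, T1070.001), together with the Rclone/MEGASync exfiltration listed under T1567.002, are all visible as process creations on the host. The block below is an added example written for this page, not code from ATT&CK or the cited reports: a Python matcher run over constructed Sysmon Event ID 1 (process creation) records. The command-line patterns (Set-MpPreference -DisableRealtimeMonitoring/-DisableIOAVProtection, MpCmdRun -RemoveDefinitions, wmic product ... call uninstall, wevtutil cl, rclone copy/sync to a remote, MEGAsync.exe) are my assumptions about how the reported tooling appears on a command line, not indicators taken from the reports; the sample events are made up.

```python
"""Match Indrik Spider-style defence impairment, log clearing and cloud exfiltration
against Sysmon Event ID 1 (process creation) records.

Example code written for this page, not from ATT&CK or the cited reports.
The regexes encode assumptions about how the reported tooling shows up on the
command line; SAMPLE_EVENTS are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    computer: str
    command: str


# (rule name, ATT&CK technique, pattern tested against "<Image> <CommandLine>").
RULES = [
    # Set-MpPreference switches that turn off real-time monitoring or the
    # scanning of downloaded files/attachments (IOAV). "$false" is benign.
    ("defender_realtime_or_ioav_disabled", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection)\s+(\$true|1)\b", re.I)),
    # MpCmdRun -RemoveDefinitions reverts Defender to its base signature set.
    ("defender_definitions_removed", "T1562.001",
     re.compile(r"\bMpCmdRun(\.exe)?\b.*-RemoveDefinitions\b", re.I)),
    # WMI-driven uninstall of an installed product (for example an AV suite).
    ("wmi_product_uninstall", "T1562.001",
     re.compile(r"\bwmic(\.exe)?\b.*\bproduct\b.*\bcall\s+uninstall\b", re.I)),
    # wevtutil cl / clear-log wipes a Windows event log channel.
    ("event_log_cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    # Rclone copy/sync/move to any remote, or the MEGAsync client itself.
    ("rclone_or_megasync_exfil", "T1567.002",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b|\bMEGAsync(\.exe)?\b", re.I)),
]


def evaluate(event: dict) -> list:
    """Return one Alert per rule that matches this process-creation event."""
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    return [
        Alert(name, technique, event.get("Computer", "?"), event.get("CommandLine", ""))
        for name, technique, pattern in RULES
        if pattern.search(haystack)
    ]


def detect(events) -> list:
    """Run every rule over every event, preserving event order."""
    return [alert for event in events for alert in evaluate(event)]


def techniques_observed(events) -> set:
    """ATT&CK technique IDs triggered by the event set, for a quick triage summary."""
    return {alert.technique for alert in detect(events)}


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed Sysmon EID 1 records, not real telemetry
    {"Computer": "WS-014", "ParentImage": r"C:\Windows\PSEXESVC.exe", "Image": POWERSHELL,
     "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"'},
    {"Computer": "WS-014", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"Computer": "SRV-APP02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic product where \"name like '%Antivirus%'\" call uninstall /nointeractive"},
    {"Computer": "SRV-APP02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "FS-02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS-02\Finance mega:staging --transfers 8"},
    # benign: an admin turning real-time monitoring back on, and an ordinary process
    {"Computer": "WS-033", "ParentImage": POWERSHELL, "Image": POWERSHELL,
     "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $false"'},
    {"Computer": "WS-033", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.technique} {alert.rule:36} {alert.computer}: {alert.command}")
```

The parent process is kept in each record on purpose: a Defender reconfiguration whose parent is PSEXESVC.exe (the service PsExec drops on the target) is far more suspicious than the same command typed in an interactive admin console, and a real deployment would weight that context. Pair this with Defender's own operational log (a Set-MpPreference change is also recorded there) so that clearing the Security log does not erase the only record.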

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Indrik Spider used fake updates for the Flash Player plugin and Google Chrome as initial infection vectors.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Indrik Spider has used RDP for lateral movement.(Citation: Mandiant_UNC2165)

Enterprise T1021 .004 Remote Services: SSH

Indrik Spider has used SSH for lateral movement.(Citation: Mandiant_UNC2165)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Indrik Spider has conducted Kerberoasting attacks using a module from GitHub.(Citation: Mandiant_UNC2165)
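Kerberoasting leaves a trace on the domain controller: every service ticket request is logged as Security Event ID 4769, and roasting tooling typically asks for RC4-HMAC tickets (encryption type 0x17) for many SPN-bearing user accounts in quick succession, because RC4 keys derive directly from the NT hash and crack far faster than AES. The block below is an added example written for this page, not code from ATT&CK or the cited Mandiant report: a Python detector over constructed 4769 records. The five-minute window and the three-service threshold are assumed tuning values, and the sample events are made up.

```python
"""Kerberoasting detection over constructed Windows Security Event ID 4769
(Kerberos service ticket requested) records.

Example code written for this page, not from ATT&CK or the cited Mandiant report.
Heuristic: successful TGS requests for user (non-machine, non-krbtgt) service
accounts with RC4-HMAC (etype 0x17) tickets, by one account, for several
distinct services inside a short window.  The window and threshold are
assumed tuning values, and SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                        # TicketEncryptionType value for RC4-HMAC
BURST_WINDOW = timedelta(minutes=5)      # assumed tuning value
BURST_THRESHOLD = 3                      # distinct services in the window; assumed


def is_roastable_request(event: dict) -> bool:
    """True for a successful RC4 service-ticket request against a user service account.

    Machine accounts (name ends with '$') have long random passwords and a
    request naming krbtgt is for the TGT itself, so neither is worth roasting."""
    service = event["ServiceName"]
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"].lower() == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def find_kerberoasting(events) -> dict:
    """Map each requesting account to the sorted service accounts it requested RC4
    tickets for within one BURST_WINDOW, when that set reaches BURST_THRESHOLD."""
    requests = defaultdict(list)
    for event in events:
        if is_roastable_request(event):
            requests[event["TargetUserName"]].append(
                (datetime.fromisoformat(event["TimeCreated"]), event["ServiceName"]))

    findings = {}
    for user, items in requests.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # sliding window anchored at each request
            in_window = {svc for ts, svc in items[i:] if ts - start <= BURST_WINDOW}
            if len(in_window) >= BURST_THRESHOLD:
                findings[user] = sorted(in_window)
                break
    return findings


def _evt(ts, user, service, etype, status="0x0", ip="10.20.4.17"):
    """Build a minimal 4769 record (field names follow the event's XML data)."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}


SAMPLE_EVENTS = [  # constructed, not real audit data
    # normal AES traffic from a user and from a machine account
    _evt("2024-03-02T09:10:02", "alice@CORP.LOCAL", "svc_sql", "0x12"),
    _evt("2024-03-02T09:11:40", "WS-014$@CORP.LOCAL", "FS-02$", "0x12"),
    # a single RC4 request (legacy client?) stays below the threshold
    _evt("2024-03-02T09:12:15", "bob@CORP.LOCAL", "svc_sql", "0x17"),
    # burst: RC4 tickets for four different service accounts in under two minutes
    _evt("2024-03-02T09:14:05", "jdoe@CORP.LOCAL", "svc_sql", "0x17", ip="10.20.9.201"),
    _evt("2024-03-02T09:14:06", "jdoe@CORP.LOCAL", "svc_backup", "0x17", ip="10.20.9.201"),
    _evt("2024-03-02T09:14:07", "jdoe@CORP.LOCAL", "svc_web", "0x17", ip="10.20.9.201"),
    _evt("2024-03-02T09:15:58", "jdoe@CORP.LOCAL", "svc_iis", "0x17", ip="10.20.9.201"),
    # a request naming krbtgt and a failed request are both ignored
    _evt("2024-03-02T09:16:00", "jdoe@CORP.LOCAL", "krbtgt", "0x17", ip="10.20.9.201"),
    _evt("2024-03-02T09:16:01", "jdoe@CORP.LOCAL", "svc_mail", "0x17", status="0x1B", ip="10.20.9.201"),
]

if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Two caveats before relying on this. The RC4 filter is a heuristic, not a guarantee: some legacy services only negotiate RC4, so baseline encryption-type usage per service first, and an attacker who targets accounts with AES keys can request AES tickets and slip past the etype check, which is why the burst of distinct services from one account (and, in practice, one source IP) is the stronger signal. Setting "This account supports Kerberos AES" on service accounts and rotating their passwords removes most of what the attack is after.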

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Indrik Spider has searched files to obtain and exfiltrate credentials.(Citation: Mandiant_UNC2165)

Enterprise T1204 .002 User Execution: Malicious File

Indrik Spider has attempted to get users to click on a malicious zipped file.(Citation: Symantec WastedLocker June 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.(Citation: Crowdstrike Indrik November 2018)

Software

ID Name References Techniques
S0363 Empire (Citation: Crowdstrike Indrik November 2018) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0612 WastedLocker (Citation: Crowdstrike EvilCorp March 2021) (Citation: Microsoft Ransomware as a Service) (Citation: NCC Group WastedLocker June 2020) (Citation: Sentinel Labs WastedLocker July 2020) (Citation: SentinelOne SocGholish Infrastructure November 2022) (Citation: Symantec WastedLocker June 2020) Windows Service, Hidden Files and Directories, Inhibit System Recovery, Modify Registry, System Checks, Data Encrypted for Impact, Windows Command Shell, Bypass User Account Control, Query Registry, Binary Padding, Peripheral Device Discovery, Native API, DLL Search Order Hijacking, File and Directory Discovery, NTFS File Attributes, Network Share Discovery, Deobfuscate/Decode Files or Information, Service Execution, Encrypted/Encoded File, Windows File and Directory Permissions Modification
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Mandiant_UNC2165) (Citation: Microsoft Ransomware as a Service) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, File Transfer Protocols, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S0695 Donut (Citation: Donut Github) (Citation: Introducing Donut) (Citation: NCC Group WastedLocker June 2020) Indicator Removal, Python, Process Injection, Command and Scripting Interpreter, Visual Basic, Obfuscated Files or Information, Process Discovery, Software Packing, Web Protocols, JavaScript, Native API, Reflective Code Loading, PowerShell, Ingress Tool Transfer, Disable or Modify Tools
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Crowdstrike Indrik November 2018) (Citation: Deply Mimikatz) (Citation: Mandiant_UNC2165) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0384 Dridex (Citation: Bugat v5) (Citation: Checkpoint Dridex Jan 2021) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Crowdstrike Indrik November 2018) (Citation: Dell Dridex Oct 2015) (Citation: Kaspersky Dridex May 2017) (Citation: Treasury EvilCorp Dec 2019) Symmetric Cryptography, DLL Side-Loading, Remote Access Software, Native API, Scheduled Task, Browser Session Hijacking, Software Discovery, Web Protocols, Regsvr32, Asymmetric Cryptography, Obfuscated Files or Information, Proxy, System Information Discovery, Multi-hop Proxy, Malicious File
S0570 BitPaymer (Citation: Crowdstrike EvilCorp March 2021) (Citation: Crowdstrike Indrik November 2018) (Citation: FriedEx) (Citation: wp_encrypt) Remote System Discovery, Execution Guardrails, Windows File and Directory Permissions Modification, Data Encrypted for Impact, Encrypted/Encoded File, Timestomp, Registry Run Keys / Startup Folder, Network Share Discovery, Token Impersonation/Theft, Query Registry, Inhibit System Recovery, Windows Service, Bypass User Account Control, NTFS File Attributes, System Service Discovery, Local Account, Modify Registry, Native API
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec WastedLocker June 2020) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
