Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Indrik Spider
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Indrik Spider
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
ID: G0119
Associated Groups: Evil Corp
Version: 2.1
Created: 06 Jan 2021
Last Modified: 15 Sep 2022

Associated Group Descriptions
Name Description
Evil Corp (Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire for execution of malware.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victim's machines.(Citation: Crowdstrike Indrik November 2018)

.007 Command and Scripting Interpreter: JavaScript

Indrik Spider has used malicious JavaScript files for several components of their attack.(Citation: Symantec WastedLocker June 2020)

Enterprise T1584 .004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.(Citation: Crowdstrike Indrik November 2018)

Enterprise T1074 .001 Data Staged: Local Data Staging

Indrik Spider has stored collected date in a .tmp file.(Citation: Symantec WastedLocker June 2020)
Enterprise T1484 .001 Domain Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.(Citation: Symantec WastedLocker June 2020)
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Indrik Spider has used Cobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)
Enterprise T1204 .002 User Execution: Malicious File

Indrik Spider has attempted to get users to click on a malicious zipped file.(Citation: Symantec WastedLocker June 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.(Citation: Crowdstrike Indrik November 2018)

Software
ID Name References Techniques
S0363 Empire (Citation: Crowdstrike Indrik November 2018) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0612 WastedLocker (Citation: Crowdstrike EvilCorp March 2021) (Citation: NCC Group WastedLocker June 2020) (Citation: Sentinel Labs WastedLocker July 2020) (Citation: Symantec WastedLocker June 2020) Windows Service, Hidden Files and Directories, Inhibit System Recovery, Modify Registry, System Checks, Data Encrypted for Impact, Windows Command Shell, Bypass User Account Control, Query Registry, Binary Padding, Peripheral Device Discovery, Native API, DLL Search Order Hijacking, File and Directory Discovery, NTFS File Attributes, Network Share Discovery, Deobfuscate/Decode Files or Information, Service Execution, Obfuscated Files or Information, Windows File and Directory Permissions Modification
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Crowdstrike EvilCorp March 2021) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0695 Donut (Citation: Donut Github) (Citation: Introducing Donut) (Citation: NCC Group WastedLocker June 2020) Indicator Removal, Python, Process Injection, Command and Scripting Interpreter, Visual Basic, Obfuscated Files or Information, Process Discovery, Software Packing, Web Protocols, JavaScript, Native API, Reflective Code Loading, PowerShell, Ingress Tool Transfer, Disable or Modify Tools
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Crowdstrike Indrik November 2018) (Citation: Deply Mimikatz) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0384 Dridex (Citation: Bugat v5) (Citation: Checkpoint Dridex Jan 2021) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Crowdstrike Indrik November 2018) (Citation: Dell Dridex Oct 2015) (Citation: Kaspersky Dridex May 2017) (Citation: Treasury EvilCorp Dec 2019) Symmetric Cryptography, Remote Access Software, Native API, Browser Session Hijacking, Software Discovery, Web Protocols, Asymmetric Cryptography, Obfuscated Files or Information, Proxy, System Information Discovery, Multi-hop Proxy, Malicious File
S0570 BitPaymer (Citation: Crowdstrike EvilCorp March 2021) (Citation: Crowdstrike Indrik November 2018) (Citation: FriedEx) (Citation: wp_encrypt) Remote System Discovery, Execution Guardrails, Windows File and Directory Permissions Modification, Data Encrypted for Impact, Obfuscated Files or Information, Timestomp, Registry Run Keys / Startup Folder, Network Share Discovery, Token Impersonation/Theft, Query Registry, Inhibit System Recovery, Windows Service, Bypass User Account Control, NTFS File Attributes, System Service Discovery, Local Account, Modify Registry, Native API
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec WastedLocker June 2020) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  2. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  3. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  4. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
  5. U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.