Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент BitPaymer
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
BitPaymer
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.(Citation: Crowdstrike Indrik November 2018)
ID: S0570
Associated Software: wp_encrypt FriedEx
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 Feb 2021
Last Modified: 26 Apr 2021

Associated Software Descriptions
Name Description
wp_encrypt (Citation: Crowdstrike Indrik November 2018)
FriedEx (Citation: Crowdstrike Indrik November 2018)

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BitPaymer can suppress UAC prompts by setting the HKCU\Software\Classes\ms-settings\shell\open\command registry key on Windows 10 or HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 and launching the eventvwr.msc process, which launches BitPaymer with elevated privileges.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

BitPaymer can use the tokens of users to create processes on infected systems.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1087 .001 Account Discovery: Local Account

BitPaymer can enumerate the sessions for each user logged onto the infected host.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BitPaymer has set the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

BitPaymer has attempted to install itself as a service to maintain persistence.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

BitPaymer can use icacls /reset and takeown /F to reset a targeted executable's permissions and then take ownership.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

BitPaymer has copied itself to the :bin alternate data stream of a newly created file.(Citation: Crowdstrike Indrik November 2018)
Enterprise T1070 .006 Indicator Removal: Timestomp

BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.(Citation: Crowdstrike Indrik November 2018)

Groups That Use This Software
ID Name References
G0119 Indrik Spider

(Citation: Crowdstrike Indrik November 2018) (Citation: Crowdstrike EvilCorp March 2021)

References

  1. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  2. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.