One of the largest malware operations on the internet, Evil Corp, is resuming its activity after briefly going dormant following the charges brought against several of the group’s members in December 2019, according to a new report from Fox-IT, part of NCC Group.
Evil Corp, also known as the Dridex gang, has been active since 2007 and has previously been associated with the Dridex malware and the BitPaymer ransomware. The group has managed the Dridex malware since 2014, providing access to the banking trojan to several groups and individual threat actors.
However, in 2017 Evil Corp shrank and used Dridex almost exclusively as part of BitPaymer ransomware campaigns that targeted mainly victims in North America, with a smaller number in Western Europe. During 2018 the group worked in collaboration with The Trick group, “specifically, leasing out access to BitPaymer for a while, prior to their use of Ryuk.”
“In 2019 a fork of BitPaymer usually referred to as DoppelPaymer appeared, although this was ransomware as a service and thus was not the same business model. We have observed some cooperation between the two groups, but as yet can draw no definitive conclusions as to the current relationship between these two threat actor groups,” the report said.
After the US Department of Justice unsealed indictments and the US Treasury Department took action against Evil Corp as a group, the gang went silent until January 2020, when the researchers observed the use of a Gozi variant, which they refer to as Gozi ISFB 2, and a customized CobaltStrike loader intended to replace the Empire PowerShell framework the gang had previously used.
As for the WastedLocker ransomware, the researchers say the malware emerged in May 2020. The new ransomware has little in common with BitPaymer, apart from some similarities in the ransom note.
“While many things have changed in the TTPs of Evil Corp recently, one very notable element has not changed, the distribution via the SocGholish fake update framework. This framework is still in use although it is now used to directly distribute a custom CobaltStrike loader,” according to the report.
Like other ransomware families, WastedLocker is designed to encrypt the files on the infected computer. Before the encryption process starts, however, the malware performs several actions to ensure it will run properly.
First, it decrypts the strings stored in its .bss section and then calculates a DWORD value that is used later to locate the decrypted strings related to the encryption process. If the malware is not running with administrator rights, or if the infected host runs Windows Vista or later (the versions that have UAC), WastedLocker attempts to elevate its privileges using a well-known UAC bypass method.
The researchers noted that instead of a list of targeted extensions, WastedLocker carries a list of directories and extensions to exclude from the encryption process. Files smaller than 10 bytes are also ignored, and large files are encrypted in blocks of 64 MB.
“For each encrypted file, the ransomware creates an additional file that includes the ransomware note. The encrypted file’s extension is set according to the targeted organizations name along with the prefix wasted (hence the name we have given to this ransomware),” according to the report.
Based on samples submitted to VirusTotal, the researchers estimate that WastedLocker has already been used as a ransomware payload in a handful of cases (around five), although they believe the number of infections could be higher.
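The file-selection rules and the per-file artifacts described in the two paragraphs above are enough to write an offline triage check for a directory listing taken from a suspected host. The script below is an added example, not code from the Fox-IT report or from the malware: it flags files whose extension ends in a victim-specific tag plus "wasted", pairs each with its ransom-note sibling, and, for files that were not touched, reports whether the described rules (excluded directory, excluded extension, under 10 bytes) would have skipped them and how many 64 MB blocks an at-risk file would need. The ransom-note filename (`<encrypted filename>_info`), the contents of the exclusion lists, the reading of "64MB" as 64 MiB, and the sample listing are all assumptions made for this example; the page does not supply them.

```python
import math
import re

# Behaviour taken from the article: the encrypted file's extension is built from
# the victim organisation's name followed by "wasted", a ransom-note file is
# written next to each encrypted file, files under 10 bytes are skipped, an
# exclusion list (not a target list) drives file selection, and large files are
# processed in 64 MB blocks.
MIN_FILE_SIZE = 10
BLOCK_SIZE = 64 * 1024 * 1024   # "64MB" read as 64 MiB; an assumption
NOTE_SUFFIX = "_info"           # ASSUMPTION: the page does not give the note's filename
# ASSUMPTION: hypothetical exclusion lists; the page says they exist but does not list them.
EXCLUDED_DIRS = {"windows", "program files"}
EXCLUDED_EXTS = {".exe", ".dll", ".sys", ".lnk"}

# "<original name>.<victimtag>wasted", e.g. report.docx.acmewasted -> "acme"
ENC_EXT_RE = re.compile(r"\.([a-z0-9]+)wasted$", re.IGNORECASE)


def parse_encrypted_name(filename):
    """Return the victim tag if filename carries a WastedLocker-style extension, else None."""
    m = ENC_EXT_RE.search(filename)
    return m.group(1).lower() if m else None


def blocks_for(size):
    """Number of 64 MB blocks needed to cover a file of the given size (minimum 1)."""
    return max(1, math.ceil(size / BLOCK_SIZE))


def _split(path):
    """Split a Windows or POSIX path into (lower-cased directory parts, filename)."""
    parts = path.replace("\\", "/").split("/")
    return [p.lower() for p in parts[:-1]], parts[-1]


def triage(entries):
    """entries: iterable of (path, size_in_bytes) from a directory listing.

    Returns a dict with:
      victim_tags  - tags seen in encrypted-file extensions
      encrypted    - paths of encrypted files
      missing_note - encrypted files with no ransom-note sibling in the listing
      skipped      - untouched files the described rules would have ignored, with reason
      at_risk      - untouched files that would have been encrypted, with block count
    """
    entries = list(entries)
    names = {path for path, _ in entries}
    result = {"victim_tags": set(), "encrypted": [], "missing_note": [],
              "skipped": {}, "at_risk": {}}
    for path, size in entries:
        dirs, name = _split(path)
        if name.endswith(NOTE_SUFFIX) and parse_encrypted_name(name[:-len(NOTE_SUFFIX)]):
            continue  # ransom note; accounted for via its encrypted sibling
        tag = parse_encrypted_name(name)
        if tag:
            result["victim_tags"].add(tag)
            result["encrypted"].append(path)
            if path + NOTE_SUFFIX not in names:
                result["missing_note"].append(path)
            continue
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if any(d in EXCLUDED_DIRS for d in dirs):
            result["skipped"][path] = "excluded directory"
        elif ext in EXCLUDED_EXTS:
            result["skipped"][path] = "excluded extension"
        elif size < MIN_FILE_SIZE:
            result["skipped"][path] = "below minimum size"
        else:
            result["at_risk"][path] = blocks_for(size)
    return result


# Constructed sample listing (not real data) so the script runs without a host.
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents/report.docx.acmewasted", 20480),
    ("C:/Users/alice/Documents/report.docx.acmewasted_info", 1024),
    ("C:/Users/alice/Documents/budget.xlsx.acmewasted", 5_000_000),  # no note sibling
    ("C:/Users/alice/Documents/tiny.txt", 4),
    ("C:/Windows/System32/kernel32.dll", 700_000),
    ("C:/Users/alice/Desktop/tool.exe", 300_000),
    ("C:/Users/alice/Videos/archive.mkv", 200 * 1024 * 1024),
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print("victim tags:", sorted(report["victim_tags"]))
    print("encrypted:", report["encrypted"])
    print("encrypted without note:", report["missing_note"])
    print("skipped:", report["skipped"])
    print("at risk (64 MB blocks):", report["at_risk"])
```

The victim tag extracted from the extension is worth recording on its own: it ties a sample to a specific campaign, and an encrypted file without its note sibling is a hint that the run was interrupted or that the note was already cleaned up.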