28 March 2021

Evil Corp uses a new tactic to circumvent OFAC sanctions

Evil Corp, the notorious cybercrime group behind the Dridex banking trojan and the BitPaymer and WastedLocker ransomware families, has switched to a new tactic to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).

In December 2019, OFAC charged two key members of Evil Corp (aka the Dridex group and Indrik Spider), Maksim Yakubets and Igor Turashev, for deploying the Dridex malware (aka Bugat and Cridex) and for their involvement in international bank fraud and computer hacking schemes. The U.S. Department of State also announced a reward of up to $5 million USD for information leading to the capture or conviction of the group’s leader.

Following the OFAC sanctions, the group temporarily ceased operations while continuing to develop new tactics, techniques and procedures (TTPs) to evade the sanctions, the latest addition being the Hades ransomware, first spotted by researchers in December 2020.

According to the cybersecurity firm CrowdStrike, Hades is a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes. This ransomware is not related to a similarly named ransomware family, Hades Locker, which first appeared in 2016.

While Hades shares the majority of its functionality with WastedLocker, it comes with a few changes identified by CrowdStrike as follows:

- Hades is now a 64-bit compiled executable with additional code obfuscation, likely intended to disguise the minimal changes, evade existing signature-based detections and hinder reverse-engineering efforts.

- The majority of standard file and registry Windows API calls were replaced with their system call counterparts (i.e., the user-mode Native APIs exported from NTDLL).

- Hades employs a different User Account Control (UAC) bypass than WastedLocker; however, both implementations are taken directly from the open-source UACME project (https[:]//github[.]com/hfiref0x/UACME).

- Hades writes a single ransom note named HOW-TO-DECRYPT-[extension].txt to each traversed directory, as opposed to WastedLocker’s and BitPaymer’s approach of creating a note for each encrypted file.

- Hades now stores the key information in each encrypted file rather than in the ransom note. Both WastedLocker and BitPaymer stored the encoded and encrypted key information in the file-specific ransom notes.

- While Hades still copies itself to a generated subdirectory in Application Data, it no longer uses the :bin Alternate Data Stream (ADS). The :bin ADS path was characteristic of both WastedLocker and BitPaymer.
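The one-note-per-directory behaviour described above gives incident responders a cheap triage heuristic over a file-system inventory. The script below is an added example, not code from the article or from CrowdStrike; it assumes that the [extension] in the note name is the same extension appended to the encrypted files in that directory, and the sample paths are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Hades drops one HOW-TO-DECRYPT-<ext>.txt per traversed directory.
# Assumption (not stated in the article): <ext> is also the extension
# appended to the encrypted files in that directory.
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-(?P<ext>[A-Za-z0-9]+)\.txt$", re.IGNORECASE)

# Constructed sample inventory (e.g. from a file-system listing); not real IoCs.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\HOW-TO-DECRYPT-abcd.txt",
    r"C:\Users\alice\Documents\budget.xlsx.abcd",
    r"C:\Users\alice\Documents\notes.docx.abcd",
    r"C:\Users\alice\Documents\readme.md",
    r"C:\Users\alice\Pictures\HOW-TO-DECRYPT-abcd.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",  # note present, nothing encrypted yet
]


def find_hades_notes(paths):
    """Group paths by directory and report every directory holding exactly one
    Hades-style note. Each hit records the note, the extension it names and the
    files in the same directory carrying that extension (likely encrypted)."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent)].append(wp.name)

    hits = {}
    for directory, names in by_dir.items():
        notes = [n for n in names if NOTE_RE.match(n)]
        if len(notes) != 1:
            continue  # no note, or several: not the one-note-per-directory pattern
        ext = NOTE_RE.match(notes[0]).group("ext").lower()
        encrypted = sorted(
            n for n in names if n.lower().endswith("." + ext) and n not in notes
        )
        hits[directory] = {"note": notes[0], "ext": ext, "encrypted": encrypted}
    return hits


def summarize(hits):
    """Return one report line per affected directory, most encrypted files first."""
    ordered = sorted(hits.items(), key=lambda kv: len(kv[1]["encrypted"]), reverse=True)
    return [f"{d}: note={h['note']} ext=.{h['ext']} encrypted_files={len(h['encrypted'])}"
            for d, h in ordered]


if __name__ == "__main__":
    for line in summarize(find_hades_notes(SAMPLE_PATHS)):
        print(line)
```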

“Since the OFAC sanctions and DOJ indictments against the group and its members, INDRIK SPIDER’s continued diversification has demonstrated the group’s significant resources and operational resilience. INDRIK SPIDER’s ability to adapt and overcome adversity has been illustrated in their continual advances in their campaigns, implementation of new tools, and adoption of third-party products and services. The development of their tradecraft has almost certainly been prompted by the legal action taken against them. The continued development of WastedLocker ransomware is the latest attempt by the notorious adversary to distance themselves from known tooling to aid them in bypassing the sanctions imposed upon them. The sanctions and indictments have undoubtedly significantly impacted the group and have made it difficult for INDRIK SPIDER to successfully monetize their criminal endeavors,” the researchers concluded.
