On 4th November 2019 researchers and the media reported a massive ransomware attack against several Spanish companies. Some of this news was exaggerated, as it transpired that just two companies confirmed a security incident. However, the two companies were attacked by different threat actors.
This blog post will seek to clarify some details concerning the attack against Everis, which was distinct from the security incident suffered by Cadena SER (PRISA). The brief analysis is based on IOCs shared through Virus Total. Blueliv analysts assess these IOCs with high confidence, but it should be noted that they have not been officially confirmed by Everis.
- Everis was infected with BitPaymer (FriedEx/IEncrypt), a targeted ransomware operated by the Dridex Group. Home users are not affected by this threat, only businesses
- This security incident is unrelated to the attack suffered by Cadena SER (PRISA)
- There are no confirmations that any other Spanish companies were targeted in the same attack
- According to IOCs, the entry point was a FakeUpdate (SocGholish) installing Dridex (botnet 199) in Everis systems
- From the Dridex infection, the attackers moved laterally using PowerShell Empire and finally executed BitPaymer in specific machines
Ransomware Attack Overview
Due to the lack of official information from Everis, different researchers and media started to share different hypotheses concerning this ransomware attack. The ransom note with a custom message to Everis was leaked in the media, and some encrypted files with the extension “.3v3r1s” were uploaded to Virus Total.
As a result of this it was possible to better understand the kind of threat faced by Everis. The ransom note had exactly the same format as the usual ransom note used by BitPaymer in its infections, and a custom per-victim extension is also typical of BitPaymer infections. In this case, the sample related to Everis was bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f.
The usual modus operandi of the attackers behind BitPaymer is to use Dridex as an entry point and later move laterally in the targeted network. Dridex can be installed on systems via Emotet spam or other methods, but Emotet as the entry point for this kind of lateral movement was something we had not observed previously.
We utilized our sandbox to execute the IOCs shared as Emotet in the Virus Total comment (1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05 and 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c). It transpired that those samples were actually Dridex, belonging to botnet 199. As this is exactly what would be expected from the group operating BitPaymer, we assume there was an error in the malware classification, and that the IOCs shared might indeed be related to the Everis incident.
Several hypotheses have been proposed regarding the attack vector. As there was a peak of BlueKeep exploitation during the past weekend, some sources pointed to BlueKeep as the source of the attack.
Alternative hypotheses pointed to a malware spam distribution, possibly using Emotet. The Virus Total comment which was apparently leaking Everis information mentioned a compromised website (esancendoc[.]esan[.]edu[.]pe) and a download link belonging to the subdomain click[.]clickanalytics208[.]com.
Knowing that Dridex was used in the attack, Blueliv analysts are more inclined towards the spam theory than BlueKeep, as RDP exploitation is not the normal behavior of the group operating BitPaymer. However, the domain mentioned on Virus Total, click[.]clickanalytics208[.]com, has a long history of malicious use in FakeUpdate campaigns, which have dropped different malware families in the past, including Chthonic, AZORult, NetSupport RAT and… Dridex!
The filenames mentioned in the Virus Total comment (Chrome.Update.3f61f4.js and crhome.update.3f61f4.exe) also point in the direction of a FakeUpdate downloaded from the web browser and executed by the user. The group operating this malware distribution network is known as SocGholish and has been active for several years.
It is not confirmed whether the victim reached the SocGholish domain via a watering hole (esancendoc[.]esan[.]edu[.]pe), as described in the Virus Total comment, or by other means such as spam distribution. As the other IOCs mentioned in this comment have been quite accurate, the watering hole option is quite plausible and could indeed be the infection vector for the Everis incident.
BitPaymer Ransomware Attribution
The group behind BitPaymer, known as the Dridex Group or INDRIK SPIDER, also operates Dridex. This is the reason that one of the main infection vectors for BitPaymer is to use existing Dridex infections to infiltrate the network of the targeted organization. Usually, the distribution of Dridex is not highly targeted, but given that it is a large botnet made up of various sub-botnets, the affiliates behind them may choose numerous ways to spread the malware.
The cybercriminals operating the main botnet check the infected machines in the control panel, searching for large or strategically important organizations in order to execute more advanced attacks against them.
They usually execute a launcher that connects back to their PowerShell Empire server, from which they can control operations more effectively. In the past, the group dropped specific malicious code such as POS malware or Anunak/Carbanak. Currently, they are using BitPaymer to make the most of the intrusions.
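The chain reconstructed above (a FakeUpdate file name fetched from the clickanalytics208 domain, Dridex and BitPaymer sample hashes, an Empire-style PowerShell launcher for lateral movement, and the .3v3r1s extension appearing on files) is something a defender can turn directly into a hunt over proxy and endpoint telemetry. The following Python script is an added example written for this page; it is not Blueliv tooling and not the malware's code. The key=value record format and the host names are invented for the example, the sample records are constructed, the Empire check assumes the default launcher shape `powershell -noP -sta -w 1 -enc <base64>`, and the file-name pattern generalises the two names quoted in the Virus Total comment to any six-hex-digit tag.

```python
"""Hunt for the Everis-incident IOCs quoted above in constructed proxy/endpoint records."""
import re
from collections import defaultdict

# IOCs quoted in the post: SHA-256 samples, domains, FakeUpdate file names, BitPaymer extension.
SAMPLE_HASHES = {
    "bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f": "BitPaymer",
    "1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05": "Dridex (botnet 199)",
    "628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c": "Dridex (botnet 199)",
}
DOMAINS = {
    "click.clickanalytics208.com": "SocGholish FakeUpdate download host",
    "esancendoc.esan.edu.pe": "suspected watering hole",
}
# Chrome.Update.3f61f4.js / crhome.update.3f61f4.exe, generalised to any 6-hex-digit tag.
FAKEUPDATE_NAME = re.compile(r"^(chrome|crhome)\.update\.[0-9a-f]{6}\.(js|exe)$", re.I)
RANSOM_EXT = ".3v3r1s"

# Assumed record format for this example: space-separated key=value pairs,
# values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_like_empire_launcher(cmd):
    """Assumption: Empire's default launcher is 'powershell -noP -sta -w 1 -enc <b64>',
    so flag PowerShell that is profile-less, hidden-window and carries an encoded command."""
    toks = cmd.lower().split()
    if not toks or basename(toks[0]) not in ("powershell", "powershell.exe"):
        return False
    no_profile = any(t in ("-nop", "-noprofile") for t in toks)
    hidden = any(toks[i] in ("-w", "-windowstyle") and i + 1 < len(toks)
                 and toks[i + 1] in ("1", "hidden") for i in range(len(toks)))
    encoded = any(toks[i] in ("-e", "-ec", "-enc", "-encodedcommand") and i + 1 < len(toks)
                  for i in range(len(toks)))
    return no_profile and hidden and encoded


def match(rec):
    """Return the IOC hits for one record, tagged with the stage of the chain they belong to."""
    hits = []
    kind = rec.get("type")
    if kind == "proxy":
        dst = rec.get("dst", "").lower()
        if dst in DOMAINS:
            hits.append(f"[entry] contact with {dst} ({DOMAINS[dst]})")
        name = basename(rec.get("url", ""))
        if FAKEUPDATE_NAME.match(name):
            hits.append(f"[entry] FakeUpdate download {name}")
    elif kind == "process":
        # Look at both the image and every command-line token (wscript.exe <script> case).
        names = {basename(rec.get("image", ""))} | {basename(t) for t in rec.get("cmd", "").split()}
        for name in sorted(names):
            if FAKEUPDATE_NAME.match(name):
                hits.append(f"[dropper] FakeUpdate payload executed: {name}")
        if looks_like_empire_launcher(rec.get("cmd", "")):
            hits.append("[lateral] PowerShell Empire-style launcher")
        sha = rec.get("sha256", "").lower()
        if sha in SAMPLE_HASHES:
            hits.append(f"[sample] {SAMPLE_HASHES[sha]} {sha[:12]}...")
    elif kind == "file":
        path = rec.get("path", "")
        if path.lower().endswith(RANSOM_EXT):
            hits.append(f"[impact] BitPaymer extension written: {path}")
    return hits


def triage(log_text):
    """Group hits per host so the chain entry -> dropper -> lateral -> impact is visible per machine."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            for hit in match(rec):
                per_host[rec.get("host", "?")].append(hit)
    return dict(per_host)


# Constructed records for illustration (not real Everis telemetry).
SAMPLE_LOG = r"""
type=proxy host=WS-0117 dst=esancendoc.esan.edu.pe url=http://esancendoc.esan.edu.pe/index.php
type=proxy host=WS-0117 dst=click.clickanalytics208.com url=https://click.clickanalytics208.com/Chrome.Update.3f61f4.js
type=process host=WS-0117 image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\u\Downloads\Chrome.Update.3f61f4.js"
type=process host=WS-0117 image=C:\Users\u\AppData\Local\Temp\crhome.update.3f61f4.exe cmd="crhome.update.3f61f4.exe" sha256=1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05
type=process host=SRV-FILE01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -noP -sta -w 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
type=process host=WS-0042 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -NoProfile -Command Get-Process"
type=file host=SRV-FILE01 path=D:\shares\finance\Q3.xlsx.3v3r1s action=create
type=process host=SRV-FILE01 image=C:\Windows\Temp\svc.exe cmd=svc.exe sha256=bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f
"""

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG).items():
        print(host)
        for hit in hits:
            print("  ", hit)
```

Grouping by host is the point: a single hit on the proxy domain is noise-prone, but a workstation that contacts the FakeUpdate host, runs a Chrome.Update.*.js and then a sample with a known Dridex hash is the entry point, and a server that receives an encoded hidden-window PowerShell launcher and then starts writing .3v3r1s files is already at the impact stage. The benign WS-0042 record (`-NoProfile` without a hidden window or encoded command) shows why the Empire check requires all three flags rather than any one.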
Our usual recommendations to protect against malware infections and ransomware attacks apply in this case. As we have mentioned, the modus operandi of groups operating targeted ransomware like BitPaymer or Ryuk usually takes advantage of existing infections. It is therefore common to see FakeUpdates and malware spam as the initial infection points.
With this in mind, Blueliv makes the following recommendations:
- PROTECT AGAINST MALWARE INFECTIONS: use monitoring and threat intelligence tools to detect existing infections in networks and systems. These are particularly effective against those well-known families, such as Dridex and Trickbot
- MONITOR FOR EXPOSED RDP SERVERS: continuously check whether RDP servers are exposed, and ensure that the number of machines exposed externally is limited. It is critical that all of them are regularly patched
- ENSURE STRONG BACKUP POLICIES: make sure backups are made and that they are stored outside the company network. It should be noted that these groups usually try to destroy backups before infecting a company with ransomware, so ideally backups should be kept outside both the company network and its physical premises
- EDUCATION, EDUCATION, EDUCATION: most of those threats start from a malicious email or a fake application downloaded from the Internet. All users within any organization, from the management to the newest intern, must be educated in basic cybersecurity skills. Under no circumstances should the only people in the company who can spot a potential threat be the IT or security team.
NB: These IOCs have not been confirmed by Everis, but they are likely related to the incident.