Group Overview - Evil Corp
This will be my first post in a series of posts summarizing various cyber actors, including APTs, cybercrime outfits, and hacktivist groups. I will be mainly discussing the history of the group and their known and documented activities throughout their existence. I plan on making additional summaries of each group that will delve further into their TTPs and other technical information to complement this summary.
The first group I will be discussing is the Evil Corp cybercrime outfit. The group is also known to many by the name INDRIK SPIDER, which was coined by the Cybersecurity company CrowdStrike. I decided to write about the Evil Corp group first due to the fact that they are still very relevant in 2020, as just a few days ago, Symantec published a report discussing a widespread attempted ransomware attack against various U.S. companies carried out by the Evil Corp group earlier this month.
Evil Corp is an extremely sophisticated threat actor. They are capable of developing their own strains of malware, carrying out extremely targeted and methodical attacks, and maintaining persistent access to a machine or network after obtaining an initial foothold. They should be considered one of the most advanced threat actors in the cybercrime world, on par with the Maze and Emotet threat actors.
ORIGINS:
The origins of the Evil Corp group were not unlike many other cybercrime outfits to come out of Eastern Europe in the 2000's and 2010's. Although their origin was unique in many ways, the primary motivation for their existence was of course to carry out acts of cybercrime for financial gain. Cybercriminals are very adept at investing their knowledge of programming, networking, and security into committing various crimes almost solely for the purpose of theft, fraud, and extortion.
That being said, in order to explain the origins of the Evil Corp cybercrime group, it is important to first mention someone who will be mentioned constantly throughout this summary, that being a person initially known only by the handle “Aqua” on various cybercrime websites in the late 2000s and early 2010s. Aqua also used other pseudonyms and handles from time to time but to make things simple, I will be referring to him solely as "Aqua" from here on out.
Security researchers and journalists first stumbled across Aqua in 2009, where he was known to be a prominent user on various websites created specifically to recruit “money mules” who would unknowingly be assisting in the withdrawal of fraudulent money transfers made by cybercriminals. This was and still is a common scam among cybercriminals especially those located in Russia or Ukraine.
According to an article from KrebsOnSecurity, these hired mules would first be prompted to create accounts for various bank websites which they would populate with personal and bank account data. Then, when deemed trustworthy by their "employers", the mules would be prompted to visit the bank in person after receiving a message from the criminals requesting that funds be withdrawn and wired to individuals in Eastern Europe who they believed to be associated with their employer. [1]
Although it is not officially known when Aqua initially began his career in cybercrime, this appears to be the first acknowledged sighting of his activities. His next known activities were in relation to the spread of the Jabber ZeuS malware and its supposed creator, Evgeniy Mikhaylovich Bogachev, and the “Business Club” cybercrime outfit.
Bogachev, ZeuS Author.
I made a post summarizing the history of the ZeuS malware and Bogachev in greater depth here. ZeuS was a prolific Trojan that was repurposed and repackaged many times, each with different purposes and capabilities in order to accomplish the specific goals of its creators. 'Jabber ZeuS' was one such variation of the Trojan, and its main purpose was to capture specific information like one-time-passwords in real time and forward them to the attackers using the Jabber/XMPP protocol.
Although Aqua and other members of the Business Club coordinated in the spread of ZeuS throughout the early 2010’s, the group which would eventually come to be known as Evil Corp was not yet established. It appears as though the Business Club was a sort of cybercrime collective, made up of primarily Russian and other Eastern European cybercriminals who would often collaborate with one another if it was deemed beneficial. It is not known if Aqua knew Bogachev in person, but what has been confirmed is that Aqua and Bogachev regularly communicated via the Internet.
It was not until a 2018 report by CrowdStrike, detailing their initial analysis of the INDRIK SPIDER group, that it became known that Evil Corp or INDRIK SPIDER was not established as a distinct group until 2014, when it was most likely formed by Aqua along with other cybercriminals associated with the Business Club collective. [2]
DRIDEX, NECURS, & BITPAYMER:
For those unfamiliar, Dridex was a banking Trojan that originated in the early 2010’s that eventually surpassed ZeuS as the most prolific banking Trojan in use by cybercriminals. Although not announced to the world until 2019, Aqua and other hackers were alleged to be the purveyors and distributors of the Dridex malware. Dridex, like Gameover ZeuS, was designed to also engage in botnet-like activity. According to a BitSight article, in 2015 alone there were 9 separate Dridex botnets in operation, with almost all bots compromised through spam phishing, and all designed to steal information from the victim’s machine and forward it to servers controlled by the criminals. [3]
Although Dridex did grow to become a successful botnet, it eventually suffered the same fate as most others did. In late 2015, the FBI was able to successfully seize and sinkhole multiple servers that were being used as C2 servers by the actors who were by then being referred to publicly as Evil Corp. This seizure by the FBI crippled the botnet operators' activities; however, many researchers were confident that it was only a matter of time before the Evil Corp actors were back with another operation. [4]
In the announcement by the U.S. Department of Justice, a few arrests were also made, specifically Andrey Ghinkul, who was believed to be one of the primary disseminators of the Dridex Trojan. [5]
In a research article from FireEye in January 2016, most researchers were proved right when it was reported that the Dridex botnet operators resumed their coordinated and targeted spam campaigns before, and during the 2015 holiday season. [6]
Dridex remained relevant throughout 2016 and even 2017 although it was never as successful as it was back in 2015. Although this information was not known publicly until late 2019, over the next few years Aqua was suspected to be working for the Russian Federation's security agency known as the FSB. While it may seem strange at first that a known cybercriminal was working for a Russian intelligence agency, it was not actually something new. Russian intelligence and security services have been known to pay and often employ cybercriminals and hacktivists to collect information from infected computers located in countries strategically important to Russian interests. A summary of the history of this type of activity was reported on by Cybereason in 2017. [7]
Although Dridex was never as successful as it was on its own back in 2015, it no longer had to rely on an existing Dridex botnet to propagate itself. Enter the Necurs botnet. To those unaware, Necurs was a massive spam botnet that had been around since 2012, and coexisted with the Gameover ZeuS and Dridex botnets, even assisting in the spread of the malware and management of the botnet infrastructure. In 2016 specifically, it was reported that the Necurs botnet operators and Evil Corp partnered in what appeared to be a mutual agreement to spread the Dridex malware through the Necurs botnet's spam capabilities. The Necurs botnet was also known to spread the infamous Locky ransomware, which is thought to have been developed by the criminals behind the Necurs botnet itself. [8]
In an article from ThreatPost in 2016, Necurs had an estimated 6 million bots in total, and its primary purpose was still to engage in massive spam campaigns to spread Locky and Dridex specifically. [9]
In 2017, Evil Corp (INDRIK SPIDER) was reported on by CrowdStrike to be spreading the BitPaymer ransomware via targeted Dridex infections. The report mentions that in 2017 specifically, Dridex spread and development slowed significantly, and it was mainly only used to deliver the BitPaymer ransomware. BitPaymer was first seen in August of 2017, when it was seen to be targeting hospitals in Scotland. [2]
In November of 2018, an update was made to BitPaymer which enhanced the ransom note and the cryptographic mechanism for encrypting files. Then, in June 2019, a new strain of ransomware similar to BitPaymer was revealed, known as “DoppelPaymer.” DoppelPaymer differed from BitPaymer in that the ransom note was again slightly altered, the encryption algorithms were modified to make decryption efforts even more difficult, and a few new features were added to enhance its functionality. Both BitPaymer and its close relative DoppelPaymer are believed to have been written and spread by Evil Corp themselves. This is just another example of the group's capabilities in comparison to other cybercrime outfits, as they have proven that they are constantly willing to put in the effort to develop new malware to keep potential victims off-guard and to maintain their relevance and status in the cybercrime world. [10]
CURRENT:
In late 2019, Aqua’s real-world identity was revealed when the U.S. Department of Justice charged him, real name Maksim V. Yakubets, and a co-conspirator named Igor Turashev, with crimes dating back to his initial crimes and association with the ZeuS malware, and up to his management of the Dridex malware.
In the indictment, every known act of criminal activity undertaken by Yakubets and his co-conspirators is documented, which includes every successful theft from victims who were compromised by the Dridex Trojan. [11]
The FBI also announced a reward of up to 5 million dollars for information leading to the arrest of Yakubets specifically, who was now thought to be the leader of the Evil Corp cybercrime group. This reward surpassed the 3-million-dollar reward for Bogachev, the ZeuS mastermind, and is currently the highest ever reward for a cybercriminal. [12]
In an indictment by Nebraska’s District Court in 2019, it appears as though U.S. authorities may have known Aqua’s identity since at least 2010/2011. According to the indictment, in 2010 “U.S. authorities transmitted a mutual legal assistance request to Russian authorities concerning “aqua.” Russian authorities produced a response that, in pertinent part, attributed the moniker to DEFENDANT. The response included numerous affidavits from Russian law enforcement officials concerning their investigation, which was initiated to effectuate the mutual legal assistance request.” The indictment further states that Russian law enforcement were able to provide information to U.S. authorities regarding email messages sent to what was discovered to be Aqua’s .ru email address. Some emails were addressed to Aqua’s real name, which was then discovered to be Maksim Yakubets. The indictment continues with further evidence collected by U.S. authorities that allowed them to fully verify Yakubets as being Aqua and the leader of Evil Corp. [13]
However, it was not long after the indictment by the U.S. Department of Justice that Evil Corp returned. In an article from Threatpost on January 31st, 2020, researchers made it known that the Evil Corp group were seen to be engaging in phishing campaigns utilizing HTML redirects instead of malicious email attachments as they had done in the past. It was also reported that the malware used in the campaigns was instead the GraceWire Trojan and not Dridex. At this point in time, Dridex has somewhat fallen by the wayside in favor of other banking and infostealer Trojans. [14]
Then, in March 2020, a major action by Microsoft was undertaken which disrupted the Necurs botnet. According to the report by Microsoft, the action was a result of over 8 years of analysis and tracking and was done in coordination with partners across 35 countries. The takedown was similar to other botnet takedowns, in that Microsoft was able to predict “over six million” potential domain names generated by the malware’s DGA (Domain Generation Algorithm), and report them to their partners overseas so that action could be taken to register the domain names in advance. [15]
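The takedown approach described above, enumerating a DGA's future output so the names can be registered or blocked before the malware reaches them, can be shown with a toy DGA. This is an added illustration and not Microsoft's or Necurs's code: the hash-based generator, the TLD list, and the DNS log format below are all constructed assumptions, chosen only to show how a reverse-engineered, date-seeded generator lets a defender pre-compute a block list and match it against observed queries.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed TLD list for the toy DGA; not the real Necurs configuration.
TLDS = ("com", "net", "biz", "info")


def toy_dga(seed_date: date, index: int) -> str:
    """Hypothetical date-seeded DGA: hash (date, index) and map the digest to a hostname.

    Real families use their own seeds and alphabets; the point is only that the
    output depends on nothing but the calendar date and a counter, so anyone who
    has reverse-engineered the function can compute future names in advance.
    """
    material = f"{seed_date.isoformat()}:{index}".encode()
    digest = hashlib.sha256(material).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"


def predict_domains(start: date, days: int, per_day: int) -> List[str]:
    """Enumerate every domain the toy DGA will produce over the coming window."""
    out: List[str] = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        out.extend(toy_dga(day, i) for i in range(per_day))
    return out


def match_dns_log(lines: List[str], predicted: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, domain) pairs for queries that hit a pre-computed DGA domain.

    Assumed log format (constructed): '<timestamp> <client_ip> query <domain>'.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        domain = parts[3].rstrip(".").lower()  # tolerate a trailing root dot
        if domain in predicted:
            hits.append((parts[1], domain))
    return hits


def demo() -> Dict[str, object]:
    """Pre-compute one week of names from a fixed start date and scan constructed log lines."""
    start = date(2020, 3, 10)
    predicted = set(predict_domains(start, days=7, per_day=8))
    first = predict_domains(start, days=1, per_day=1)[0]
    # Constructed DNS query log: one DGA lookup among ordinary traffic.
    log = [
        "2020-03-10T08:00:01 10.0.0.5 query www.example.com",
        f"2020-03-10T08:00:02 10.0.0.7 query {first}",
        "2020-03-10T08:00:03 10.0.0.9 query updates.example.net.",
    ]
    return {"predicted": len(predicted), "first": first, "hits": match_dns_log(log, predicted)}


if __name__ == "__main__":
    result = demo()
    print(f"{result['predicted']} domains pre-computed; DGA hits: {result['hits']}")
```

The block list is only as good as the recovered seed and schedule: if the generator also mixes in something the defender cannot know ahead of time, the names cannot be enumerated this far in advance, which is why reverse-engineering the algorithm is the prerequisite for this kind of coordinated registration.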

Necurs botnet heatmap.
Although the Necurs botnet was not thought to be under the leadership of Evil Corp, it was closely associated with the group and was a very important factor in the spread of Evil Corp malware.
Although further attacks continued throughout 2020, a potential campaign was not reported until June 23rd 2020, when the NCC Group reported on a new ransomware strain which they attributed to the Evil Corp group. According to the report, the new ransomware was called “WastedLocker”, and had been known to researchers since the previous month. Furthermore, it was believed by the NCC Group that Evil Corp was in the midst of a process to modify its TTPs in order to distance the group from Yakubets and Turashev. [16]
WastedLocker is different in many ways from BitPaymer, as it no longer relies on a Dridex infection, instead utilizing the SocGholish update framework. To put it simply, SocGholish is a malware framework that delivers zip files to users masquerading as Google Chrome updates, but actually containing malicious JavaScript files. Next, further malware is downloaded, including a loader and an injector which in turn loads the CobaltStrike beacon. If you do not know what CobaltStrike is, it is a legitimate penetration testing framework frequently used by malicious threat actors due to its power and simple functionality. [17]
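One defensive check that follows from the delivery chain described above is to inspect an archive that presents itself as a browser update and flag it when its members are script files rather than an installer. The code below is an added example, not NCC Group's or Symantec's detection logic and not SocGholish's real file naming: the archive and member names, the keyword list, and the script-extension list are all constructed assumptions for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Assumed lists: script types a genuine browser update would never ship as bare
# archive members, and words that suggest the archive is posing as an update.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")
UPDATE_WORDS = ("update", "chrome", "firefox", "browser")


def inspect_update_archive(name: str, data: bytes) -> Dict[str, object]:
    """Flag a zip that poses as a browser update but carries script files.

    `name` is the archive filename as shown to the user; `data` is the archive bytes.
    Only member names are examined, so the content is never executed or extracted.
    """
    reasons: List[str] = []
    claims_update = any(w in name.lower() for w in UPDATE_WORDS)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTENSIONS)]
    if claims_update and scripts:
        reasons.append("archive named like a browser update contains script files")
    if scripts and len(members) == len(scripts):
        reasons.append("every member is a script; no installer present")
    if any(m.lower().count(".") >= 2 for m in scripts):
        reasons.append("script member uses a double extension")
    return {
        "members": members,
        "scripts": scripts,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member_name: content}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def demo() -> Dict[str, Dict[str, object]]:
    """Run the check on one constructed fake-update archive and one ordinary archive."""
    fake = build_zip({"Chrome.Update.2020.06.js": b"// constructed placeholder, not real malware\n"})
    benign = build_zip({"notes/readme.txt": b"hello\n"})
    return {
        "fake": inspect_update_archive("Chrome.Update.zip", fake),
        "benign": inspect_update_archive("notes.zip", benign),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```

Name-based heuristics like this are cheap to run at a mail gateway or download proxy, and they catch the mismatch the text describes (an "update" that is nothing but a script) without relying on a signature for any one campaign; they do not replace inspecting what the script actually does.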
Then, 2 days after the report by the NCC Group, Symantec published a report on June 25th 2020, which detailed a wide-scale attack on various businesses in the United States by Evil Corp, using the WastedLocker ransomware. Symantec was able to determine that at least 31 corporations were attacked; however, the deployment of the WastedLocker ransomware was stopped when Symantec's advanced cloud analytics software was able to warn its customers of the impending attack. [17]
These attacks, although thankfully stopped, should not be simply waved off as another failed attempt by cybercriminals to carry out their activities. Although the report does not go into detail about how many businesses were successfully penetrated, and if they were, how far along the infection process was, it appears that there were at least a few successful intrusions. The fact that Evil Corp was able to coordinate an attack on 31 identified businesses simultaneously, and potentially even come close to deploying the ransomware itself, should be a massive wake up call to businesses. Motivated threat actors like Evil Corp will adapt and do whatever they can to stay ahead of our defenses, and it is really only a matter of time before they are able to replicate this attack successfully.

Types of businesses targeted by WastedLocker.
CONCLUSION:
The WastedLocker attacks, being only a few days removed from this post, are what pushed me over the edge and made me decide to write about Evil Corp and make it my first 'Group Summary' post.
As I stated at the very beginning of this post, Evil Corp or INDRIK SPIDER is an incredibly sophisticated threat easily on par with the other prolific cybercrime actors and even on par with certain APT actors. The fact that they have been able to continue their activities and stay relevant in the cybercrime world for over 6 years now truly is a testament to their capabilities. It does not appear that the Russian/Eastern European cybercrime world will be going away anytime soon. That being said, whether Yakubets remains in control of the group or whether he is currently hiding away in order to avoid attention by U.S. authorities remains to be seen.
I plan on updating this post if any attacks attributed to Evil Corp come to light. I also plan on writing an analysis of Evil Corp's TTPs which will include a more in-depth technical analysis.
Thank you for reading!
2024 UPDATE:
In June of 2022, Mandiant advised that a new cluster of activity, which they refer to as UNC2165, shares numerous overlaps with the Evil Corp cybercrime threat actor. Mandiant also advised that this cluster of activity, which likely has ties to Evil Corp, has given up on using its own custom ransomware strains and instead now prefers to exclusively utilize the LockBit ransomware-as-a-service to evade targeted attribution by the authorities. [19]
SOURCES:
[1] https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
[2] https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
[3] https://www.bitsight.com/blog/dridex-botnets
[4] https://www.theregister.com/2015/10/14/dridex_botnet_takedown/
[5] https://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled
[6] https://www.fireeye.com/blog/threat-research/2016/01/dridex_botnet_resume.html
[7] https://www.cybereason.com/blog/blog-russia-nation-state-hacking-the-countrys-dedicated-policy-of-strategic-ambiguity
[8] https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/
[9] https://threatpost.com/necurs-botnet-is-back-updated-with-smarter-locky-variant/118883/
[10] https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
[11] https://www.justice.gov/opa/press-release/file/1223586/download
[12] https://www.fbi.gov/news/stories/charges-announced-in-malware-conspiracy-120519
[13] https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rUjoDemqvVf0/v0
[14] https://threatpost.com/evil-corp-returns-with-new-malware-infection-tactic/152430/
[15] https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/
[16] https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
[17] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
This was very informative!! Thank you for the update dude 😎