Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially operated the Dridex banking Trojan, and by 2017 had begun running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.[1][2][3]

ID: G0119
Associated Groups: Evil Corp
Version: 2.0
Created: 06 January 2021
Last Modified: 15 October 2021

Associated Group Descriptions

Name        Description
Evil Corp   [2][3]

Techniques Used

Domain ID Name Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell
Indrik Spider has used PowerShell Empire for execution of malware.[1][4]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
Indrik Spider has used batch scripts on victims' machines.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript
Indrik Spider has used malicious JavaScript files for several components of their attack.[4]

Enterprise T1584.004 Compromise Infrastructure: Server
Indrik Spider has served fake updates via legitimate websites that have been compromised.[1]

Enterprise T1136 Create Account
Indrik Spider used wmic.exe to add a new user to the system.[4]

Enterprise T1486 Data Encrypted for Impact
Indrik Spider has encrypted domain-controlled systems using BitPaymer.[1]

Enterprise T1074.001 Data Staged: Local Data Staging
Indrik Spider has stored collected data in a .tmp file.[4]

Enterprise T1484.001 Domain Policy Modification: Group Policy Modification
Indrik Spider has used Group Policy Objects to deploy batch scripts.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools
Indrik Spider used PsExec to configure Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[4]

Enterprise T1070.001 Indicator Removal on Host: Clear Windows Event Logs
Indrik Spider has used Cobalt Strike to empty log files.[4]

Enterprise T1105 Ingress Tool Transfer
Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[1][4]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location
Indrik Spider used fake updates for the Flash Player plugin and Google Chrome as initial infection vectors.[1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory
Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[4]

Enterprise T1018 Remote System Discovery
Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.[4]

Enterprise T1489 Service Stop
Indrik Spider has used PsExec to stop services prior to the execution of ransomware.[4]

Enterprise T1007 System Service Discovery
Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.[4]

Enterprise T1204.002 User Execution: Malicious File
Indrik Spider has attempted to get users to click on a malicious zipped file.[4]

Enterprise T1078.002 Valid Accounts: Domain Accounts
Indrik Spider has collected credentials from infected systems, including domain accounts.[1]

Enterprise T1047 Windows Management Instrumentation
Indrik Spider has used WMIC to execute commands on remote computers.[4]

Software

ID Name References Techniques

S0570 BitPaymer [1][2]
Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Execution Guardrails, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: NTFS File Attributes, Indicator Removal on Host: Timestomp, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information, Query Registry, Remote System Discovery, System Service Discovery

S0154 Cobalt Strike [2]
Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Proxy: Domain Fronting, Query Registry, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Rundll32, Software Discovery, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation

S0384 Dridex [1][2][3]
Application Layer Protocol: Web Protocols, Browser Session Hijacking, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Native API, Obfuscated Files or Information, Proxy, Proxy: Multi-hop Proxy, Remote Access Software, Software Discovery, System Information Discovery, User Execution: Malicious File

S0363 Empire [1]
Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

S0002 Mimikatz [1]
Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0029 PsExec [4]
Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0612 WastedLocker [5][2]
Abuse Elevation Control Mechanism: Bypass User Account Control, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: NTFS File Attributes, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Search Order Hijacking, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Peripheral Device Discovery, Query Registry, System Services: Service Execution, Virtualization/Sandbox Evasion: System Checks

References