Skip to content

G0119 Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.123

Item Value
ID G0119
Associated Names Evil Corp
Version 2.1
Created 06 January 2021
Last Modified 15 September 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Evil Corp 23

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Indrik Spider has used PowerShell Empire for execution of malware.14
enterprise T1059.003 Windows Command Shell Indrik Spider has used batch scripts on victim’s machines.1
enterprise T1059.007 JavaScript Indrik Spider has used malicious JavaScript files for several components of their attack.4
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server Indrik Spider has served fake updates via legitimate websites that have been compromised.1
enterprise T1136 Create Account Indrik Spider used wmic.exe to add a new user to the system.4
enterprise T1486 Data Encrypted for Impact Indrik Spider has encrypted domain-controlled systems using BitPaymer.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Indrik Spider has stored collected date in a .tmp file.4
enterprise T1484 Domain Policy Modification -
enterprise T1484.001 Group Policy Modification Indrik Spider has used Group Policy Objects to deploy batch scripts.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.4
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Indrik Spider has used Cobalt Strike to empty log files.4
enterprise T1105 Ingress Tool Transfer Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.14
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.4
enterprise T1018 Remote System Discovery Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.4
enterprise T1489 Service Stop Indrik Spider has used PsExec to stop services prior to the execution of ransomware.4
enterprise T1007 System Service Discovery Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.4
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Indrik Spider has attempted to get users to click on a malicious zipped file.4
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts Indrik Spider has collected credentials from infected systems, including domain accounts.1
enterprise T1047 Windows Management Instrumentation Indrik Spider has used WMIC to execute commands on remote computers.4

Software

ID Name References Techniques
S0570 BitPaymer 12 Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Local Account:Account Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Data Encrypted for Impact Execution Guardrails Windows File and Directory Permissions Modification:File and Directory Permissions Modification NTFS File Attributes:Hide Artifacts Timestomp:Indicator Removal Inhibit System Recovery Modify Registry Native API Network Share Discovery Obfuscated Files or Information Query Registry Remote System Discovery System Service Discovery
S0154 Cobalt Strike 2 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0695 Donut 5 Web Protocols:Application Layer Protocol JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter Disable or Modify Tools:Impair Defenses Indicator Removal Ingress Tool Transfer Native API Obfuscated Files or Information Software Packing:Obfuscated Files or Information Process Discovery Process Injection Reflective Code Loading
S0384 Dridex 123 Web Protocols:Application Layer Protocol Browser Session Hijacking Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Native API Obfuscated Files or Information Multi-hop Proxy:Proxy Proxy Remote Access Software Software Discovery System Information Discovery Malicious File:User Execution
S0363 Empire 1 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0002 Mimikatz 1 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0029 PsExec 4 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0612 WastedLocker 52 Bypass User Account Control:Abuse Elevation Control Mechanism Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data Encrypted for Impact Deobfuscate/Decode Files or Information File and Directory Discovery Windows File and Directory Permissions Modification:File and Directory Permissions Modification NTFS File Attributes:Hide Artifacts Hidden Files and Directories:Hide Artifacts DLL Search Order Hijacking:Hijack Execution Flow Inhibit System Recovery Modify Registry Native API Network Share Discovery Binary Padding:Obfuscated Files or Information Obfuscated Files or Information Peripheral Device Discovery Query Registry Service Execution:System Services System Checks:Virtualization/Sandbox Evasion

References

  1. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  2. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021. 

  3. U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021. 

  4. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  5. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.