Skip to content

G0119 Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that as been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.123

Item Value
ID G0119
Associated Names Evil Corp
Version 2.1
Created 06 January 2021
Last Modified 25 March 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Evil Corp 23

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Indrik Spider has used PowerShell Empire for execution of malware.14
enterprise T1059.003 Windows Command Shell Indrik Spider has used batch scripts on victim’s machines.1
enterprise T1059.007 JavaScript Indrik Spider has used malicious JavaScript files for several components of their attack.4
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server Indrik Spider has served fake updates via legitimate websites that have been compromised.1
enterprise T1136 Create Account Indrik Spider used wmic.exe to add a new user to the system.4
enterprise T1486 Data Encrypted for Impact Indrik Spider has encrypted domain-controlled systems using BitPaymer.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Indrik Spider has stored collected date in a .tmp file.4
enterprise T1484 Domain Policy Modification -
enterprise T1484.001 Group Policy Modification Indrik Spider has used Group Policy Objects to deploy batch scripts.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.4
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs Indrik Spider has used Cobalt Strike to empty log files.4
enterprise T1105 Ingress Tool Transfer Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.14
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.4
enterprise T1018 Remote System Discovery Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.4
enterprise T1489 Service Stop Indrik Spider has used PsExec to stop services prior to the execution of ransomware.4
enterprise T1007 System Service Discovery Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.4
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Indrik Spider has attempted to get users to click on a malicious zipped file.4
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts Indrik Spider has collected credentials from infected systems, including domain accounts.1
enterprise T1047 Windows Management Instrumentation Indrik Spider has used WMIC to execute commands on remote computers.4

Software

ID Name References Techniques
S0570 BitPaymer 12 Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Local Account:Account Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Data Encrypted for Impact Execution Guardrails Windows File and Directory Permissions Modification:File and Directory Permissions Modification NTFS File Attributes:Hide Artifacts Timestomp:Indicator Removal on Host Inhibit System Recovery Modify Registry Native API Network Share Discovery Obfuscated Files or Information Query Registry Remote System Discovery System Service Discovery
S0154 Cobalt Strike - Bypass User Account Control:Abuse Elevation Control Mechanism Sudo and Sudo Caching:Abuse Elevation Control Mechanism Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Domain Account:Account Discovery Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking Python:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Multiband Communication Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services Remote Desktop Protocol:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services SSH:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0695 Donut - Web Protocols:Application Layer Protocol JavaScript:Command and Scripting Interpreter Python:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Command and Scripting Interpreter Disable or Modify Tools:Impair Defenses Indicator Removal on Host Ingress Tool Transfer Native API Obfuscated Files or Information Software Packing:Obfuscated Files or Information Process Discovery Process Injection Reflective Code Loading
S0384 Dridex - Web Protocols:Application Layer Protocol Browser Session Hijacking Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Native API Obfuscated Files or Information Multi-hop Proxy:Proxy Proxy Remote Access Software Software Discovery System Information Discovery Malicious File:User Execution
S0363 Empire - Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Shortcut Modification:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Bookmark Discovery Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Commonly Used Port Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Exfiltration to Code Repository:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Timestomp:Indicator Removal on Host Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Golden Ticket:Steal or Forge Kerberos Tickets Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Private Keys:Unsecured Credentials Credentials In Files:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0612 WastedLocker - Bypass User Account Control:Abuse Elevation Control Mechanism Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data Encrypted for Impact Deobfuscate/Decode Files or Information File and Directory Discovery Windows File and Directory Permissions Modification:File and Directory Permissions Modification NTFS File Attributes:Hide Artifacts Hidden Files and Directories:Hide Artifacts DLL Search Order Hijacking:Hijack Execution Flow Inhibit System Recovery Modify Registry Native API Network Share Discovery Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Peripheral Device Discovery Query Registry Service Execution:System Services System Checks:Virtualization/Sandbox Evasion

References

Back to top