«Evil Corp», one of the most active and most wanted cybercrime groups of recent years, has apparently emerged from its winter-spring hibernation and is ready to resume hunting in cyberspace using «Dridex», a computer virus of its own design that is a banking trojan and a botnet in one package.
Before hiding in its lair, «Evil Corp» launched, in the fall of 2021, an incredibly aggressive and large-scale campaign to distribute the «Dridex» trojan. The campaign peaked in November 2021, and isolated outbreaks were observed until the end of January 2022.
As part of this campaign, the group, as before, actively used a network of compromised legitimate sites and phishing domain names operating in Europe, Asia and South America. In total, we found traces of «Evil Corp» on 664 domains and 582 corresponding servers, most of them located in the USA, India, Germany, Indonesia and Denmark.
However, as the main basket for delivering its «Adam's apples», «Evil Corp» used the well-known services «OneDrive», «Dropbox», «Slack» and «Transfer», as well as the «Discord» messenger, which together accounted for more than 8 thousand links to download components of the «Dridex» trojan. Using legitimate file-storage services and a messenger greatly reduced the likelihood of detection by anti-virus protection.
The number of unique malware samples detected by our radars also left no doubt about the diligence of the group's coders: in total, 3498 samples of the «Dridex» trojan and its DLL components, distributed by e-mail under the guise of Excel financial documents with malicious VBA macros (or archives containing them), and as audio and video files distributed through the file-storage services and messenger listed above.
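The distribution pattern described above (download links on legitimate file-sharing services and a messenger, pointing at Office documents, archives or media files) lends itself to a simple triage rule at the mail gateway. The following is an added example written for this page, not code from the report or its authors: it extracts URLs from an e-mail body, matches the host against an assumed list of file-sharing domains for the services the report names (the domain list is our own assumption), and flags links whose path ends in a lure-style extension. The sample e-mail is constructed for illustration.

```python
"""
Triage helper: flag links in an e-mail body that point to legitimate
file-sharing services and end in document, archive or media extensions.
Added example for this page; host suffixes and the sample e-mail are
assumptions constructed for illustration, not data from the report.
"""
import re
from urllib.parse import urlparse

# Assumed host suffixes for the services named in the report
# (OneDrive, Dropbox, Slack, Discord). The products are real; this
# suffix list is our own and is not exhaustive.
FILE_SHARING_HOSTS = {
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive",
    "dropbox.com": "Dropbox",
    "files.slack.com": "Slack",
    "cdn.discordapp.com": "Discord",
    "media.discordapp.net": "Discord",
}

# Extensions the report associates with the lures: Office documents,
# archives wrapping them, and audio/video files used as carriers.
LURE_EXTENSIONS = (".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".rtf",
                   ".zip", ".rar", ".7z", ".mp3", ".mp4", ".wav")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_host(host):
    """Return the service name if host belongs to a known file-sharing
    service, else None. Matches the bare suffix and any subdomain of it."""
    host = host.lower()
    for suffix, service in FILE_SHARING_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def triage_links(body):
    """Extract every URL from body and describe the ones that point at a
    file-sharing service. A link is 'suspicious' when its path ends in a
    lure extension; other links to such services are reported as context."""
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        service = classify_host(parsed.hostname or "")
        if service is None:
            continue  # ordinary web link, not a file-sharing download
        path = parsed.path.lower()
        ext = next((e for e in LURE_EXTENSIONS if path.endswith(e)), None)
        hits.append({
            "url": url,
            "service": service,
            "extension": ext,
            "suspicious": ext is not None,
        })
    return hits


# Constructed sample e-mail body (not a real message from the campaign).
SAMPLE_EMAIL = """\
Dear customer, please review the attached invoice:
https://www.dropbox.com/s/abc123/Invoice_0622.xlsm?dl=1
Audio memo: https://cdn.discordapp.com/attachments/1/2/meeting.mp3
Documentation: https://docs.example.com/help
Shared folder: https://onedrive.live.com/redir?resid=ABC
"""

if __name__ == "__main__":
    for hit in triage_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if hit["suspicious"] else "context"
        print(f"{flag:10} {hit['service']:8} {hit['url']}")
```

The Dropbox link carries the lure extension in its path even though the query string (`?dl=1`) follows it, which is why the check runs on `urlparse(url).path` rather than on the raw URL; the OneDrive link is reported without being flagged, so an analyst still sees that a file-sharing service was involved.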
But despite the impressive scope and ingenuity, since the beginning of February 2022 the activity of «Dridex» has abruptly stopped, which we initially connected with the events in Ukraine. Judging by the numerous media publications about the joint activities of the FBI and the Security Service of Ukraine, the latter country is home to numerous bulletproof hosting services that ensure the functioning of the management infrastructure of cybercrime groups, including possibly
However, as soon as we had got used to the «cardiac arrest» on the «Evil Corp» activity chart, in late May and early June 2022 malicious Word and Excel documents with the «Dridex» trojan on board appeared on our radars, shedding light on the true reasons for the group's long absence from the cyber arena.
The newly appeared «Dridex» loaders that landed in our quarantine are WinRAR archives, still disguised as financial documents. However, instead of documents with malicious macros that require user participation, the 2022 parcels contain Word and Excel documents whose mere opening leads to exploitation of the 2017 vulnerability «CVE-2017-11882» in «Microsoft Office» and the launch of «Dridex» trojan samples downloaded from the servers of compromised legitimate resources. Ironically, some of the domains distributing the malware belong to the official websites of IT companies that sell information security solutions.
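On an endpoint, the chain described above (document opened, CVE-2017-11882 triggered, downloaded payload launched) leaves a recognisable process-creation pattern. CVE-2017-11882 is the memory-corruption flaw in the Office Equation Editor component, EQNEDT32.EXE; that is a known fact about the CVE, not something the report states. The following detection logic is an added example for this page, not code from the report or its authors. It parses constructed, Sysmon-style process-creation lines (the field layout and sample values are our own) and raises a high-severity alert whenever the Equation Editor spawns a child, plus a medium-severity context alert for the Equation Editor launch itself. It deliberately does not require the Equation Editor's parent to be an Office application, because the component is started as an out-of-process COM server and its parent is normally a service host rather than WINWORD or EXCEL; a rule chained strictly to the Office parent would miss the case.

```python
"""
Process-tree detection for the Office document exploit chain: Equation
Editor (EQNEDT32.EXE, the CVE-2017-11882 component) spawning a payload.
Added example for this page; the log format and sample events are
constructed for illustration, not real telemetry from the report.
"""
import re

EQUATION_EDITOR = "eqnedt32.exe"

# One constructed event per line: timestamp, pid, parent pid, image path.
# Note the Equation Editor's parent is svchost.exe (DCOM launch), not the
# Office application that opened the document.
SAMPLE_EVENTS = """\
ts=2022-06-01T09:14:02Z pid=4120 ppid=980 image=C:\\Windows\\explorer.exe
ts=2022-06-01T09:14:05Z pid=5300 ppid=4120 image=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE
ts=2022-06-01T09:14:06Z pid=1208 ppid=700 image=C:\\Windows\\System32\\svchost.exe
ts=2022-06-01T09:14:07Z pid=5312 ppid=1208 image=C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE
ts=2022-06-01T09:14:08Z pid=5340 ppid=5312 image=C:\\Users\\victim\\AppData\\Roaming\\invoice.exe
ts=2022-06-01T09:20:11Z pid=6001 ppid=4120 image=C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE
ts=2022-06-01T09:20:15Z pid=6010 ppid=1208 image=C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE
"""

EVENT_RE = re.compile(r"ts=(\S+) pid=(\d+) ppid=(\d+) image=(.+)$")


def parse_events(text):
    """Parse the constructed one-line-per-event format into dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, pid, ppid, image = m.groups()
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image.strip()})
    return events


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_equation_editor_chain(events):
    """Return alerts for Equation Editor launches (medium) and for any
    process whose parent is the Equation Editor (high). The Equation
    Editor has no legitimate reason to spawn children, so the second
    rule needs no allow-list; the first is context for the analyst."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name == EQUATION_EDITOR:
            alerts.append({
                "severity": "medium",
                "pid": e["pid"],
                "reason": "Equation Editor launched (parent: %s)"
                          % (parent_name or "unknown"),
            })
        elif parent_name == EQUATION_EDITOR:
            alerts.append({
                "severity": "high",
                "pid": e["pid"],
                "reason": "Equation Editor spawned child process %s" % name,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_equation_editor_chain(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']:6}] pid={alert['pid']} {alert['reason']}")
```

In the sample, the second Equation Editor launch (pid 6010) produces only the medium context alert, which is the expected outcome for a benign document that simply contains an equation object; the high-severity alert fires only on the child under pid 5312, where a binary under the user's profile is started by the component.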
The artifacts collected over the past six months allowed us to establish in retrospect that the legitimate sites used to distribute the «Dridex» trojan had been compromised at least as early as March 2022 and had been used to deliver the «RedLine», «Agent Tesla» and «Remcos» trojans, which are popular on the darknet. Beyond the shared hosting sites, the similarity can also be traced in the use of identical «Microsoft Office» documents with the 2017 exploit and in the names of the malicious processes on infected systems, which clearly points to the «Evil Corp» group as the single origin of the identified malicious campaigns.
Obviously, the «Dridex» operators, having supplemented their cyber arsenal with the «MaaS» trojans «RedLine», «Agent Tesla» and «Remcos», switched to a penetration vector that does not require user interaction in response to «Microsoft»'s long-awaited security policy update in early February 2022, which prohibits the execution of macros in «Microsoft Office» documents by default.
Other reasons why such a financially secure group as «Evil Corp», which probably has the resources to purchase expensive 0-day exploits, would use a well-known and outdated exploit from 2017 may be:
- Relevance. Cheap and effective. Despite its venerable age, the exploit still succeeds in most cases against «Microsoft Office» products and gets a payload downloaded onto the target system
- Availability. A simple search on «GitHub» alone turns up several versions of PoC exploits that automate the generation of malicious documents for this vulnerability
- Popularity among other members of the cybercriminal community and, as a result, the difficulty of attributing malicious campaigns and the groups behind them. The vulnerability is actively exploited by, at a minimum, the operators of such paid and free malware families as the above-mentioned «RedLine», «Agent Tesla» and «Remcos», as well as «LokiBot», «FormBook», «AsyncRAT», «Snake Keylogger» and «AveMariaRAT»
Currently, it is clearly visible how the cybercriminal world, including its less well-off and less organized members, is adapting to the new rules of the game imposed by «Microsoft» and is actively using, among other things, old and well-known exploits for the products of the American vendor. Of course, such a commotion in the exploit market creates favorable conditions for major players such as «Evil Corp» to blend in and remain invisible against the background of ongoing large-scale mailings of the same type of malicious documents.