Infection Vectors: Unauthorized Access, Living off the Land Attack, Spam Emails, Redirection attack, Phishing, Social Engineering, DNS Poisoning
Attack Sector: Manufacturing, Information Technology, Media, Transportation, Financial Services, Government/Military, Healthcare, Electronics, Communications
Targeted Region: Eastern and Western Europe, North America, South America, Central America, Africa
Motive: Ransom, Data Theft
Threat Level: Very High
The name Evil Corp is inspired by a fictional multinational corporation from the cybercrime-themed television show Mr. Robot. This infamous cybercrime enterprise is allegedly based in Moscow, Russia. The group is known for using malicious programs to steal money from victims' bank accounts. Active since 2009, it has targeted a large number of bank accounts around the world, stealing hundreds of millions of dollars, and is believed to be among the world's largest and most dangerous hacking groups. The adversary uses the Zeus malware and the Dridex banking Trojan in its campaigns, and has also been observed leveraging ransomware families such as Jaff, Locky, Bart, BitPaymer, PayloadBin, WastedLocker, and Hades.
From 2009 to 2016, this cybercrime enterprise used various types of malware (Locky, Bart, Jaff, and BitPaymer) to target user machines. One of its best-known malware families, Dridex, combines several techniques that allow it to automatically steal banking credentials. Dridex is spread via phishing email campaigns, often reaching a volume of millions of messages per day. Its targets usually receive seemingly genuine emails with a malicious link in the body of the message, which is used to infect the targeted machine. More recent changes to Dridex help in the installation of ransomware; these changes were, however, observed in late 2010, when ransomware started gaining popularity in underground marketplaces. The ransomware incidents from 2020 involved TTPs previously linked with SilverFish, the sophisticated cyber-espionage group associated with the SolarWinds attack. The attacks begin with a drive-by download that eventually leads to the installation of a backdoor providing access to the victim machine. In the second-stage payload, the actors deploy Cobalt Strike, which begins network discovery within a few minutes and takes over the full infrastructure within four hours. Although the adversary is able to obtain access to Active Directory within hours, internal reconnaissance and data discovery start only after a week. During this stage the attacker uninstalls security software, while the WastedLocker ransomware is deployed only a month after the initial compromise.
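The staged timeline above gives defenders a concrete window: security software is removed well before the ransomware lands. The script below is an added example written for this profile (not tooling from the article's authors or from any vendor) that flags removal of security products in a simplified text export of the Windows Application log. It assumes lines in the form "timestamp|source|event_id|message"; the MsiInstaller event IDs 1034 (product removed) and 11724 (removal completed) are real Windows Installer events, while the product names, keyword list, business-hours window and timestamps are constructed for the demonstration.

```python
"""Added example: flag removal of security software in event log lines.

Illustrative detection sketch written for this threat profile. It assumes a
simplified text export of the Windows Application log, one record per line:
    timestamp|source|event_id|message
MsiInstaller event IDs 1034 and 11724 are real Windows Installer events; the
product names, timestamps and keyword list below are constructed.
"""
import re
from datetime import datetime, time
from typing import Dict, List

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2020-05-01T09:12:03|MsiInstaller|1033|Windows Installer installed the product. Product Name: Adobe Reader.
2020-05-20T02:41:17|MsiInstaller|1034|Windows Installer removed the product. Product Name: Contoso Endpoint Protection.
2020-05-20T02:41:19|MsiInstaller|11724|Product: Contoso Endpoint Protection -- Removal completed successfully.
2020-05-21T14:03:55|MsiInstaller|1034|Windows Installer removed the product. Product Name: 7-Zip.
"""

REMOVAL_EVENT_IDS = {"1034", "11724"}
# Hypothetical keyword list; tune it to the products actually deployed.
SECURITY_KEYWORDS = ("endpoint protection", "antivirus", "anti-virus", "defender", "edr", "security")
# Matches "Product Name: X." (event 1034) and "Product: X -- ..." (event 11724).
PRODUCT_RE = re.compile(r"Product(?: Name)?: (.+?)(?:\.\s*$| -- )")
# Assumed maintenance window; removals outside it deserve a closer look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line: str) -> Dict[str, str]:
    ts, source, event_id, message = line.split("|", 3)
    return {"ts": ts, "source": source, "event_id": event_id, "message": message}


def product_name(message: str) -> str:
    m = PRODUCT_RE.search(message)
    return m.group(1).strip() if m else ""


def looks_like_security_product(name: str) -> bool:
    lowered = name.lower()
    return any(k in lowered for k in SECURITY_KEYWORDS)


def off_hours(ts: str) -> bool:
    t = datetime.fromisoformat(ts).time()
    return not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1])


def find_security_removals(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per removal event that names a security product."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["source"] != "MsiInstaller" or rec["event_id"] not in REMOVAL_EVENT_IDS:
            continue
        name = product_name(rec["message"])
        if not looks_like_security_product(name):
            continue
        hits.append({
            "ts": rec["ts"],
            "event_id": rec["event_id"],
            "product": name,
            "off_hours": off_hours(rec["ts"]),
        })
    return hits


def removed_security_products(log_text: str) -> List[str]:
    """Distinct security products whose removal was logged."""
    return sorted({str(h["product"]) for h in find_security_removals(log_text)})


if __name__ == "__main__":
    for hit in find_security_removals(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the script reports both removal events for "Contoso Endpoint Protection" and marks them as off-hours, while the 7-Zip removal and the Adobe Reader install are ignored. In a real deployment the keyword list would be replaced by the exact product names in use, and the finding would be correlated with the Cobalt Strike discovery activity described above.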
In 2019, the U.S. Treasury Department announced new sanctions on Evil Corp for using malware to steal more than $100 million from hundreds of financial institutions. After being sanctioned, the group disappeared for a brief period, only to return to action in January 2021. Soon it started rebranding its ransomware operations under different names (Phoenix, WastedLocker, and Hades) to evade the sanctions. In April 2021, the group was observed portraying itself as the Babuk group and claimed to have quit its ransomware activities. Later, in June, when the Babuk Locker operators rebranded their leak site as the PayloadBin leak portal, Evil Corp also rebranded itself at around the same time as a new group named PayloadBin. This rebranded version was seen adding the '.PAYLOADBIN' extension to encrypted files. It was an attempt by Evil Corp to dupe victims into violating Office of Foreign Assets Control (OFAC) regulations.
Evil Corp is believed to be operated by Russian nationals Igor Turashev and Maksim Yakubets, who were charged by the U.S. in 2019. Prior to the indictment, Yakubets had been working for Russian intelligence since 2017. According to new evidence from Truesec security researchers, Evil Corp shares a close relationship with the Kremlin and has evolved into a cyberespionage group that launches ransomware attacks to hide its true goals.
Steps to be taken
Evil Corp employs different types of malware and keeps modifying them to attack its targets. To avoid such sophisticated attacks, organizations need a multi-layered approach to infrastructure security. This can include a reliable anti-malware solution and robust security mechanisms for every point of entry attackers can use, for example email and websites. In addition, enterprises are urged to educate their employees on ways to identify malicious and spam emails. Moreover, they can deploy data encryption measures to protect important data and networks against such threats. As for the ransomware attacks now prominently used by Evil Corp, security experts suggest keeping systems up to date, taking regular backups of important data, and preparing a response plan for ransomware incidents.
Evil Corp's close relationship with Russian intelligence has seen the sophisticated threat actor evolve from a financially motivated cybercrime organization into a full-fledged cyberespionage group. Even though the group still deploys ransomware, it may no longer be motivated by financial gain and may be leaning towards espionage activities; as experts have observed, it does little to force victims into paying the ransom. It is likely that the entire WastedLocker/Hades ransomware campaigns were a pre-planned deception to hide the group's cyberespionage operations.
Indicators of Compromise
e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0
ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d
0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
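The SHA-256 hashes above are most useful when they can be checked against files on disk. The script below is an added example written for this profile, not a tool from the article's authors: it loads the four published indicators, hashes files in a directory in fixed-size chunks, and reports any match. The temporary directory, the benign file and the "suspect" file used in the demonstration are constructed so the script runs offline; the suspect file is harmless text whose hash is simply added to a copy of the IoC set to show what a positive hit looks like.

```python
"""Added example: match local file hashes against the SHA-256 IoCs listed above.

Illustrative code written for this threat profile. It assumes indicators are
supplied as hex SHA-256 strings and that files are read from a local
directory. The demo directory and its contents are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

# The four SHA-256 indicators published in the profile above.
KNOWN_IOCS: Set[str] = {
    "e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0",
    "ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d",
    "0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00",
    "fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87",
}


def normalize(digest: str) -> str:
    """IoC feeds mix upper/lower case and stray whitespace; compare canonically."""
    return digest.strip().lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_ioc(digest: str, iocs: Iterable[str] = KNOWN_IOCS) -> bool:
    return normalize(digest) in {normalize(i) for i in iocs}


def scan_directory(root: Path, iocs: Iterable[str] = KNOWN_IOCS) -> List[Dict[str, str]]:
    """Walk `root` recursively and return every file whose SHA-256 is in `iocs`."""
    ioc_set = {normalize(i) for i in iocs}
    matches: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                # Unreadable files (permissions, races) are skipped, not fatal.
                continue
            if digest in ioc_set:
                matches.append({"path": str(p), "sha256": digest})
    return matches


def demo_scan() -> List[Dict[str, str]]:
    """Constructed demonstration: one benign file, one file whose hash is added
    to a copy of the IoC set so a positive hit can be shown offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign content\n")
        suspect = root / "sample.bin"
        suspect.write_bytes(b"constructed sample, not real malware\n")
        iocs = set(KNOWN_IOCS) | {sha256_file(suspect)}
        return [{"path": Path(m["path"]).name, "sha256": m["sha256"]}
                for m in scan_directory(root, iocs)]


if __name__ == "__main__":
    for match in demo_scan():
        print("IoC match:", match["path"], match["sha256"])
```

Against real hosts, point scan_directory at the paths the profile's malware families typically drop into and feed it the full indicator list rather than only the four hashes shown here; hash matching catches known samples only, so it complements rather than replaces the behavioural detection described in the "Steps to be taken" section.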
CDN endpoint for Domain Fronting to C2 Server
Post-Exploitation IP Addresses
Custom CobaltStrike loader samples
Gozi samples (sha256 hashes)
WastedLocker samples (sha256 hashes)