Evil Corp - A Threat Actor with Multiple Alter Egos


Research and Analysis June 23, 2021

Origin: 2009

Alias: TA505

Infection Vectors: Unauthorized Access, Living off the Land Attack, Spam Emails, Redirection attack, Phishing, Social Engineering, DNS Poisoning

Targeted Sectors: Manufacturing, Information Technology, Media, Transportation, Financial Services, Government/Military, Healthcare, Electronics, Communications

Targeted Regions: Eastern and Western Europe, North America, South America, Central America, Africa

Motive: Ransom, Data Theft

Threat Level: Very High

Introduction

The name Evil Corp is borrowed from a fictional multinational corporation in the cybercrime-themed television show Mr. Robot. This well-known, infamous cybercrime enterprise is allegedly based in Moscow, Russia. The group is known for using malicious programs to steal money from victims' bank accounts. Active since 2009, it has targeted a plethora of bank accounts around the world, stealing hundreds of millions of dollars, and is believed to be among the world's largest and most dangerous hacking groups. The adversary uses the Zeus malware and the Dridex banking Trojan in its campaigns. It has also been observed leveraging ransomware families such as Jaff, Locky, Bart, BitPaymer, PayloadBin, WastedLocker, and Hades.

Infection Vectors

From 2009 to 2016, this cybercrime enterprise used various types of malware (Locky, Bart, Jaff, and BitPaymer) to target user machines. Its best-known malware, Dridex, combines several techniques that allow it to steal banking credentials automatically. Dridex is spread via phishing email campaigns, often reaching a volume of millions of messages per day. Its targets usually receive seemingly genuine emails with a malicious link in the body of the message that infects the targeted machine. More recent changes to Dridex help in the installation of ransomware; such changes were, however, already observed in late 2010, when ransomware started gaining popularity in underground marketplaces.

The ransomware incidents from 2020 involved TTPs previously linked with SilverFish, the sophisticated cyber-espionage group associated with the SolarWinds attack. The attacks begin with a drive-by download that eventually leads to the installation of a backdoor providing access to the victim machine. As the second-stage payload, the actors deploy Cobalt Strike, which begins network discovery within a few minutes and takes over the full infrastructure within four hours. Although the adversary is able to obtain access to Active Directory within hours, internal reconnaissance and data discovery start only after a week. During this stage, the attacker uninstalls security software, while the WastedLocker ransomware is deployed only a month after the initial intrusion.

Rebranding Efforts

In 2019, the U.S. Treasury Department announced new sanctions on Evil Corp for using malware to steal more than $100 million from hundreds of financial institutions. After being sanctioned, the group disappeared for a brief period, only to return to action in January 2021. Soon, it started rebranding its ransomware operations under different names (Phoenix, WastedLocker, and Hades) to evade these sanctions. In April 2021, the group was observed portraying itself as the Babuk group and claimed to quit its ransomware activities. Later, in June, when the Babuk Locker operators rebranded their leak site as the PayloadBin leak portal, Evil Corp also rebranded itself around the same time as a new group named PayloadBin. The rebranded version was seen adding the '.PAYLOADBIN' extension to encrypted files. This was an attempt by Evil Corp to dupe victims into violating the Office of Foreign Assets Control (OFAC) regulations.

Attribution

Evil Corp is believed to be operated by Russian nationals Igor Turashev and Maksim Yakubets, who were charged by the U.S. in 2019. Prior to the indictment, Yakubets had been working for Russian intelligence since 2017. According to new evidence from Truesec security researchers, Evil Corp shares a close relationship with the Kremlin and has evolved into a cyberespionage group that launches ransomware attacks to hide its true goals.

Steps to be taken

Evil Corp employs different types of malware and keeps modifying them to attack its targets. To withstand such sophisticated attacks, organizations need a multi-layered approach to infrastructure security. This includes a reliable anti-malware solution and robust security controls for every point of entry attackers can use, such as email and websites. In addition, enterprises are urged to educate their employees on how to identify malicious and spam emails. They can also deploy data encryption measures to protect important data and networks against such threats. As for the ransomware attacks now prominently used by Evil Corp, security experts suggest keeping systems up to date, taking regular backups of important data, and preparing a response plan for ransomware incidents.

Conclusion

Evil Corp's close relationship with Russian intelligence has seen this sophisticated threat actor evolve from a financially motivated cybercrime organization into a full-fledged cyberespionage group. Even though the group is still deploying ransomware, it may no longer be motivated by financial gain and may instead be leaning toward spying activities; as experts have observed, it does little to force victims into paying the ransom. It is likely that the entire WastedLocker/Hades ransomware campaigns were a pre-planned deception, with ransomware operations used as cover for the group's true espionage-related goals.

Indicators of Compromise

**PayloadBin**

Filename

PAYLOADBIN-README[.]txt

File Extension

.PAYLOADBIN

SHA256 hashes

69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

Hades Ransomware

SHA256


IP


Domains

currentteach[.]com

newschools[.]info

mega[.]nz

Filename

HOW-TO-DECRYPT-[extension].txt

**WastedLocker**

File Extension

.garminwasted

Filename

garminwasted_info

CDN endpoint for Domain Fronting to C2 Server

twimg-us[.]azureedge[.]net

CDN Domains

cdn[.]auditor[.]adobe[.]com

images[.]adsyndication[.]msn[.]com

lp-cdn[.]lastpass[.]com

Post-Exploitation Domains

roofingspecialists[.]info/file

Post-Exploitation IP Addresses

185[.]82[.]127[.]86

66[.]58[.]201[.]137

**CobaltStrike**

C&C Domains


**Custom CobaltStrike loader samples**

SHA256 hashes


**Gozi**

C&C Domains


Gozi samples (sha256 hashes)


WastedLocker samples (sha256 hashes)

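The following is an added defender-side example, not code from the original briefing: it refangs the `[.]`-style indicators used in this IoC section, flags the PayloadBin and WastedLocker ransom-note names and encrypted-file extensions in a file listing, and checks proxy log lines for a listed domain or for the SNI/Host mismatch that characterises domain fronting through a CDN edge such as the azureedge.net endpoint above. The proxy log format (`ts= src= sni= host=`) and the sample inputs are constructed assumptions; the fronting check is a heuristic, not a confirmed Evil Corp signature.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Indicators copied from the page's IoC section in the defanged form used there.
DEFANGED_DOMAINS = [
    "currentteach[.]com",
    "newschools[.]info",
    "roofingspecialists[.]info",
    "twimg-us[.]azureedge[.]net",  # CDN endpoint used to front the WastedLocker C2
]
# Ransom-note names and encrypted-file extensions listed on the page; the
# HOW-TO-DECRYPT note embeds the victim-specific extension, so it is a pattern.
RANSOM_NOTE_RE = re.compile(
    r"^(PAYLOADBIN-README\.txt|HOW-TO-DECRYPT-.+\.txt|garminwasted_info)$",
    re.IGNORECASE,
)
ENCRYPTED_EXTENSIONS = {".payloadbin", ".garminwasted"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' back into 'evil.com'."""
    return indicator.replace("[.]", ".")


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def classify_path(path: str) -> Optional[str]:
    """Label a file path as 'ransom_note', 'encrypted_file' or None."""
    name = PurePosixPath(path).name
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if PurePosixPath(name).suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted_file"
    return None


def check_proxy_line(line: str) -> Optional[str]:
    """Inspect one constructed proxy log line 'ts=... src=... sni=... host=...'.
    Returns 'known_c2' when SNI or Host is a listed domain, or the heuristic
    'possible_domain_fronting' when the TLS SNI names an azureedge.net edge
    but the HTTP Host header asks for a different name."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    sni, host = fields.get("sni", ""), fields.get("host", "")
    if sni in C2_DOMAINS or host in C2_DOMAINS:
        return "known_c2"
    if sni and host and sni != host and sni.endswith(".azureedge.net"):
        return "possible_domain_fronting"
    return None
```

Feed `classify_path` the output of a file-share inventory and `check_proxy_line` the TLS proxy export; a hit on `encrypted_file` alongside a `ransom_note` in the same directory is the point at which the month-long dwell time described above has already ended in encryption, so the proxy check is the earlier signal.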
