Share Blog Post
Origin: 2009
Alias: TA505
Infection Vectors: Unauthorized Access, Living off the Land Attack, Spam Emails, Redirection attack, Phishing, Social Engineering, DNS Poisoning
Targeted Sectors: Manufacturing, Information Technology, Media, Transportation, Financial Services, Government/Military, Healthcare, Electronics, Communications
Targeted Regions: Eastern and Western Europe, North America, South America, Central America, Africa
Motive: Ransom, Data Theft
Threat Level: Very High
Introduction
The name Evil Corp is inspired by a fictional multinational corporation from the cybercrime-based television TV show Mr. Robot. This well-known, infamous cybercrime enterprise is allegedly based out of Moscow, Russia. The group is known for using malicious programs to steal money from victims' bank accounts. Active since 2009, it has targeted a plethora of bank accounts around the world, stealing hundreds of millions of dollars. It is believed to be amongst the world's largest and most dangerous hacking groups. The adversary uses Zeus malware and Dridex banking Trojan in its campaigns. Further, it has been observed leveraging ransomware families such as Jaff, Locky, Bart, BitPaymer, PayloadBin, WastedLocker, and Hades.
Infection Vectors
From 2009 to 2016, this cybercrime enterprise used various types of malware (Locky, Bart, Jaff, and BitPaymer) to target user machines. One of its famous malware, Dridex, uses a combination of several techniques which allow it to automatically steal banking credentials. Dridex is spread via phishing email campaigns, often reaching a frequency of millions of messages per day. Usually, its targets receive seemingly genuine emails with a malicious link in the body of the message to infect targeted machines. More recent changes to Dridex help in the installation of ransomware. These changes were, however, observed in late 2010 when ransomware started gaining popularity in the underground marketplaces.
The ransomware incidents from 2020 involved the use of TTPs previously linked with SilverFish, the sophisticated cyber-espionage group associated with the SolarWinds attack. The attacks would begin with a drive-by download that eventually leads to the installation of a backdoor providing access to the victim machine. In the second stage of payload, actors deploy Cobalt Strike, which begins network discovery activities within a few mins and takes over the full infrastructure within four hours. Although the adversary is able to obtain access to Active Directory within hours, internal reconnaissance and data discovery start after a week. During this stage, the attacker uninstalls security software, while the Wasted Locker ransomware gets deployed only a month after the initial attack.
Rebranding Efforts
In 2019, the U.S. Treasury Department announced new sanctions on Evil Corp for using malware for stealing more than $100 million from hundreds of financial institutions. After being sanctioned, the group disappeared for a brief period of time only to return back in action in January 2021. Soon, it started rebranding its ransomware operations with different names (Phoenix, WastedLocker, and Hades) to avoid these sanctions. In April 2021, the group was observed portraying itself as the Babuk group and claimed to quit its ransomware activities. Later, in the month of June, when the Babuk Locker operators rebranded their leak site as PayloadBin leak portal, around the same time Evil Corp also rebranded itself as a new group named payload bin. The recent rebranded version was seen adding ‘.PAYLOADBIN’ extension to encrypted files. It was an attempt made by Evil Corp to dupe victims into violating the Office of Foreign Assets Control (OFAC) regulations.
Attribution
Evil Corp is believed to be operated by Russian nationals Igor Turashevand and Maksim Yakubets, who were charged by the U.S. in 2019. Prior to the indictment, Yakubets had been working for Russian intelligence since 2017. According to the new evidence by Truesec security researchers, Evil Corp shares a close relationship with the Kremlin. and has evolved into a cyberespionage group launching ransomware attacks to hide its true goals.
Steps to be taken
Evil Corp employs different types of malware and keeps modifying them to attack its targets. To avoid such sophisticated attacks, organizations need to have a multi-layered approach toward infrastructure security. This can include a reliable anti-malware solution and robust security mechanisms for all points of entry attackers can use, for example, email and websites. In addition, enterprises are urged to educate their employees on ways to identify malicious and spamming emails. Moreover, they can deploy data encryption measures to protect important data and networks against such threats. As for ransomware attacks now prominently used by Evil Corp, security experts suggest staying up-to-date, taking regular backup of important data, and making a response plan for ransomware attack situations.
Conclusion
Evil Corp’s close relation with Russian intelligence resulted in the sophisticated threat actor evolving from a financially motivated cybercrime organization to a full-fledged cyberespionage group. Even though the group is still deploying ransomware, it may no longer be motivated by financial gain, and possibly leaning towards spying activities. It does little to force victims into paying the ransom, as observed by experts. It is likely that the entire Wasted Locker/Hades ransomware campaigns were pre-planned deception to hide their cyberespionage campaign. There is a possibility that they are using the deception of ransomware operations to hide their true espionage-related goals.
Indicator of Compromise
PayloadBin
Filename
PAYLOADBIN-README[.]txt
File Extention
.PAYLOADBIN
SHA256 hashes
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
Hades Ransomware
SHA256
e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0 ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d 0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00 fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
IP
185[.]162[.]131[.]99
185[.]250[.]151[.]33
185[.]63[.]253[.]131
8[.]208[.]22[.]215
82[.]148[.]28[.]9
8[.]208[.]16[.]206
119[.]18[.]58[.]41
Domains
currentteach[.]com
newschools[.]info
mega[.]nz
Filename
HOW-TO-DECRYPT-[extension].txt
WastedLocker
File Extention
.garminwasted
File name
garminwasted_info
CDN endpoint for Domain Fronting to C2 Server
twimg-us[.]azureedge[.]net
CDN Domains
cdn[.]auditor[.]adobe[.]com
images[.]adsyndication[.]msn[.]com
lp-cdn[.]lastpass[.]com
Post-Exploitation Domains
roofingspecialists[.]info/file
Post-Exploitation IP Addresses
185[.]82[.]127[.]86
66[.]58[.]201[.]137
CobaltStrike
C&C Domains
adsmarketart[.]com
advancedanalysis[.]be
advertstv[.]com
amazingdonutco[.]com
cofeedback[.]com
consultane[.]com
dns[.]proactiveads[.]be
mwebsoft[.]com
rostraffic[.]com
traffichi[.]com
typiconsult[.]com
websitelistbuilder[.]com
Custom CobaltStrike loader samples
SHA256 hashes
2f72550c99a297558235caa97d025054f70a276283998d9686c282612ebdbea0
389f2000a22e839ddafb28d9cf522b0b71e303e0ae89e5fc2cd5b53ae9256848
3dfb4e7ca12b7176a0cf12edce288b26a970339e6529a0b2dad7114bba0e16c3
714e0ed61b0ae779af573dce32cbc4d70d23ca6cfe117b63f53ed3627d121feb
810576224c148d673f47409a34bd8c7f743295d536f6d8e95f22ac278852a45f
83710bbb9d8d1cf68b425f52f2fb29d5ebbbd05952b60fb3f09e609dfcf1976c
91e18e5e048b39dfc8d250ae54471249d59c637e7a85981ab0c81cf5a4b8482d
adabf8c1798432b766260ac42ccdd78e0a4712384618a2fc2e3695ff975b0246
b0354649de6183d455a454956c008eb4dec093141af5866cc9ba7b314789844d
bc1c5fecadc752001826b736810713a86cfa64979b3420ab63fe97ba7407f068
c781c56d8c8daedbed9a15fb2ece165b96fdda1a85d3beeba6bb3bc23e917c90
c7cde31daa7f5d0923f9c7591378b4992765eac12efa75c1baaaefa5f6bdb2b6
f093b0006ef5ac52aa1d51fee705aa3b7b10a6af2acb4019b7bc16da4cabb5a1
Gozi
C&C Domains
bettyware[.]xyz
celebratering[.]xyz
fakeframes[.]xyz
gadgetops[.]xyz
hotphonecall[.]xyz
justbesarnia[.]xyz
kordelservers[.]xyz
tritravlife[.]xyz
veisllc[.]xyz
wineguroo[.]xyz
Gozi samples (sha256 hashes)
5706e1b595a9b7397ff923223a6bc4e4359e7b1292eaed5e4517adc65208b94b
ba71ddcab00697f42ccc7fc67c7a4fccb92f6b06ad02593a972d3beb8c01f723
c20292af49b1f51fac1de7fd4b5408ed053e3ebfcb4f0566a2d4e7fafadde757
cf744b04076cd5ee456c956d95235b68c2ec3e2f221329c45eac96f97974720a
WastedLocker samples (sha256 hashes)
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
Tags
Posted on: June 23, 2021
More from Cyware
Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.
The Virtual Cyber Fusion Suite
