Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially operated the Dridex banking Trojan, and by 2017 had moved into ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed its tactics and diversified its toolset.[1][2][3]

ID: G0119
Associated Groups: Evil Corp, Manatee Tempest, DEV-0243, UNC2165
Contributors: Jennifer Kim Roman, CrowdStrike; Liran Ravich, CardinalOps
Version: 4.1
Created: 06 January 2021
Last Modified: 28 October 2024

Associated Group Descriptions

Name: Description
Evil Corp: [2][3]
Manatee Tempest: [4]
DEV-0243: [4]
UNC2165: [5]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Indrik Spider has used WMIC to execute commands on remote computers.[6]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Indrik Spider has accessed and exported passwords from password managers.[5]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Indrik Spider used fake updates for the FlashPlayer plugin and Google Chrome as initial infection vectors.[1]

Enterprise T1112 Modify Registry

Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities.[5]

Enterprise T1136 Create Account

Indrik Spider used wmic.exe to add a new user to the system.[6]

.001 Local Account

Indrik Spider has created local system accounts and has added the accounts to privileged groups.[5]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire for execution of malware.[1][6]

.003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victims' machines.[1][5]

.007 Command and Scripting Interpreter: JavaScript

Indrik Spider has used malicious JavaScript files for several components of their attack.[6]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.[1][5]

Enterprise T1584 .004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Indrik Spider used PsExec to reconfigure Windows Defender so that it would not scan downloaded files and so that real-time monitoring was restricted.[6] Indrik Spider has used MpCmdRun to revert the definitions in Microsoft Defender.[5] Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services.[5]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Indrik Spider has created email accounts to communicate with their ransomware victims, including providing payment and decryption details.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[6]

Enterprise T1590 Gather Victim Network Information

Indrik Spider has downloaded tools, such as the Advanced Port Scanner utility and Lansweeper, to conduct internal reconnaissance of the victim network. Indrik Spider has also accessed the victim's VMware vCenter, which held information about host configuration, clusters, and similar details.[5]

Enterprise T1074 .001 Data Staged: Local Data Staging

Indrik Spider has stored collected data in a .tmp file.[6]

Enterprise T1486 Data Encrypted for Impact

Indrik Spider has encrypted domain-controlled systems using BitPaymer.[1] Additionally, Indrik Spider used PsExec to execute a ransomware script.[5]

Enterprise T1078 Valid Accounts

Indrik Spider has used valid accounts for initial access and lateral movement.[5] Indrik Spider has also maintained access to the victim environment through the VPN infrastructure.[5]

.002 Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.[1]

Enterprise T1489 Service Stop

Indrik Spider has used PsExec to stop services prior to the execution of ransomware.[6]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Indrik Spider has searched files to obtain and exfiltrate credentials.[5]

Enterprise T1012 Query Registry

Indrik Spider has used a service account to extract copies of the Security Registry hive.[5]

Enterprise T1204 .002 User Execution: Malicious File

Indrik Spider has attempted to get users to click on a malicious zipped file.[6]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Indrik Spider has used Cobalt Strike to empty log files.[6] Additionally, Indrik Spider has cleared all event logs using wevtutil.[5]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Indrik Spider has conducted Kerberoasting attacks using a module from GitHub.[5]

Enterprise T1007 System Service Discovery

Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.[6]

Enterprise T1583 Acquire Infrastructure

Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments.[5]

Enterprise T1105 Ingress Tool Transfer

Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[1][6][5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Indrik Spider has used RDP for lateral movement.[5]

.004 Remote Services: SSH

Indrik Spider has used SSH for lateral movement.[5]

Enterprise T1018 Remote System Discovery

Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.[6]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.[5]

Software

ID Name References Techniques
S0570 BitPaymer [1][2] Modify Registry, Create or Modify System Process: Windows Service, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Execution Guardrails, Data Encrypted for Impact, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, Inhibit System Recovery, System Service Discovery, Network Share Discovery, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Remote System Discovery, Hide Artifacts: NTFS File Attributes
S0154 Cobalt Strike [2][7][5] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0695 Donut [8] Reflective Code Loading, Command and Scripting Interpreter: Python, Command and Scripting Interpreter, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Indicator Removal, Ingress Tool Transfer, Process Discovery, Process Injection
S0384 Dridex [1][2][3] Proxy, Proxy: Multi-hop Proxy, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Application Layer Protocol: Web Protocols, Native API, Browser Session Hijacking, Obfuscated Files or Information, User Execution: Malicious File, System Binary Proxy Execution: Regsvr32, System Information Discovery, Software Discovery, Remote Access Software, Scheduled Task/Job: Scheduled Task
S0363 Empire [1] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0002 Mimikatz [1][5] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0029 PsExec [6] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0612 WastedLocker [8][2][7][9] Modify Registry, Create or Modify System Process: Windows Service, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Native API, Query Registry, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, Inhibit System Recovery, System Services: Service Execution, Network Share Discovery, Virtualization/Sandbox Evasion: System Checks, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: NTFS File Attributes

References