Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider started with the Dridex banking Trojan, and by 2017 had begun running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]

ID: G0119
Associated Groups: Evil Corp, Manatee Tempest, DEV-0243, UNC2165
Contributors: Jennifer Kim Roman, CrowdStrike; Liran Ravich, CardinalOps
Version: 4.1
Created: 06 January 2021
Last Modified: 28 October 2024

Associated Group Descriptions

Name             Description
Evil Corp        [2][3]
Manatee Tempest  [4]
DEV-0243         [4]
UNC2165          [5]

Techniques Used

Domain ID Name Use

Enterprise T1583 Acquire Infrastructure

Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments.[5]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire for execution of malware.[1][6]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victims' machines.[1][5]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Indrik Spider has used malicious JavaScript files for several components of their attack.[6]

Enterprise T1584.004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.[1]

Enterprise T1136 Create Account

Indrik Spider used wmic.exe to add a new user to the system.[6]

Enterprise T1136.001 Create Account: Local Account

Indrik Spider has created local system accounts and has added the accounts to privileged groups.[5]

Enterprise T1555.005 Credentials from Password Stores: Password Managers

Indrik Spider has accessed and exported passwords from password managers.[5]

Enterprise T1486 Data Encrypted for Impact

Indrik Spider has encrypted domain-controlled systems using BitPaymer.[1] Additionally, Indrik Spider used PsExec to execute a ransomware script.[5]

Enterprise T1074.001 Data Staged: Local Data Staging

Indrik Spider has stored collected data in a .tmp file.[6]

Enterprise T1587.001 Develop Capabilities: Malware

Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.[1]

Enterprise T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.[1][5]

Enterprise T1585.002 Establish Accounts: Email Accounts

Indrik Spider has created email accounts to communicate with their ransomware victims, including providing payment and decryption details.[1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.[5]

Enterprise T1590 Gather Victim Network Information

Indrik Spider has downloaded tools, such as the Advanced Port Scanner utility and Lansweeper, to conduct internal reconnaissance of the victim network. Indrik Spider has also accessed the victim's VMware vCenter, which held information about host configuration, clusters, and similar details.[5]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Indrik Spider used PsExec to configure Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[6] Indrik Spider has used MpCmdRun to revert the definitions in Microsoft Defender.[5] Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services.[5]

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

Indrik Spider has used Cobalt Strike to empty log files.[6] Additionally, Indrik Spider has cleared all event logs using wevtutil.[5]
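The two entries above (T1562.001, defender tampering via MpCmdRun and WMI, and T1070.001, log clearing via wevtutil) describe a sequence that is easy to spot in process-creation telemetry. The following detection sketch is an added example written for this page; it is not from ATT&CK or from the reports it cites. It assumes a constructed tab-separated log format (timestamp, host, user, command line) and constructed sample lines; the technique IDs are the ones used in the table, and the command-line patterns are the documented switches of the tools the entries name.

```python
"""Detection sketch for two Indrik Spider defense-evasion behaviours recorded above:
Microsoft Defender tampering via MpCmdRun/WMI (T1562.001) and event-log clearing
via wevtutil (T1070.001). Added example; the log format is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    user: str
    timestamp: str
    command_line: str


# Compiled case-insensitively: Windows command lines are case-insensitive and
# operators vary casing freely.
PATTERNS: Dict[str, re.Pattern] = {
    # T1070.001: "wevtutil cl <log>" (or clear-log) wipes an event log channel.
    "T1070.001": re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.I),
    # T1562.001: MpCmdRun -RemoveDefinitions rolls Defender signatures back.
    "T1562.001/MpCmdRun": re.compile(r"\bMpCmdRun(?:\.exe)?\b.*-RemoveDefinitions\b", re.I),
    # T1562.001: wmic service ... call stopservice/delete stops or removes a service.
    "T1562.001/WMI": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bservice\b.*\bcall\s+(?:stopservice|delete)\b", re.I),
}


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one log line into (timestamp, host, user, command_line); None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per (line, matching pattern), in log order."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, user, cmd = rec
        for technique, pattern in PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(technique, host, user, ts, cmd))
    return findings


def hosts_with_tamper_then_clear(findings: List[Finding]) -> List[str]:
    """Hosts where defender tampering precedes a log clear. Either event alone is
    noisy on admin workstations; the ordered pair is a much stronger signal."""
    first_tamper: Dict[str, str] = {}
    hits: List[str] = []
    for f in sorted(findings, key=lambda f: f.timestamp):
        if f.technique.startswith("T1562.001"):
            first_tamper.setdefault(f.host, f.timestamp)
        elif f.technique == "T1070.001" and f.host in first_tamper and f.host not in hits:
            hits.append(f.host)
    return hits


# Constructed sample telemetry, not real data. Lines 1, 2 and 6 are benign uses of
# the same binaries (log query, signature update, service listing) and must not fire.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z\tFS01\tCORP\\svc_backup\twevtutil.exe qe Security /c:5",
    "2024-05-01T10:02:10Z\tFS01\tCORP\\svc_backup\t\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -SignatureUpdate",
    "2024-05-01T10:05:33Z\tFS01\tCORP\\svc_backup\t\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All",
    "2024-05-01T10:06:02Z\tFS01\tCORP\\svc_backup\twmic service where \"name like '%defend%'\" call stopservice",
    "2024-05-01T10:09:45Z\tFS01\tCORP\\svc_backup\twevtutil cl Security",
    "2024-05-01T10:11:00Z\tWS07\tCORP\\jdoe\twmic service get name,state",
    "malformed line without tabs",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.technique:20} {f.host} {f.user} {f.command_line}")
    print("tamper-then-clear hosts:", hosts_with_tamper_then_clear(results))
```

On the sample, scan() flags the definition rollback, the WMI service stop and the Security log clear on FS01 while ignoring the query, update and listing commands; hosts_with_tamper_then_clear() then reduces those three hits to a single host-level alert. In production the same logic would run over Sysmon Event ID 1 or Security 4688 CommandLine fields, and a wevtutil clear should also be corroborated by Security Event ID 1102 on the host.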

Enterprise T1105 Ingress Tool Transfer

Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[1][6][5]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Indrik Spider used fake updates for the Flash Player plugin and Google Chrome as initial infection vectors.[1]

Enterprise T1112 Modify Registry

Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities.[5]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[6]

Enterprise T1012 Query Registry

Indrik Spider has used a service account to extract copies of the Security registry hive.[5]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Indrik Spider has used RDP for lateral movement.[5]

Enterprise T1021.004 Remote Services: SSH

Indrik Spider has used SSH for lateral movement.[5]

Enterprise T1018 Remote System Discovery

Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.[6]

Enterprise T1489 Service Stop

Indrik Spider has used PsExec to stop services prior to the execution of ransomware.[6]

Enterprise T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Indrik Spider has conducted Kerberoasting attacks using a module from GitHub.[5]

Enterprise T1007 System Service Discovery

Indrik Spider has used the Win32_Service WMI class to retrieve a list of services from the system.[6]

Enterprise T1552.001 Unsecured Credentials: Credentials In Files

Indrik Spider has searched files to obtain and exfiltrate credentials.[5]

Enterprise T1204.002 User Execution: Malicious File

Indrik Spider has attempted to get users to click on a malicious zipped file.[6]

Enterprise T1078 Valid Accounts

Indrik Spider has used valid accounts for initial access and lateral movement.[5] Indrik Spider has also maintained access to the victim environment through the VPN infrastructure.[5]

Enterprise T1078.002 Valid Accounts: Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.[1]

Enterprise T1047 Windows Management Instrumentation

Indrik Spider has used WMIC to execute commands on remote computers.[6]

Software

ID Name References Techniques
S0570 BitPaymer [1][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Execution Guardrails, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: NTFS File Attributes, Indicator Removal: Timestomp, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Query Registry, Remote System Discovery, System Service Discovery
S0154 Cobalt Strike [2][7][5] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0695 Donut [8] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Python, Command and Scripting Interpreter, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Impair Defenses: Disable or Modify Tools, Indicator Removal, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Process Discovery, Process Injection, Reflective Code Loading
S0384 Dridex [1][2][3] Application Layer Protocol: Web Protocols, Browser Session Hijacking, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Native API, Obfuscated Files or Information, Proxy, Proxy: Multi-hop Proxy, Remote Access Software, Scheduled Task/Job: Scheduled Task, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, User Execution: Malicious File
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0002 Mimikatz [1][5] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [6] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0612 WastedLocker [8][2][7][9] Abuse Elevation Control Mechanism: Bypass User Account Control, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: NTFS File Attributes, Hijack Execution Flow: DLL Search Order Hijacking, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Query Registry, System Services: Service Execution, Virtualization/Sandbox Evasion: System Checks

References