1. Home
  2. Groups
  3. Indrik Spider

Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]

ID: G0119
Associated Groups: Evil Corp, Manatee Tempest, DEV-0243
Contributors: Jennifer Kim Roman, CrowdStrike
Version: 4.0
Created: 06 January 2021
Last Modified: 17 April 2024
Version Permalink

Associated Group Descriptions

Name Description
Evil Corp

[2][3]
Manatee Tempest

[4]
DEV-0243

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire for execution of malware.[1][5]

.003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victim's machines.[1]

.007 Command and Scripting Interpreter: JavaScript

Indrik Spider has used malicious JavaScript files for several components of their attack.[5]
Enterprise T1584 .004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.[1]

Enterprise T1136 Create Account

Indrik Spider used wmic.exe to add a new user to the system.[5]
Enterprise T1486 Data Encrypted for Impact

Indrik Spider has encrypted domain-controlled systems using BitPaymer.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

Indrik Spider has stored collected date in a .tmp file.[5]
Enterprise T1587 .001 Develop Capabilities: Malware

Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.[1]
Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.[1]
Enterprise T1585 .002 Establish Accounts: Email Accounts

Indrik Spider has created email accounts to communicate with their ransomware victims, to include providing payment and decryption details.[1]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[5]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Indrik Spider has used Cobalt Strike to empty log files.[5]
Enterprise T1105 Ingress Tool Transfer

Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[1][5]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[5]
Enterprise T1018 Remote System Discovery

Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.[5]
Enterprise T1489 Service Stop

Indrik Spider has used PsExec to stop services prior to the execution of ransomware.[5]
Enterprise T1007 System Service Discovery

Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.[5]

Enterprise T1204 .002 User Execution: Malicious File

Indrik Spider has attempted to get users to click on a malicious zipped file.[5]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.[1]
Enterprise T1047 Windows Management Instrumentation

Indrik Spider has used WMIC to execute commands on remote computers.[5]

Software

ID Name References Techniques
S0570 BitPaymer [1][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Execution Guardrails, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: NTFS File Attributes, Indicator Removal: Timestomp, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Query Registry, Remote System Discovery, System Service Discovery
S0154 Cobalt Strike [2][6] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0695 Donut [7] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Python, Command and Scripting Interpreter, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Impair Defenses: Disable or Modify Tools, Indicator Removal, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Process Discovery, Process Injection, Reflective Code Loading
S0384 Dridex [1][2][3] Application Layer Protocol: Web Protocols, Browser Session Hijacking, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Native API, Obfuscated Files or Information, Proxy, Proxy: Multi-hop Proxy, Remote Access Software, Scheduled Task/Job: Scheduled Task, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, User Execution: Malicious File
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [5] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0612 WastedLocker [7][2][6][8] Abuse Elevation Control Mechanism: Bypass User Account Control, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: NTFS File Attributes, Hijack Execution Flow: DLL Search Order Hijacking, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Query Registry, System Services: Service Execution, Virtualization/Sandbox Evasion: System Checks

References

  1. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  2. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
  3. U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.
  4. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  1. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  2. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  3. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  4. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.