Indrik Spider

Indrik Spider is a financially motivated threat group that has leveraged the Dridex banking trojan since at least June 2014 and delivered ransomware variants since 2017.[1]

ID: G0119
Version: 1.0
Created: 06 January 2021
Last Modified: 20 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Indrik Spider has used PowerShell Empire for execution of malware.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Indrik Spider has used batch scripts on victim's machines.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

Indrik Spider has served fake updates via legitimate websites that have been compromised.[1]

Enterprise T1486 Data Encrypted for Impact

Indrik Spider has encrypted domain-controlled systems using BitPaymer.[1]

Enterprise T1484 .001 Domain Policy Modification: Group Policy Modification

Indrik Spider has used Group Policy Objects to deploy batch scripts.[1]

Enterprise T1105 Ingress Tool Transfer

Indrik Spider has downloaded and installed the Dridex loader on compromised machines.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[1]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Indrik Spider has collected credentials from infected systems, including domain accounts.[1]

Software

ID Name References Techniques
S0570 BitPaymer [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Execution Guardrails, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: NTFS File Attributes, Indicator Removal on Host: Timestomp, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information, Query Registry, Remote System Discovery, System Service Discovery
S0384 Dridex [1] Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Man in the Browser, Proxy, Remote Access Software
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

References