← All Threat Actors
Threat Actor Profile

INDRIK SPIDER

DEV-0243 Evil Corp G0119 Manatee Tempest UNC2165
▲ High Threat
INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware. In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.
Origin Russia

Known TTPs

LSASS Memory
Malware
Create Account
Modify Registry
Match Legitimate Resource Name or Location
System Service Discovery
Acquire Infrastructure
Disable or Modify Tools
Local Data Staging
Remote Desktop Protocol
Password Managers
Gather Victim Network Information
PowerShell
Domain Accounts
Credentials In Files
Exfiltration to Cloud Storage
Windows Command Shell
Group Policy Modification
Windows Management Instrumentation
Valid Accounts
Data Encrypted for Impact
Clear Windows Event Logs
Local Account
Remote System Discovery
JavaScript
Email Accounts
Ingress Tool Transfer
Service Stop
Query Registry
Kerberoasting
Malicious File
SSH
Server

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD