Researchers have investigated multiple LockBit intrusions that they attribute to a threat cluster sharing numerous overlaps with the well-known Evil Corp cybercriminal group. The use of LockBit would signify a notable shift in tactics for the group, which researchers believe is part of an effort to both evade detection and sidestep the 2019 sanctions placed on Evil Corp by the U.S. government.
The financially motivated threat cluster in question, called UNC2165, has significant similarities to campaigns that have been publicly attributed to Evil Corp. For instance, the actor relies heavily on an infection chain called FakeUpdates - a multi-stage JavaScript dropper that typically masquerades as a browser update - to obtain initial access. Researchers also noted overlaps in the infrastructure and ransomware used by the two groups.
“Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions,” said researchers with Mandiant in a Thursday analysis.
Previously, Evil Corp-affiliated activity was associated with a number of ransomware variants, including Bitpaymer, Doppelpaymer, WastedLocker, and most recently, the Hades ransomware.
Researchers said that this UNC2165 activity, which dates back to June 2020, likely represents another evolution in the operations of Evil Corp-affiliated actors since the 2019 Treasury Department Office of Foreign Assets Control (OFAC) sanctions against Evil Corp individuals for their roles in campaigns involving the Dridex malware. Since the sanctions, Evil Corp-affiliated actors have reduced their use of Dridex to enable intrusions, relying instead on the development of new ransomware families in order to obscure attribution. Four months after the sanctions were announced, for instance, researchers at NCC Group observed Evil Corp attackers using the previously unknown WastedLocker ransomware.
The widespread use of LockBit by several different threat actors over the past few years makes it an attractive choice for the attackers, said researchers. The RaaS has been advertised in underground forums since 2020 and has a prominent affiliate program. The use of this ransomware would allow UNC2165 to blend in with other affiliates while the previous ransomware the group exclusively used was more easily attributable.
“Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LockBit as a more cost-effective choice,” said researchers. “The use of a RaaS would eliminate the ransomware development time and effort allowing resources to be used elsewhere, such as broadening ransomware deployment operations.”
The research provides hints about how cybercriminals adapt after they have been hit by sanctions, a tool the U.S. government has used repeatedly to crack down on certain threat groups, though opinions are mixed about how effective sanctions actually are in combating ransomware. It also shows how the RaaS model effectively conceals cybercriminal gangs that may be well known, allowing threat groups or even state actors to leverage the model to carry out their operations anonymously.
Upon closer examination of UNC2165, researchers were able to track how the tactics used in the activity cluster's ransomware attacks have evolved over time. In 2021, for instance, the actors leveraged publicly available loaders like the Donut loader to deploy Beacon payloads; since late 2021, however, they have used the Colorfake (also known as Blister) dropper. The actors have taken several common approaches to privilege escalation, including Mimikatz, the targeting of authentication data stored in the Windows registry, and searching for files associated with password managers or that may contain plaintext credentials. Researchers also noted that, based on information from trusted sensitive sources and underground forum activity, they have “moderate confidence” that a particular unnamed actor operating on underground forums is affiliated with UNC2165.
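The credential-theft behaviours listed above are visible in process-creation telemetry, so a defender can hunt for them without knowing which ransomware will follow. The following is an added example, not code from the article or from Mandiant's report: a small rule-based scan over constructed, Sysmon-style process events that flags registry hive dumps, Mimikatz module syntax and searches for password-manager vaults or plaintext credential files, then surfaces accounts that trigger more than one of those behaviours. The sample events, the pipe-delimited log format and the specific command strings are assumptions made for the example; they are common instances of these techniques, not commands attributed to UNC2165.

```python
"""
Added example (not from the article or Mandiant's report): rule-based hunt
over process-creation events for the credential-access behaviours the
paragraph describes. Log format, sample events and command strings are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    rule: str
    user: str
    command: str


# (rule name, regex applied to the process command line)
RULES = [
    # Dumping credential material from the registry: 'reg save' / 'reg export'
    # of the SAM, SECURITY or SYSTEM hives. 'reg query' is ignored on purpose.
    ("registry_hive_dump",
     re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+"
                r"(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)),
    # Mimikatz module syntax (sekurlsa::logonpasswords, lsadump::sam, ...).
    # Matched on the arguments, not the image name, because the binary is
    # routinely renamed before use.
    ("mimikatz_module_syntax",
     re.compile(r"\b(?:sekurlsa|lsadump|kerberos|privilege)::\w+", re.I)),
    # Searches for password-manager vaults or files likely to hold plaintext
    # credentials (findstr for 'password', wildcard searches for vault files).
    ("credential_file_search",
     re.compile(r"(?:\bfindstr\b.*\bpass(?:word|wd)?\b"
                r"|\*\.(?:kdbx|psafe3|opvault|1pif)\b"
                r"|\bdir\b.*\bpass)", re.I)),
]

# Constructed events: timestamp|user|image|command line. Only the last
# event is benign (a user opening their own KeePass database).
SAMPLE_EVENTS = """\
2022-06-02T10:01:12Z|CORP\\jdoe|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv
2022-06-02T10:01:15Z|CORP\\jdoe|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv
2022-06-02T10:03:40Z|CORP\\jdoe|C:\\Users\\Public\\svc.exe|svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2022-06-02T10:05:02Z|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd /c dir /s /b C:\\Users\\*.kdbx
2022-06-02T10:05:30Z|CORP\\jdoe|C:\\Windows\\System32\\findstr.exe|findstr /si password *.txt *.xml *.config
2022-06-02T10:07:00Z|CORP\\admin|C:\\Windows\\System32\\reg.exe|reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
2022-06-02T10:08:00Z|CORP\\alice|C:\\Program Files\\KeePass\\KeePass.exe|"C:\\Program Files\\KeePass\\KeePass.exe" C:\\Users\\alice\\vault.kdbx
"""


def parse_event(line: str) -> Optional[dict]:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, user, image, cmd = parts
    return {"ts": ts, "user": user, "image": image, "cmd": cmd}


def scan(log_text: str) -> list:
    """Return one Finding per (event, rule) match, in log order."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                findings.append(Finding(name, ev["user"], ev["cmd"]))
    return findings


def users_with_credential_access_chain(findings: list, min_rules: int = 2) -> list:
    """Accounts that triggered at least `min_rules` distinct rules.

    A single hit is noisy (administrators do run reg.exe); several distinct
    credential-access behaviours from one account is the pattern worth
    escalating. Correlation here is by user only, not by time window.
    """
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.rule)
    return sorted(u for u, rules in by_user.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:24s} {h.user:12s} {h.command}")
    print("escalate:", users_with_credential_access_chain(hits))
```

On the constructed sample this flags five events, all from the same account, and leaves the administrator's `reg query` and the user's normal KeePass launch alone; in production the rules would be fed from the EDR or Sysmon event 1 stream rather than a text blob, and the user-level correlation would be bounded by a time window.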
Moving forward, Mandiant researchers believe it may be possible for the actors behind UNC2165 to “continue to take additional steps to distance themselves from the Evil Corp name.”
“Some evidence of this developing trend already exists given UNC2165 has leveraged stolen credentials in a subset of intrusions, which is consistent with a suspected member’s underground forum activity,” said researchers. “We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims.”