Sophos discovers code similarities in Dridex botnet and

OXFORD, UK, Feb. 23, 2022 (GLOBE NEWSWIRE) — Sophos, a global leader in next-generation cybersecurity, today released a new study, “Dridex Bots Deliver Entropy in Recent Attacks,” which details code similarities between the general-purpose Dridex botnet and the little-known ransomware Entropy. The similarities lie in the software packer used to conceal the ransomware code, the malware subroutines that locate and obfuscate the commands (API calls) the malware makes, and the subroutines used to decrypt the encrypted text strings (ciphertext) embedded in the code.

Sophos discovered the similarities while investigating two incidents in which attackers used Dridex to distribute Entropy ransomware. The attacks targeted a media company and a regional government agency, using specially crafted, customized versions of the Entropy ransomware dynamic link library (DLL) with the target’s name embedded in the ransomware’s code. In both attacks, the attackers also deployed Cobalt Strike on some of the targets’ computers and exfiltrated data to cloud storage providers using the legitimate WinRAR compression tool, before launching the ransomware on unprotected computers.

“It is not uncommon for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, to intentionally mislead attribution, or to distract security researchers. This approach makes it harder to find evidence that supports a related malware ‘family’ or to identify ‘false flags’ that can make it easier for attackers and harder for investigators,” said Andrew Brandt, principal researcher at Sophos. “In this analysis, Sophos focused on aspects of the code that Dridex and Entropy apparently use to make forensic analysis more difficult. These include packer code, which prevents easy static analysis of the underlying malware; a subroutine that the programs use to conceal the command (API) calls they make; and a subroutine that decrypts the encrypted text strings embedded in the malware. The researchers found that the subroutines of the two malware families had fundamentally similar code flow and logic.”

Different attack methodology

In addition to the code similarities, Sophos researchers found notable differences in attack methodology. During the attack on the media organization, the adversaries used the ProxyShell exploit against a vulnerable Exchange server to install a remote shell, which they then used to push Cobalt Strike beacons to other computers. The attackers were in the network for four months before launching Entropy in early December 2021.

During the attack on the regional government organization, the target was infected with Dridex via a malicious email attachment. The attackers then used Dridex to deliver additional malware and move laterally within the target’s network. Incident analysis shows that approximately 75 hours after the initial detection of a suspicious login attempt on a single machine, the attackers began stealing data and moving it to a series of cloud providers.

Stay protected

The investigation revealed that in both cases the attackers were able to take advantage of unpatched, vulnerable Windows systems and to abuse legitimate tools. Regular security patching, together with active investigation of suspicious alerts by threat hunters and security operations teams, will make it harder for attackers to gain initial access to a target and deploy malicious code.

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research.

For more information, read the article “Dridex Bots Deliver Entropy in Recent Attacks”.

Additional Resources

  • Further details on the evolving cyber threat landscape can be found in the Sophos 2022 Threat Report.
  • Tactics, techniques and procedures (TTPs) and more for different types of threats can be found at SophosLabs Uncut, which provides the latest threat intelligence from Sophos.
  • Information on attacker behaviors, incident reports and guidance for security operations professionals can be found at Sophos News SecOps.
  • Learn more about the Sophos Rapid Response service, which contains, neutralizes and investigates attacks 24/7.
  • Top four tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response team.
  • Read the latest security news and opinion on Sophos’s award-winning news website Naked Security and on Sophos News.

About Sophos
Sophos is a global leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries against today’s most advanced cyber threats. Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos offers a broad portfolio of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyberattacks. Sophos provides a single integrated cloud-based management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers and other cybersecurity providers. Sophos sells its products and services through channel partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, UK. For more information, visit
