Indrik Spider | APT Profile

Description

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

Techniques Used (TTPs)

T1003.001 — LSASS Memory (credential-access)
T1587.001 — Malware (resource-development)
T1136 — Create Account (persistence)
T1112 — Modify Registry (defense-evasion, persistence)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1007 — System Service Discovery (discovery)
T1583 — Acquire Infrastructure (resource-development)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1074.001 — Local Data Staging (collection)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1555.005 — Password Managers (credential-access)
T1590 — Gather Victim Network Information (reconnaissance)
T1059.001 — PowerShell (execution)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1552.001 — Credentials In Files (credential-access)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1059.003 — Windows Command Shell (execution)
T1484.001 — Group Policy Modification (defense-evasion, privilege-escalation)
T1047 — Windows Management Instrumentation (execution)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1486 — Data Encrypted for Impact (impact)
T1136.001 — Local Account (persistence)
T1018 — Remote System Discovery (discovery)
T1059.007 — JavaScript (execution)
T1585.002 — Email Accounts (resource-development)
T1105 — Ingress Tool Transfer (command-and-control)
T1489 — Service Stop (impact)
T1012 — Query Registry (discovery)
T1558.003 — Kerberoasting (credential-access)
T1204.002 — Malicious File (execution)
T1021.004 — SSH (lateral-movement)
T1584.004 — Server (resource-development)

Total TTPs: 33

Malware & Tools

Malware: BitPaymer, Cobalt Strike, Dridex, WastedLocker

Tools: Donut, Empire, Mimikatz, PsExec

← Return to Home ← Back to APT Search