Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

Cybercrime gang tracked as TA505 has been active since 2014 and focusing on Retail and Banking industries. The group that is known for the distribution of the Dridex Trojan and the Locky ransomware, has released other pieces of malware including the tRat backdoor and the AndroMut downloader .

In mid-2017, the group released BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.

“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.

“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”

Now experts found a new variant of the ransomware tracked as DoppelPaymer. The discovery suggests that some members of TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop a new malware.

First variants of BitPaymer initially delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions did not include the above info, instead, the variant appeared in the threat landscape since July 2018 only included two emails to negotiate the ransom and to contact to receive the instructions for the payment.

The latest variant observed by the experts in November 2018 includes the victim’s name in the ransom note, it also uses 256-bit AES in cipher block chaining (CBC) mode for encryption.

“Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.” continues the analysis.

According to the experts, DoppelPaymer was used for the first time in a targeted attack in June 2019. Experts detected eight distinct malware builds that was used at least in attacks against three victims.

The ransom amounts asked to the victims in the attacks were different and ranged from approximately $25,000 to $1,200,000 worth of Bitcoin.

The ransom note dropped by the DoppelPaymer ransomware doesn’t include the ransom amount, instead, it contains the onion address for a TOR-based payment portal that is identical to the original BitPaymer portal.

The authors of DoppelPaymer improved the source code of the BitPaymer.

“ numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted.” continues the report. “The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe.”

DoppelPaymer leverages ProcessHacker, a legitimate open-source administrative utility, to terminates processes and services that may interfere with the file encryption proces s .

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation,”

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomare, TA505)

Share this...

Linkedin Reddit Pinterest

Share On