November 24, 2024

The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in an attempt to get around sanctions imposed by the U.S. Treasury in December 2019.

“These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions,” threat intelligence firm Mandiant noted in an analysis last week.

Active since 2019, UNC2165 is known to obtain initial access to victim networks via stolen credentials and a JavaScript-based downloader malware called FakeUpdates (aka SocGholish), which it previously leveraged to deploy Hades ransomware.

Hades is the work of a financially motivated hacking group named Evil Corp, which is also known by the monikers Gold Drake and Indrik Spider and to which the infamous Dridex (aka Bugat) trojan, as well as other ransomware strains such as BitPaymer, DoppelPaymer, and WastedLocker, have been attributed over the past five years.

UNC2165’s pivot from Hades to LockBit as a sanctions-dodging tactic is said to have occurred in early 2021.

Interestingly, FakeUpdates has also, in the past, served as the initial infection vector for distributing Dridex that then was used as a conduit to drop BitPaymer and DoppelPaymer onto compromised systems.

Mandiant said it noted further similarities between UNC2165 and an Evil Corp-connected cyber espionage activity tracked by Swiss cybersecurity firm PRODAFT under the name SilverFish, which is aimed at government entities and Fortune 500 companies in the E.U. and the U.S.

A successful initial compromise is followed by a string of actions as part of the attack lifecycle, including privilege escalation, internal reconnaissance, lateral movement, and maintaining long-term remote access, before delivering the ransomware payloads.

Sanctions are used as a means to rein in ransomware attacks, since they bar victims from negotiating with the threat actors. But adding a ransomware group to a sanctions list, without naming the individuals behind it, is complicated by the fact that cybercriminal syndicates often shutter, regroup, and rebrand under a different name to circumvent law enforcement.

“The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” Mandiant said, while also ensuring that sanctions are “not a limiting factor to receiving payments from victims.”

“Using this RaaS would allow UNC2165 to blend in with other affiliates,” the company added, stating, “it is plausible that the actors behind UNC2165 operations will continue to take additional steps to distance themselves from the Evil Corp name.”

The findings from Mandiant, which is in the process of being acquired by Google, are particularly significant as the LockBit ransomware gang has since alleged that it breached the company’s network and stole sensitive data.

The group, beyond threatening to release “all available data” on its data leak portal, didn’t specify the exact nature of the contents in those files. However, Mandiant said there is no evidence to support the claim.

“Mandiant has reviewed the data disclosed in the initial LockBit release,” the company told The Hacker News. “Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant’s June 2, 2022 research on UNC2165 and LockBit.”