Actor Profile: DEV-0243 – from FakeUpdates to Ransomware

Executive summary

The threat actor that Microsoft tracks as DEV-0243, which overlaps with activity tracked by the cyber intelligence industry as EvilCorp , is a Russia-based cybercriminal group that’s been active since June 2014. It was also notorious for one of its earliest malware campaigns – the Dridex banking trojan.  DEV-0243 is also one of the first groups to be sanctioned by Office of Foreign Assets Control (OFAC) in 2019. The actor is known for constantly rebranding their malware and shifting tactics to avoid attribution and disassociate themselves from said sanctions.

DEV-0243’s latest tactics rely on a partnership with DEV-0206, an access broker that facilitates access to target networks. DEV-0243 has been observed targeting organizations across a diverse array of industries with methods such as drive-by download, including malvertising and FakeUpdates (also known as SocGholish) infections facilitated by DEV-0206 to obtain initial access to ultimately deploy ransomware. The actor also uses domain fronting to establish command-and-control channel for Cobalt Strike beacons. As of November 2022, DEV-0243 continues to leverage FakeUpdates for initial compromise, followed by BLISTER loader to deliver Cobalt Strike beacons which are used for lateral movement and ransomware deployment.

Microsoft 365 Defender detects DEV-0243 activity with the alert Ransomware-linked emerging threat activity group DEV-0243 detected. Granting minimal user privileges and using SmartScreen and Safe Links, network protection, and other capabilities in Microsoft 365 Defender can significantly limit the impact of these attacks on your network.

For further recommendations on developing a holistic security strategy to prevent pre-ransom impact, refer to the guidance in our Ransomware as a service blog.

Please click on this link to read the full article:

Actor Profile: DEV-0243 – from FakeUpdates to Ransomware
Scroll to top