June 04, 2021 — 5 min read
Threat analysis: DoppelPaymer ransomware
DoppelPaymer is a successor to the BitPaymer ransomware and is part of the Dridex malware family. It is currently distributed in various forms, including phishing or spam emails carrying attached documents embedded with malicious JavaScript or VBScript code. On execution, this code downloads DoppelPaymer's first-stage loader onto the victim's machine. The attackers then use the PowerShell Empire toolkit to run a brute-force attack against Active Directory, and the Mimikatz module is used to dump passwords from system memory.
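From the defender's side, the two post-loader stages described above (a burst of failed Active Directory logons from one workstation, followed by a non-system process reading lsass.exe memory) can be correlated in endpoint and domain-controller telemetry. The following Python is an added example and not part of the original analysis; the event records, field names, the 5-failures-in-2-minutes threshold and the allowlist are constructed assumptions to be tuned for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): Windows Security logon
# events (4625 failure / 4624 success, keyed by the reporting workstation) and
# Sysmon ProcessAccess (event 10) records from endpoints. Field names are ours.
EVENTS = [
    {"ts": "2021-06-01T10:00:00", "id": 4625, "user": "administrator", "workstation": "WS25"},
    {"ts": "2021-06-01T10:00:02", "id": 4625, "user": "backup", "workstation": "WS25"},
    {"ts": "2021-06-01T10:00:04", "id": 4625, "user": "svc_sql", "workstation": "WS25"},
    {"ts": "2021-06-01T10:00:05", "id": 4625, "user": "helpdesk", "workstation": "WS25"},
    {"ts": "2021-06-01T10:00:07", "id": 4625, "user": "jsmith", "workstation": "WS25"},
    {"ts": "2021-06-01T10:00:09", "id": 4624, "user": "jsmith", "workstation": "WS25"},
    {"ts": "2021-06-01T10:03:00", "id": 4625, "user": "jsmith", "workstation": "WS01"},
    {"ts": "2021-06-01T10:06:00", "id": 10, "host": "WS25",
     "source_image": "C:\\Users\\Public\\stage1.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2021-06-01T10:06:30", "id": 10, "host": "DC01",
     "source_image": "C:\\Windows\\System32\\svchost.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
]

def password_spray_sources(events, threshold=5, window=timedelta(minutes=2)):
    # Workstations with >= threshold failed logons inside a sliding window,
    # mapped to the number of distinct accounts tried (many accounts from one
    # machine is the Active Directory brute-force pattern described above).
    by_ws = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ws[e["workstation"]].append(e)
    hits = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        start = 0
        for end in range(len(evs)):
            while datetime.fromisoformat(evs[end]["ts"]) - datetime.fromisoformat(evs[start]["ts"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ws] = len({e["user"] for e in evs[start:end + 1]})
                break
    return hits

def lsass_access_hosts(events, allowlist=("C:\\Windows\\System32\\",)):
    # Hosts where a process outside the allowlisted paths opened lsass.exe
    # (Sysmon event 10), the access pattern of memory credential dumping.
    return {e["host"] for e in events if e["id"] == 10
            and e["target_image"].lower().endswith("\\lsass.exe")
            and not e["source_image"].startswith(allowlist)}

def alerts(events):
    # A host seen in both stages is escalated; single-stage hits are reported separately.
    spray, dump = password_spray_sources(events), lsass_access_hosts(events)
    return {"critical": sorted(set(spray) & dump), "bruteforce_only": sorted(set(spray) - dump),
            "lsass_only": sorted(dump - set(spray))}
```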