Saturday, June 22, 2024

A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

According to CrowdStrike analysis from late last week, GRIM SPIDER has specialized in going after big game with Ryuk, targeting large organizations for a high-ransom return. Lately, it has also been using TrickBot and Emotet malware in its attack chain, a pairing that raises questions about GRIM SPIDER's attribution.

GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.

This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell.

The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

The analysis shows that Ryuk is a custom development of an older commodity malware known as Hermes, believed to have been authored by North Korea's Stardust Chollima (a.k.a. APT38, thought to be a revenue-generating offshoot of the well-known Lazarus Group).

Hermes first gained publicity in October 2017 when it was used as part of a sophisticated SWIFT attack against the Far Eastern International Bank (FEIB) in Taiwan.

FireEye tracks this activity as TEMP.MixMaster, a label it applies to any incident it has observed in which Ryuk is installed following a TrickBot infection.

What is the nexus between Emotet, Trickbot, and Ryuk?

Machines infected with Emotet periodically check for modules from a command-and-control (C2) server. These modules are typically DLLs or EXEs that are loaded on the infected system to extend its capabilities.

Additionally, some modules, such as TrickBot, can receive further payloads encoded in a C2 command, which leads to the decoding and execution of an EXE of the actor's choice, such as Ryuk.

Our tracking shows that the actors behind Emotet regularly drop malware executables including TrickBot and IcedID, among others.

The TrickBot and IcedID payloads are observed to be dropped directly via the module loader. The Ryuk ransomware, however, follows a different control-flow path.

Ryuk is seldom, if ever, dropped directly by Emotet. When Ryuk is delivered to a victim, it arrives through a TrickBot infection and other tools, not the original Emotet bot.

Infection method:

According to Check Point and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets such as TrickBot and Emotet.

Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own ability to spread laterally through the network, as well as to launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.

From there, the most common payload we have seen Emotet drop over the last six months has been TrickBot. This malware can steal credentials, move laterally across the network, and spread in other ways.

Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.

At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming the infected network is something the attackers want to ransom.

Network Movements:

  • An obfuscated PowerShell script is executed and connects to a remote IP address.
  • A reverse shell is downloaded and executed on the compromised host.
  • PowerShell anti-logging scripts are executed on the host.
  • Reconnaissance of the network is conducted using standard Windows command-line tools along with tools uploaded by the attackers.
  • Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
  • Service user accounts are created.
  • PowerShell Empire is downloaded and installed as a service.
  • Lateral movement continues until the privileges needed to access a domain controller are obtained.
  • PsExec is used to push the Ryuk binary out to individual hosts.
  • Batch scripts are executed to terminate processes and services and remove backups, followed by the Ryuk binary.
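Several of the steps above leave distinctive traces in standard Windows host telemetry: encoded PowerShell launches, new accounts created with `net user`, services whose image path is a hidden PowerShell command, the PSEXESVC service that PsExec drops on a target, and `vssadmin`/`wbadmin`/`bcdedit` commands that destroy recovery options just before encryption. The following detection example is added here and is not code from the original post or from CrowdStrike or FireEye. It runs illustrative rules over constructed sample events (Security 4688 process creation and System 7045 service install, flattened to one line each) and flags hosts where more than one stage of the chain fires. The host names, the flattened record format and the field names used are assumptions, and the patterns are teaching examples rather than vendor signatures.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): Security 4688 process-creation and
# System 7045 service-install events flattened to "event_id|host|user|key=value|...".
SAMPLE_EVENTS = [
    r"4688|WS01|corp\jdoe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"4688|WS01|corp\jdoe|Image=C:\Windows\System32\net.exe|CommandLine=net user svc_backup P@ssw0rd /add /domain",
    r"7045|DC01|SYSTEM|ServiceName=Updater|ImagePath=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"7045|FS01|SYSTEM|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe",
    r"4688|FS01|corp\admin|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"4688|FS01|corp\admin|Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled No",
    r"4688|WS02|corp\jdoe|Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine=firefox.exe https://example.com",
]

# Each rule: (stage name, event IDs it applies to, field inspected, case-insensitive regex).
# Stage names follow the chain described in the post; the patterns are illustrative only.
RULES = [
    ("encoded_powershell", {"4688"}, "CommandLine",
     r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s"),
    ("account_creation", {"4688"}, "CommandLine",
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("powershell_service", {"7045"}, "ImagePath",
     r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-enc)"),
    ("psexec_service", {"7045"}, "ServiceName", r"^PSEXESVC$"),
    ("backup_destruction", {"4688"}, "CommandLine",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog|"
     r"bcdedit(\.exe)?\b.*recoveryenabled\s+no|wmic(\.exe)?\b.*shadowcopy\s+delete"),
]
COMPILED = [(name, ids, field, re.compile(pattern, re.IGNORECASE))
            for name, ids, field, pattern in RULES]


def parse_event(line):
    """Turn one flattened event line into a dict; key=value pairs keep their case."""
    parts = line.split("|")
    event = {"EventID": parts[0], "Host": parts[1], "User": parts[2]}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def match_stages(event):
    """Return the names of every stage whose rule fires on this single event."""
    hits = []
    for name, ids, field, regex in COMPILED:
        if event["EventID"] in ids and regex.search(event.get(field, "")):
            hits.append(name)
    return hits


def detect(lines):
    """Map each host to the sorted list of distinct stages observed on it."""
    per_host = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for stage in match_stages(event):
            per_host[event["Host"]].add(stage)
    return {host: sorted(stages) for host, stages in per_host.items()}


def hosts_to_escalate(lines, min_stages=2):
    """Hosts where two or more distinct stages fired: treat as a likely pre-ransomware intrusion."""
    return sorted(host for host, stages in detect(lines).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, stages)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

On the sample data WS01 (encoded PowerShell plus account creation) and FS01 (PsExec service plus backup destruction) are escalated, DC01 shows a single stage, and the WS02 browser launch produces no hit. The per-host grouping matters more than any individual rule: an encoded PowerShell command on its own is noisy in many environments, but an encoded PowerShell service install followed by `vssadmin delete shadows` on the same host is the point at which the Ryuk stage is minutes away, so the threshold in `hosts_to_escalate` is what turns these into an actionable alert.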

IOCs and VT reference:

Attribution Still Unclear – CrowdStrike

Still unsure: a North Korean APT, or crimeware, the "Annoying Persistent Threat"?

“Currently, we do not have definitive evidence that the entirety of MixMaster activity, from TrickBot distribution and operation to Ryuk deployment, is being conducted by a common operator or group,” the analysts said. “The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provides the malware to a limited number of cyber-criminal actors to use in operations.”

They added, “It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party.”

