Cybereason researchers discovered a malware campaign in which attackers combined the Emotet and TrickBot banking Trojans to deliver the Ryuk ransomware.
The malware campaign, dubbed “triple threat,” also uses TrickBot to perform lateral movement and employs detection evasion methods, like attempts to disable Windows Defender, Cybereason’s active monitoring and hunting teams found.
According to researchers, the campaign is targeting companies in both Europe and the U.S.
“The most interesting thing about this campaign is how it combined Emotet, TrickBot and Ryuk together,” said Lior Rochberger, security analyst at Cybereason. “Emotet is very common. But the way attackers abused this and took advantage of this malware in order to deliver another malware and, in the end, deliver the [Ryuk] ransomware to maximize the damage is something that is very unique.”
The first phase of the malware campaign begins with a phishing email, in which a weaponized Microsoft Office document containing malicious macro-based code is delivered to the user. Once the user opens the document, the malicious file runs and executes a PowerShell command.
The PowerShell command then attempts to download the Emotet payload from different malicious domains.
Once the Emotet payload executes, it continues infecting and gathering information on the affected machine, Cybereason researchers explained in a blog post.
In the second phase of the attack, it initiates the download and execution of the TrickBot Trojan by communicating a remote host. Once TrickBot infects the machine, it begins to steal sensitive information, like administrator credentials.
It is TrickBot’s modular structure, researchers said, that allows it to add new functionalities outside of collecting banking data, such as collecting passwords and evading detection.
TrickBot’s modules are injected into legitimate processes in order to evade detection. Its modules include spreader_x64.dll, which spreads TrickBot by exploiting EternalBlue, which takes advantage of a flaw in Windows’ Server Message Block (SMB) protocol.
Upon execution, TrickBot also tries to disable and delete Windows Defender to evade detection by antimalware products, researchers found.
In the final phase of the attack, the attackers check to see if the target machine is part of an industry they want to target. If it is, they download the Ryuk ransomware payload and use the admin credentials stolen using TrickBot to perform lateral movement and reach the assets they wish to infect, researchers said.
Lior RochbergerSecurity analyst at Cybereason
“After the phase of the lateral movement, the reconnaissance activity, the credential theft and information stealing, then it basically delivers the Ryuk ransomware, which encrypts the files,” Rochberger said. “Ryuk injects the malicious payload into legitimate processes, and then it encrypts and ransoms the files. TrickBot also uses this technique to inject its malicious modules — DLLs [dynamic link libraries] — into legitimate processes. Due to this technique, normal and old-fashioned antivirus that is signature-based is not effective.”
But Rochberger said she believes this malware campaign doesn’t necessarily mean cybercriminal groups are joining forces to carry out attacks.
“We do see that different cybercriminal groups are using the same techniques or the same tools as other groups are using,” she said. “For example, the Ryuk itself was used by the Lazarus Group, but it doesn’t necessarily mean that this campaign was by the Lazarus Group. We know that the Ryuk code was on sale on the internet, so other threat actors may have used this code, as well, for their malicious activity.”
But given that the attackers are using malware like Emotet to spread the attack as an initial infection, Rochberger advised companies to be aware of how threat actors can take advantage of existing malware for new attacks and campaigns.
Researchers advised companies to employ threat hunting for detecting such malware campaigns and also be up to date with implementing patches, especially for the Windows SMB v1 vulnerability, to prevent the propagation of TrickBot and other malware.