#1243086: A Nasty Trick: From Credential Theft Malware to Business Disruption
FireEye is tracking a set of financially-motivated activity referred to as TEMP.MixMaster that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and have proven to be highly successful at soliciting large ransom payments from victim organizations. In multiple incidents, rather than relying solely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral movement within victim environments. Interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom. These operations have reportedly netted about $3.7 million in current BTC value.
Notably, while there have been numerous reports attributing Ryuk malware to North Korea, FireEye has not found evidence of this during our investigations. This narrative appears to be driven by code similarities between Ryuk and Hermes, a ransomware that has been used by APT38. However, these code similarities are insufficient to conclude North Korea is behind Ryuk attacks, as the Hermes ransomware kit was also advertised for sale in the underground community at one time.
It is important to note that TEMP.MixMaster is solely a reference to incidents where we have seen Ryuk deployed following TrickBot infections and that not all TrickBot infections will lead to the deployment of Ryuk ransomware. The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations. This is partially evident through its use of “gtags” that appear to be unique campaign identifiers used to identify specific TrickBot users. In recent incidents investigated by our Mandiant incident response teams, there has been consistency across the gtags appearing in the configuration files of TrickBot samples collected from different victim networks where Ryuk was also deployed. The uniformity of the gtags observed across these incidents appears to be due to instances of TrickBot being propagated via the malware’s worming module configured to use these gtag values.
Currently, we do not have definitive evidence that the entirety of TEMP.MixMaster activity, from TrickBot distribution and operation to Ryuk deployment, is being conducted by a common operator or group. It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party. The intrusion operations deploying Ryuk have also been called GRIM SPIDER.
TrickBot Infection Leading to Ryuk Deployment
The following are a summary of tactics observed across incident response investigations where the use of TrickBot preceded distribution of Ryuk ransomware. Of note, due to the interactive nature of Ryuk deployment, the TTPs leading to its execution can vary across incidents. Furthermore, in at least one case artifacts related to the execution of TrickBot were collected but there was insufficient evidence to clearly tie observed Ryuk activity to the use of TrickBot.
The initial infection vector was not confirmed in all incidents; in one case, Mandiant identified that the attackers leveraged a payroll-themed phishing email with an XLS attachment to deliver TrickBot malware (Figure 1). The campaign is documented on this security site. Data from FireEye technologies shows that this campaign was widely distributed primarily to organizations in the United States, and across diverse industries including government, financial services, manufacturing, service providers, and high-tech.
Once a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot malware from a remote server. Data obtained from FireEye technologies suggests that although different documents may have been distributed by this particular malicious spam run, the URLs from which the documents attempted to retrieve a secondary payload did not vary across attachments or recipients, despite the campaign’s broad distribution both geographically and across industry verticals. Note that the domain "deloitte-inv[.]com" is not a legitimate Deloitte domain, and does not indicate any compromise of Deloitte.
Persistence and Lateral Movement
When executed, TrickBot created scheduled tasks on compromised systems to execute itself and ensure persistence following system reboot. These instances of TrickBot were configured to use their network propagation modules (sharedll and tabdll) that rely on SMB and harvested credentials to propagate to additional systems in the network. The number of systems to which TrickBot was propagated varied across intrusions from fewer than ten to many hundreds.
Dwell Time and Post-Exploitation Activity
After a foothold was established by the actors controlling TrickBot, a period of inactivity sometimes followed. Dwell time between TrickBot installation and Ryuk distribution varied across intrusions, but in at least one case may have been as long as a full year. Despite this long dwell time, the earliest reports of Ryuk malware only date back to August 2018. It is likely that actors controlling Trickbot instances used to maintain access to victim environments prior to the known availability of Ryuk were monetizing this access in different ways. Further, due to the suspected human-driven component to these intrusion operations, we would expect to commonly see a delay between initial infection and Ryuk deployment or other post-exploitation activity, particularly in cases where the same initial infection vector was used to compromise multiple organizations simultaneously.
Once activity restarted, the actors moved to interactive intrusion by deploying Empire and/or leveraging RDP connections tunneled through reverse-shells instead of relying on the built-in capabilities of TrickBot to interact with the victim network. In multiple intrusions TrickBot's reverse-shell module (NewBCtestDll) was used to execute obfuscated PowerShell scripts which ultimately downloaded and launched an Empire backdoor.
Variations in Ryuk Deployment Across Engagements
Post exploitation activity associated with each Ryuk incident has varied in historical and ongoing Mandiant incident response engagements. Given that collected evidence suggests Ryuk deployment is managed via human-interactive post-exploitation, variation and evolution in methodology, tools, and approach over time and across intrusions is expected.
The following high-level steps appear common across most incidents into which we have insight:
Actors produce a list of targets systems and save it to one or multiple .txt files.
Actors move a copy of PsExec, an instance of Ryuk, and one or more batch scripts to one or more domain controllers or other high privilege systems within the victim environment.
Actors run batch scripts to copy a Ryuk sample to each host contained in .txt files and ultimately execute them.
Some of the notable ways Ryuk deployment has varied include:
In one case, there was evidence suggesting that actors enumerated hosts on the victim network to identify targets for encryption with Ryuk, but in multiple other cases these lists were manually copied to the server that was then used for Ryuk distribution without clear evidence available for how they were produced.
There have been multiple cases where TrickBot was deployed broadly across victim environments rather than being used to maintain a foothold on a small number of hosts.
We have not identified evidence that Empire was used by the attackers in all cases and sometimes Empire was used to access the victim environment only after Ryuk encryption had started.
In one case, the attackers used a variant of Ryuk with slightly different capabilities accompanied by a standalone .bat script containing most of the same taskkill, net, and sc commands normally used by Ryuk to terminate processes and stop services related to anti-virus, backup, and database software.
Example of Ryuk Deployment – Q3 2018
Using previously stolen credentials the attacker logged into a domain controller and copied tools into the %TEMP% directory. Copied tools included AdFind.exe (Active Directory enumeration utility), a batch script (Figure 2), and a copy of the 7-Zip archive utility.
Downloaded utilities were copied to C:\Windows\SysWOW64\.
The attacker performed host and network reconnaissance using built-in Windows commands.
AdFind.exe was executed using the previously noted batch script, which was crafted to pass the utility a series of commands that were used to collect information about Active Directory users, systems, OUs, subnets, groups, and trust objects. The output from each command was saved to an individual text file alongside the AdFind.exe utility (Figure 2).
This process was performed twice on the same domain controller, 10 hours apart. Between executions of Adfind the attacker tested access to multiple domain controllers in the victim environment, including the one later used to deploy Ryuk.
The attacker logged into a domain controller and copied instances of PSExec.exe, a batch script used to kill processes and stop services, and an instance of Ryuk onto the system.
Using PsExec the attacker copied the process/service killing batch script to the %TEMP% folder on hundreds of computers across the victim environment, from which it was then executed.
|Date added||Jan. 11, 2019, 6:06 a.m.|