FireEye is tracking a set of financially-motivated activity referred
to as TEMP.MixMaster that involves the interactive deployment of Ryuk
ransomware following TrickBot malware infections. These operations
have been active since at least December 2017, with a notable uptick
in the latter half of 2018, and have proven to be highly successful at
soliciting large ransom payments from victim organizations. In
multiple incidents, rather than relying solely on built-in TrickBot
capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable
lateral movement within victim environments. Interactive deployment of
ransomware, such as this, allows an attacker to perform valuable
reconnaissance within the victim network and identify critical systems
to maximize their disruption to business operations
(https://www.zdnet.com/article/ransomware-suspected-in-cyberattack-that-crippled-major-us-newspapers/),
ultimately increasing the likelihood an organization will pay the
demanded ransom. These operations have reportedly netted about $3.7
million in current BTC value
(https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/).
Notably, while there have been numerous reports attributing Ryuk
malware to North Korea, FireEye has not found evidence of this during
our investigations. This narrative appears to be driven by code
similarities between Ryuk and Hermes
(https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/), a ransomware that has been
used by APT38. However, these code similarities are insufficient to
conclude North Korea is behind Ryuk attacks, as the Hermes ransomware
kit was also advertised for sale in the underground community at one time.
It is important to note that TEMP.MixMaster is solely a reference to
incidents where we have seen Ryuk deployed following TrickBot
infections and that not all TrickBot infections will lead to the
deployment of Ryuk ransomware. The TrickBot administrator group, which
is suspected to be based in Eastern Europe, most likely provides the
malware to a limited number of cyber criminal actors to use in
operations. This is partially evident through its use of “gtags” that
appear to be unique campaign identifiers used to identify specific
TrickBot users. In recent incidents investigated by our Mandiant
incident response teams, there has been consistency across the gtags
appearing in the configuration files of TrickBot samples collected
from different victim networks where Ryuk was also deployed. The
uniformity of the gtags observed across these incidents appears to be
due to instances of TrickBot being propagated via the malware’s
worming module configured to use these gtag values.
Currently, we do not have definitive evidence that the entirety of
TEMP.MixMaster activity, from TrickBot distribution and operation to
Ryuk deployment, is being conducted by a common operator or group. It
is also plausible that Ryuk malware is available to multiple eCrime
actors who are also using TrickBot malware, or that at least one
TrickBot user is selling access to environments they have compromised
to a third party. The intrusion operations deploying Ryuk have also
been called GRIM SPIDER
(https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/).
The following is a summary of tactics observed across incident
response investigations where the use of TrickBot preceded
distribution of Ryuk ransomware. Of note, due to the interactive
nature of Ryuk deployment, the TTPs leading to its execution can vary
across incidents. Furthermore, in at least one case, artifacts related
to the execution of TrickBot were collected but there was insufficient
evidence to clearly tie observed Ryuk activity to the use of TrickBot.
The initial infection vector was not confirmed in all incidents; in
one case, Mandiant identified that the attackers leveraged a
payroll-themed phishing email with an XLS attachment to deliver
TrickBot malware (Figure 1). The campaign is documented at
https://myonlinesecurity.co.uk/fake-deloitte-fw-payroll-schedule-delivers-trickbot/. Data from FireEye
technologies shows that this campaign was widely distributed primarily
to organizations in the United States, and across diverse industries
including government, financial services, manufacturing, service
providers, and high-tech.
Once a victim opened the attachment and enabled macros, it
downloaded and executed an instance of the TrickBot malware from a
remote server. Data obtained from FireEye technologies suggests that
although different documents may have been distributed by this
particular malicious spam run, the URLs from which the documents
attempted to retrieve a secondary payload did not vary across
attachments or recipients, despite the campaign’s broad distribution
both geographically and across industry verticals. Note that the
domain "deloitte-inv[.]com" is not a legitimate Deloitte
domain, and does not indicate any compromise of Deloitte.
Figure 1: Email from a phishing campaign that
downloaded TrickBot, which eventually led to Ryuk (screenshot not
reproduced; recoverable header text: "From: Adam Bush", "Pay run")
When executed, TrickBot created scheduled tasks on compromised
systems to execute itself and ensure persistence following system
reboot. These instances of TrickBot were configured to use their
network propagation modules (sharedll and tabdll) that rely on SMB and
harvested credentials to propagate to additional systems in the
network. The number of systems to which TrickBot was propagated varied
across intrusions from fewer than ten to many hundreds.
After a foothold was established by the actors controlling TrickBot,
a period of inactivity sometimes followed. Dwell time between TrickBot
installation and Ryuk distribution varied across intrusions, but in at
least one case may have been as long as a full year. Despite this long
dwell time, the earliest reports of Ryuk malware only date back to
August 2018. It is likely that actors controlling TrickBot instances
used to maintain access to victim environments prior to the known
availability of Ryuk were monetizing this access in different ways.
Further, due to the suspected human-driven component to these
intrusion operations, we would expect to commonly see a delay between
initial infection and Ryuk deployment or other post-exploitation
activity, particularly in cases where the same initial infection
vector was used to compromise multiple organizations simultaneously.
Once activity restarted, the actors moved to interactive intrusion
by deploying Empire and/or leveraging RDP connections tunneled through
reverse-shells instead of relying on the built-in capabilities of
TrickBot to interact with the victim network. In multiple intrusions
TrickBot's reverse-shell module (NewBCtestDll) was used to execute
obfuscated PowerShell scripts which ultimately downloaded and launched
an Empire backdoor.
Post-exploitation activity associated with each Ryuk incident has
varied in historical and ongoing Mandiant incident response
engagements. Given that collected evidence suggests Ryuk deployment is
managed via human-interactive post-exploitation, variation and
evolution in methodology, tools, and approach over time and across
intrusions is expected.
The following high-level steps appear common across most incidents
into which we have insight:
Some of the notable ways Ryuk deployment has varied include:
adfind.exe -f (objectcategory=person) > <output file>
adfind.exe -f <filter not shown on this page>
adfind.exe -f (objectcategory=organizationalUnit) > <output file>
adfind.exe -subnets -f <filter not shown on this page>
adfind.exe -f "(objectcategory=group)" > <output file>
adfind.exe -gcb -sc trustdmp > <output file>
Figure 2: Batch script that uses the adfind.exe tool
to enumerate Active Directory objects (<...> marks a value not shown on this page)
start PsExec.exe <arguments not shown on this page>
Figure 3: Line from the batch file used to copy
Ryuk executable to each system
start PsExec.exe -d <arguments not shown on this page>
Figure 4: Line from the batch file used to
execute Ryuk on each system
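As an added detection illustration (not code from the FireEye post), the following Python flags the enumerate-then-deploy pattern of Figures 2 to 4 in process-creation telemetry: broad adfind.exe enumeration of several AD object classes from one host, escalated when a detached PsExec launch (-d) follows from the same host. The event field names, the threshold and the sample events are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (assumed shape: host, parent
# image, image, command line); not telemetry from any real incident.
EVENTS = [
    {"host": "dc01", "parent": "cmd.exe", "image": "adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=person) > ad_users.txt"},
    {"host": "dc01", "parent": "cmd.exe", "image": "adfind.exe",
     "cmdline": 'adfind.exe -f "(objectcategory=group)" > ad_group.txt'},
    {"host": "dc01", "parent": "cmd.exe", "image": "adfind.exe",
     "cmdline": "adfind.exe -gcb -sc trustdmp > trustdmp.txt"},
    {"host": "dc01", "parent": "cmd.exe", "image": "PsExec.exe",
     "cmdline": "PsExec.exe -d \\\\WS-17 C:\\Windows\\Temp\\payload.exe"},
    # A single lookup by an administrator should not trip the rule.
    {"host": "admin-pc", "parent": "explorer.exe", "image": "adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=person) -dn"},
]

def adfind_classes(cmdline):
    """Return the AD object classes one adfind command line enumerates."""
    classes = {m.lower() for m in re.findall(r"objectcategory=(\w+)", cmdline, re.I)}
    if re.search(r"-sc\s+trustdmp", cmdline, re.I):  # trust dump, as in Figure 2
        classes.add("trustdmp")
    return classes

def summarize(events):
    """Per host: object classes enumerated via adfind, and whether PsExec -d ran."""
    hosts = defaultdict(lambda: {"classes": set(), "psexec_d": False})
    for ev in events:
        image = ev["image"].lower()
        if image == "adfind.exe":
            hosts[ev["host"]]["classes"] |= adfind_classes(ev["cmdline"])
        elif image == "psexec.exe" and re.search(r"(^|\s)-d(\s|$)", ev["cmdline"]):
            hosts[ev["host"]]["psexec_d"] = True
    return hosts

def alerts(events, min_classes=3):
    """MEDIUM when >= min_classes AD object classes were dumped from one host
    (broad enumeration, not a single lookup); HIGH if PsExec -d also ran there."""
    result = {}
    for host, s in summarize(events).items():
        if len(s["classes"]) >= min_classes:
            result[host] = "HIGH" if s["psexec_d"] else "MEDIUM"
    return result

print(alerts(EVENTS))  # {'dc01': 'HIGH'}
```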
Each individual TrickBot sample beacons to its Command & Control
(C2) infrastructure with a statically defined “gtag” that is believed
to act as an identifier for distinct TrickBot customers. There has
been significant uniformity in the gtags associated with TrickBot
samples collected from the networks of victim organizations.
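The gtag and propagation-module observations above (here and in the earlier discussion of worming), as an added Python example that is not code from the post: given decrypted TrickBot configurations in the XML layout public analyses describe for the malware (ver, gtag, servs, autorun; this layout is an assumption), it clusters samples from different victims by gtag and reports which ones enable the SMB propagation modules the post names (sharedll, tabdll). The sample configurations, gtag values, host labels and IP addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Modules the post associates with SMB-based worming between systems.
PROPAGATION_MODULES = {"sharedll", "tabdll"}

# Constructed decrypted configurations keyed by "victim-host", in the
# <mcconf> XML shape described in public TrickBot analyses (an assumption).
# Tags, IPs (TEST-NET ranges) and hosts are made up for this example.
SAMPLE_CONFIGS = {
    "victimA-ws01": """<mcconf><ver>1000256</ver><gtag>ex0918</gtag>
        <servs><srv>203.0.113.10:443</srv><srv>198.51.100.7:449</srv></servs>
        <autorun><module name="systeminfo" ctl="GetSystemInfo"/>
        <module name="injectDll"/><module name="sharedll"/></autorun></mcconf>""",
    "victimB-srv07": """<mcconf><ver>1000256</ver><gtag>ex0918</gtag>
        <servs><srv>203.0.113.10:443</srv></servs>
        <autorun><module name="systeminfo" ctl="GetSystemInfo"/>
        <module name="tabDll"/></autorun></mcconf>""",
    "victimC-ws12": """<mcconf><ver>1000249</ver><gtag>ex0002</gtag>
        <servs><srv>192.0.2.55:443</srv></servs>
        <autorun><module name="systeminfo" ctl="GetSystemInfo"/>
        <module name="injectDll"/></autorun></mcconf>""",
}

def parse_config(xml_text):
    """Extract version, gtag, C2 list and enabled module names from one config."""
    root = ET.fromstring(xml_text)
    return {
        "ver": root.findtext("ver"),
        "gtag": root.findtext("gtag"),
        "c2": [srv.text for srv in root.iter("srv")],
        "modules": {m.get("name", "").lower() for m in root.iter("module")},
    }

def gtag_clusters(configs):
    """gtag -> sorted sample labels. One gtag spanning several victims points to
    one TrickBot customer (or worming that copied the tag), not many buyers."""
    clusters = defaultdict(list)
    for label, xml_text in configs.items():
        clusters[parse_config(xml_text)["gtag"]].append(label)
    return {g: sorted(labels) for g, labels in clusters.items()}

def worming_samples(configs):
    """Labels of samples whose autorun enables a propagation module."""
    return sorted(label for label, xml_text in configs.items()
                  if parse_config(xml_text)["modules"] & PROPAGATION_MODULES)

print(gtag_clusters(SAMPLE_CONFIGS), worming_samples(SAMPLE_CONFIGS))
```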
Throughout 2018, FireEye observed an increasing number of cases
where ransomware was deployed after the attackers gained access to the
victim organization through other methods, allowing them to traverse
the network to identify critical systems and inflict maximum damage.
SamSam operations
(https://www.wired.com/story/doj-indicts-hackers-samsam-ransomware/),
which date back to late 2015, were arguably the first to popularize
this methodology, and TEMP.MixMaster is an example of its growing
popularity with threat actors. FireEye Intelligence expects that these
operations will continue to gain traction throughout 2019 due to the
success these intrusion operators have had in extorting large sums
from victim organizations.
It is also worth highlighting TEMP.MixMaster’s reliance on TrickBot
malware, which is more widely distributed, to gain access to victim
organizations. Following indiscriminate campaigns, threat actors can
profile victims to identify systems and users of interest and
subsequently determine potential monetization strategies to maximize
their revenue. Various malware families have incorporated capabilities
that can aid in the discovery of high-value targets, underscoring the
necessity for organizations to prioritize proper remediation of all
threats, not only those that initially appear to be targeted.
The authors would like to thank Brice Daniels, Edward Li, Eric
Montellese, Sandor Nemes, Eric Scales, Brandan Schondorfer, Martin
Tremblay, Isif Ibrahima, Phillip Kealy and Steve Rasch for their
contributions to this blog post.