Alert (AA20-302A)
This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection.
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
Key Findings
- CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Technical Details
Threat Details
The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.
TrickBot
What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.
In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.
anchor_dns is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string anchor_dns can be found in the DNS request traffic.
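The decryption check described above can be run over DNS query names taken from resolver logs. This is an added example, not code from the advisory: the hex-in-labels encoding, the function names, and the sample query names are assumptions constructed for illustration, and trying all 256 keys goes beyond the single observed key 0xB9.

```python
import binascii

MARKER = b"anchor_dns"  # string the advisory says is visible after decryption
OBSERVED_KEY = 0xB9     # XOR key the advisory reports as observed


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key is a no-op."""
    return bytes(b ^ key for b in data)


def candidate_payloads(qname: str):
    """Yield byte strings that might hold XORed data inside a query name.

    Assumption (not from the advisory): data is carried in the leading
    labels, either as raw bytes or as hex text.
    """
    yield qname.encode("latin-1", errors="ignore")
    labels = qname.rstrip(".").split(".")
    for end in range(len(labels), 0, -1):  # longest label run first
        blob = "".join(labels[:end])
        if len(blob) % 2:
            continue
        try:
            yield binascii.unhexlify(blob)
        except ValueError:  # non-hex characters in this run of labels
            continue


def find_marker(qname: str, keys=(OBSERVED_KEY,)):
    """Return the XOR key that reveals MARKER in qname, or None."""
    for payload in candidate_payloads(qname):
        for key in keys:
            if MARKER in xor_bytes(payload, key):
                return key
    return None


def build_sample(key: int) -> str:
    """Constructed test input: hex of an XORed string under a placeholder zone."""
    enc = xor_bytes(b"constructed:anchor_dns:LAB01", key).hex()
    return f"{enc[:30]}.{enc[30:]}.c2.example"


if __name__ == "__main__":
    for name in (build_sample(0xB9), build_sample(0x5A), "www.example.com"):
        print(name, "->", find_marker(name, keys=range(256)))
```

A hit is a lead for triage rather than a verdict; confirm it against the host indicators listed in this advisory.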
TrickBot Indicators of Compromise
After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g., mfjdieks.exe) and places this file in one of the following directories.
- C:\Windows\
- C:\Windows\SysWOW64\
- C:\Users\[Username]\AppData\Roaming\
Once the executable is running and has established communication with C2s, it places the appropriate modules downloaded from C2s for the infected processor architecture type (32- or 64-bit instruction set) in the infected host’s %APPDATA% or %PROGRAMDATA% directory, such as %AppData\Roaming\winapp. Some commonly named plugins that are created in a Modules subdirectory are listed below (the detected architecture is appended to the module filename, e.g., importDll32 or importDll64):
- Systeminfo
- importDll
- outlookDll
- injectDll with a directory (ex. injectDLL64_configs) containing configuration files:
  - dinj
  - sinj
  - dpost
- mailsearcher with a directory (ex. mailsearcher64_configs) containing configuration file:
  - mailconf
- networkDll with a directory (ex. networkDll64_configs) containing configuration file:
  - dpost
- wormDll
- tabDll
- shareDll
A file named client_id, data, or FAQ with the assigned bot ID of the compromised system is created in the malware directory. A file named group_tag or Readme.md containing the TrickBot campaign IDs is created in the malware directory.
The malware may also drop a file named anchorDiag.txt in one of the directories listed above.