Attack Campaign Using Emotet and TrickBot to Deliver Ryuk Ransomware


An attack campaign is using both the Emotet and TrickBot trojan families to infect unsuspecting users with Ryuk ransomware.

Cybereason’s research team observed that the campaign begins when a user receives a phishing email that comes with a weaponized Microsoft Office document as an attachment. When the user opens the document, the file asks them to enable macros. Their compliance causes the document to execute a PowerShell command that attempts to download Emotet from a malicious domain.

Some Background Info on Emotet

Active since at least 2014, the Emotet trojan is known for targeting users’ banking credentials. But its authors have outfitted Emotet with new techniques over the past few years. Those tactics have included leveraging embedded macros inside XML files disguised as Word documents to increase the likelihood of an infection, as noted by Bleeping Computer, and optimizing their spam campaigns by checking if infected IPs that receive the malicious email are already blacklisted on a spam list, as observed by Cisco Talos.

There have been even more dramatic changes, as well. Perhaps the most significant is how Emotet has acquired the ability to load additional malware, as documented in an extensive report written by Trend Micro. This same functionality informed the decision of the Cybersecurity and Infrastructure Security Agency (CISA) to label Emotet as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Back to the Attack…

It’s therefore no wonder that Emotet behaves as a dropper in the campaign observed by Cybereason. As its researchers explain in a blog post:

When the Emotet payload executes, it looks to continue its malicious activity by further infecting and gathering information on the affected machine. It initiates the download and execution of the TrickBot trojan by communicating with and downloading from a pre-configured and remote malicious host. 

The successful installation of TrickBot marks the second phase of this sophisticated attack campaign. Once it executes on an infected machine, TrickBot creates a scheduled task and a service to achieve persistence. It then reflectively injects its malicious modules into legitimate processes such as svchost so as to avoid detection. One of these modules, module.dll, is capable of stealing data like cookies and URL hits from browsers. Another of its components, vncsrv.dll, enables the malware to actively view and control the victim’s desktop without them noticing.

For the purposes of this campaign, one of TrickBot’s most important modules is systemInfo.dll. The trojan uses this unit to collect information about the machine which its attackers can use to determine whether the computer is active in an industry of interest to them. If it is, the attackers install an additional payload and use it to move laterally within the network to assets of interest. They then leverage ping.exe and mstsc.exe (RDP) to test the connection; if the test goes well, they start to spread Ryuk ransomware throughout the network.
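The three stages the article describes leave a process-creation trail that a defender can correlate per host: an Office application launching a PowerShell downloader (the macro stage), a scheduled task or service being created by a binary running from a user-writable path (TrickBot's persistence), and ping.exe or mstsc.exe appearing afterwards (the connection tests before Ryuk is spread). The script below is an added example written for this page; it is not code from Cybereason, Zix or the article. The telemetry records are constructed, the field names (host, time, parent, image, cmdline) are an assumed flattening of Sysmon Event ID 1's ParentImage, Image and CommandLine, and the download markers and path heuristics are assumptions a real deployment would tune.

```python
"""Correlate the Emotet -> TrickBot -> Ryuk process chain in process-creation
telemetry. Added example, not Cybereason's, Zix's or the article's code;
record fields and heuristics are assumptions, and EVENTS is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "-encodedcommand", "-enc ")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")
LATERAL_TOOLS = {"ping.exe", "mstsc.exe"}

# Constructed telemetry: ws01 shows the full chain, ws02 shows an admin doing
# look-alike work (schtasks and ping from a console) that must not alert.
EVENTS = [
    {"host": "ws01", "time": "2019-04-02T09:01:10",
     "parent": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws01", "time": "2019-04-02T09:03:45",
     "parent": "C:\\Users\\jdoe\\AppData\\Roaming\\svhost32\\setup.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \"Drivers update\" /tr "
                "C:\\Users\\jdoe\\AppData\\Roaming\\svhost32\\setup.exe /sc minute /mo 10"},
    {"host": "ws01", "time": "2019-04-02T09:40:02",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 1 fileserver01"},
    {"host": "ws01", "time": "2019-04-02T09:41:30",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\mstsc.exe", "cmdline": "mstsc /v:fileserver01"},
    {"host": "ws02", "time": "2019-04-02T10:15:00",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws02", "time": "2019-04-02T10:16:12",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /tr C:\\Tools\\backup.cmd /sc daily"},
    {"host": "ws02", "time": "2019-04-02T10:17:00",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping fileserver01"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def office_spawns_powershell(ev):
    """Stage 1: a macro-enabled Office document launching a PowerShell downloader."""
    return (basename(ev["parent"]) in OFFICE_APPS
            and basename(ev["image"]) == "powershell.exe"
            and any(m in ev["cmdline"].lower() for m in DOWNLOAD_MARKERS))


def persistence_from_user_path(ev):
    """Stage 2: task or service created by a binary living in a user-writable path."""
    img, cmd = basename(ev["image"]), ev["cmdline"].lower()
    creates = ((img == "schtasks.exe" and "/create" in cmd)
               or (img == "sc.exe" and " create " in cmd))
    return creates and under_user_writable(ev["parent"])


def is_lateral_tool(ev):
    """Stage 3: the ping.exe / mstsc.exe connection tests that precede Ryuk."""
    return basename(ev["image"]) in LATERAL_TOOLS


STAGES = (("office_powershell_download", office_spawns_powershell),
          ("persistence_from_user_path", persistence_from_user_path),
          ("lateral_connection_test", is_lateral_tool))


def correlate(events, window=timedelta(hours=2)):
    """Map host -> stage names reached, in order, within `window` of the first hit.
    A stage only counts once every earlier stage has fired on that host, so an
    admin's console ping never registers as stage 3 on its own."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        reached, first_hit = [], None
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            if first_hit and t - first_hit > window:
                break
            nxt = len(reached)
            if nxt < len(STAGES) and STAGES[nxt][1](ev):
                reached.append(STAGES[nxt][0])
                first_hit = first_hit or t
        if reached:
            findings[host] = reached
    return findings


def hosts_with_full_chain(events):
    return sorted(h for h, s in correlate(events).items() if len(s) == len(STAGES))


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, "->", " / ".join(stages))
    print("full chain:", hosts_with_full_chain(EVENTS))
```

In practice each stage is also worth alerting on by itself (stage 1 in particular is a high-confidence signal on any host), with the correlated chain raised at a higher severity; the sequential model here is what keeps the benign ws02 activity quiet.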

Emotet Everywhere

Cybereason isn’t the only security firm that’s recently spotted a surge of Emotet infections. Between 11 March and 15 March, Zix observed four Emotet attack waves using malicious .doc files, fake UPS invoices, fake personalized invoices and malicious PDFs to lure in users. The attackers likely thought they could evade detection by using these different delivery models.

But they were wrong. Despite the attackers’ best efforts, ZixProtect blocked all of the samples by filtering out the emails based on their phrases, IPs and patterns. Some of these filters date back as far as November 2017.

Email security is no joke when campaigns such as the one described above are targeting important business assets. That’s why organizations should go with a sophisticated email security solution that analyzes emails on multiple levels while allowing legitimate correspondence to make its way through.
