Author: Jeremy Ware and Darby Wise<\/p>\n
TLP:WHITE<\/p>\n
On 28 October, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) published a joint advisory on threat actors targeting the Healthcare and Public Health (HPH) sector.1<\/sup> This report details the threat actors\u2019 use of Trickbot and BazarLoader malware to distribute ransomware, steal sensitive data, and attempt to interfere with healthcare services.<\/p>\n BazarLoader and Trickbot are two malware loaders that threat actors tend to distribute via phishing campaigns. In these attacks targeting U.S. hospitals and healthcare providers, threat actors used these loaders to distribute follow-on malware including Ryuk and Conti ransomware.<\/p>\n The report also details a new malware tool from the Trickbot developers called anchor_dns. This tool is a part of Anchor, a Trickbot module first observed in 2019, when it was used against large corporations and other high-profile organizations. Threat actors use anchor_dns to send and receive sensitive data from the victim\u2019s machine via Domain Name System (DNS) tunneling.<\/p>\n The joint report included a list of indicators of compromise (IOCs) associated with Trickbot, anchor_dns and BazarLoader, many of which Infoblox has incorporated into its security products since April of this year. We included the full list of indicators at the end of this report, along with additional IOCs we were able to find in our own research.<\/p>\n Trickbot is a banking trojan that was first discovered in 2016. Threat actors primarily distribute it through malspam campaigns, or as a secondary payload to other malware such as Emotet. Since its initial discovery, Trickbot has evolved to include a full suite of tools to harvest credentials, deploy cryptominers or ransomware, and exfiltrate a multitude of data types. For a detailed analysis of Trickbot\u2019s attack chain, see the joint advisory or one of Infoblox\u2019s previous reports on this malware.2,3<\/sup><\/p>\n Anchor_dns is a backdoor tool created by the Trickbot developers as part of the toolset module named Anchor.4<\/sup> With anchor_dns, threat actors communicate between the victim’s machine and the command and control (C&C) servers via DNS tunneling to mimic legitimate traffic and thereby evade detection. Anchor_dns is also known to use an \u2018exclusive or\u2019 (XOR) cipher for encryption with the key 0xB9.<\/em><\/p>\n BazarLoader and BazarBackdoor are believed to have been created by the threat actors behind Trickbot and were first observed in early 2020. They work together to infect the victim\u2019s machine, communicate with the C&Cs, and according to the alert have become increasingly popular means of deploying ransomware. In the attack against the HPH sector, they downloaded Ryuk and Conti ransomware.<\/p>\n Threat actors have distributed BazarLoader two ways: first, via phishing emails that carry malicious attachments; second, via links directing users to malicious DOC or PDF file on a legitimate document hosting site such as Google Drive.5<\/sup> Once the user downloads the file, BazarLoader drops the payload for BazarBackdoor, which the threat actor then uses to exploit the host machine and network.<\/p>\n Threat actors often distribute Ryuk ransomware as a follow-on payload from banking trojans such as Trickbot or Emotet. Ryuk is a derivative of Hermes,6<\/sup> a ransomware variant that injects malicious dynamic-link library (DLL) files into the memory of the victim\u2019s machine, and then spreads laterally across a victim\u2019s network. Once the Ryuk payload is dropped, it uses Advanced Encryption Standard (AES)-256 keys to encrypt the victim\u2019s files. The ransomware then drops a RyukReadMe<\/em> file on the victim\u2019s machine instructing them to contact a provided Protonmail-encrypted email address for further instructions on the ransom amount and specific Bitcoin wallet to which the victim must submit their payment. Infoblox has previously written on Ryuk, providing an in-depth analysis on its distribution, attack chain, etc. For a more detailed attack chain, refer to the joint advisory or our previous report on Ryuk.7<\/sup><\/p>\n CISA, FBI and HHS provide a set of recommendations to prevent or mitigate the effects of these kinds of cyberattacks. We include some below but a more extensive list, including preventative measures against specific ransomware, can be found in the joint report.<\/p>\n Network best practices:<\/p>\n Ransomware mitigation best practices:<\/p>\n2.\u00a0 Analysis<\/h3>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.1.\u00a0 Trickbot and Anchor_dns<\/h4>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.2.\u00a0 BazarLoader and BazarBackdoor<\/h4>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.3.\u00a0 Ryuk Ransomware<\/h4>\n
3.\u00a0 Prevention and Mitigation<\/h3>\n
\n
\n
4.\u00a0 Indicators of Compromise<\/h3>\n