A One-two Punch of Emotet, TrickBot, & Ryuk Stealing & Ransoming Data

A One-two Punch of Emotet, TrickBot, & Ryuk Stealing & Ransoming Data

Notable Elements of the Attack

  • This campaign adapts Emotet as a dropper for the TrickBot trojan. TrickBot then steals sensitive information and downloads the Ryuk ransomware.
  • This research gives unique detail to each phase of the campaign, from Emotet’s use as an infrastructure to deliver TrickBot, to TrickBot’s information stealing capabilities, lateral movement, and use as a downloader for Ryuk, and finally to Ryuk’s ransomware capabilities.
  • As a modular trojan, TrickBot is evolving all the time. In past research, it has been used to download the Ryuk ransomware. In this campaign, it is used to deliver a one-two punch to the victim. Not only does it steal personal data and credentials including passwords, mail files, browser data, registry keys, and more, but it also downloads Ryuk, which encrypts their machine and ransoms their data for payment.
  • This campaign targets companies in Europe and the USA, and signals a change in trend for Emotet and TrickBot, which are both well-known trojans.
  • In this attack, Emotet is used as a dropper for the TrickBot trojan instead of performing its own malicious activities as a trojan.
  • TrickBot has evolved to include advanced capabilities like password collecting, detection evasion, the launching of an Empire PowerShell backdoor, and the ability to download the Ryuk ransomware. In addition, it has a module that allows an attacker to remotely view and control a victims desktop.
  • This campaign used many advanced persistence, lateral movement, and detection evasion measures, including attempts to disable Windows Defender, the use of EternalBlue to spread, and the stopping of multiple services and processes related to anti malware products.
  • Full research on the Emotet-TrickBot-Ryuk campaign can be found here <>.

The Triple Threat Campaign

Emotet was first discovered in 2014 as a trojan used to steal banking credentials. More recently, it has been used as a dropper of other trojans. It has introduced several advanced capabilities over the years due to its modular structure, including an installation module, banking module, and DDoS module. Emotet is mainly distributed through phishing emails using various social engineering techniques.

Article Link: https://www.cybereason.com/blog/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data