IMPORTANT WARNING: TrickBot-Ryuk Activity Increased

10/30/2020

TrickBot malware and Ryuk ransomware activity has increased significantly over the past 48 hours. Our technology team has observed this activity across the AEC customer base, in several different segments. We therefore recommend treating this warning with the utmost seriousness.


Update 11/02/2020 (2 November 2020):

Further indicators of compromise have been added, among them indicators connected with the Emotet botnet. They were identified while investigating incidents at our customers and are marked "update 2020-11-02" in the table below.


You may already know this malicious software from the attacks successfully carried out this year and last; TrickBot malware and Ryuk ransomware also took part in the attack on the Benešov Hospital last December. We have written several times about that attack and about other activities of attackers using the Emotet botnet or the malware discussed here [1, 2].

On Wednesday October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) reported on the increased activity of this malware and the likelihood of attacks on hospitals and other healthcare facilities [3]. The Czech National Cyber and Information Security Agency (NÚKIB) likewise warned about increased activity of the Emotet botnet in early October [4].

The current version of TrickBot is no longer just a banking trojan. Once a computer is infected, the attackers can steal credentials and e-mail messages, mine cryptocurrency, steal data from payment systems, or download additional malware or ransomware (such as Ryuk) onto the infected system.

We recommend that all our customers check that their endpoint protection solution is up to date and scan for vulnerabilities, since exploiting them is the most common way this malware spreads across a network. Companies with an IOC search tool can sweep their managed devices for the IOCs listed in the table below.

Indicators are defanged: "[.]" stands for "." in domain names and IP addresses.

File name
    12 characters (including ".exe"), e.g. mfjdieks.exe
    anchorDiag.txt

Location of the suspicious file
    C:\Windows\
    C:\Windows\SysWOW64\
    C:\Users\\AppData\Roaming\

String
    Global\fde345tyhoVGYHUJKIOuy
    Note: typically present in running memory

    /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
    Note: typically present in the communication with the C&C server

Scheduled tasks
    [random_folder_name_in_%APPDATA%_excluding_Microsoft]
    autoupdate#[5_random_numbers]

CMD command
    cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
    cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]"
    Note: the dropped sample deletes itself after a three-second delay

DNS
    kostunivo[.]com
    chishir[.]com
    mangoclone[.]com
    onixcellent[.]com
    innhanmacquanaogiare[.]com - update 2020-11-02
    edgeclothingmcr[.]com - update 2020-11-02
    Note: DNS names connected with Anchor_DNS (a component of the TrickBot malware)

DNS
    ipecho[.]net
    api[.]ipify[.]org
    checkip[.]amazonaws[.]com
    ip[.]anysrc[.]net
    wtfismyip[.]com
    ipinfo[.]io
    icanhazip[.]com
    myexternalip[.]com
    Note: DNS names used for connectivity checks; these are legitimate public services that benign software also queries, so a lookup on its own is a weak signal to correlate with the other indicators, not a confirmation

IP address
    23[.]95[.]97[.]59
    51[.]254[.]25[.]115
    193[.]183[.]98[.]66
    91[.]217[.]137[.]37
    87[.]98[.]175[.]85
    81[.]214[.]253[.]80 - update 2020-11-02
    94[.]23[.]62[.]116 - update 2020-11-02
    104[.]28[.]27[.]212 - update 2020-11-02
    172[.]67[.]169[.]203 - update 2020-11-02
    104[.]28[.]26[.]212 - update 2020-11-02
    93[.]114[.]234[.]109 - update 2020-11-02
    Note: C&C server IP addresses
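As an added example that is not part of the original advisory, the following Python script shows how the indicators from the table above can be swept over exported logs (DNS, firewall, proxy, task scheduler, process creation) and file listings when no dedicated IOC search tool is at hand. The log lines, host names, user names and file paths in it are constructed for illustration; the allow-list of Windows binaries and the severity levels are the example's own assumptions, not part of the advisory.

```python
import re
from typing import List, Optional

# Indicators transcribed from the table above. They stay defanged ("[.]") in
# the source so the script can be shared without live links; they are
# refanged only in memory.
ANCHOR_DNS_DOMAINS = [
    "kostunivo[.]com", "chishir[.]com", "mangoclone[.]com", "onixcellent[.]com",
    "innhanmacquanaogiare[.]com", "edgeclothingmcr[.]com",
]
CONNECTIVITY_CHECK_DOMAINS = [
    "ipecho[.]net", "api[.]ipify[.]org", "checkip[.]amazonaws[.]com", "ip[.]anysrc[.]net",
    "wtfismyip[.]com", "ipinfo[.]io", "icanhazip[.]com", "myexternalip[.]com",
]
C2_ADDRESSES = [
    "23[.]95[.]97[.]59", "51[.]254[.]25[.]115", "193[.]183[.]98[.]66", "91[.]217[.]137[.]37",
    "87[.]98[.]175[.]85", "81[.]214[.]253[.]80", "94[.]23[.]62[.]116", "104[.]28[.]27[.]212",
    "172[.]67[.]169[.]203", "104[.]28[.]26[.]212", "93[.]114[.]234[.]109",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable one."""
    return ioc.replace("[.]", ".")


def domain_pattern(domain: str):
    # Match the domain or a subdomain of it, but not "notexample.com".
    return re.compile(r"(?<![\w-])" + re.escape(refang(domain)) + r"(?![\w-])", re.IGNORECASE)


def ip_pattern(ip: str):
    # Whole-address match only: 23.95.97.59 must not fire on 123.95.97.59.
    return re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")


# (pattern, severity, description). Severities are this example's assumption:
# connectivity-check domains are legitimate services, so they rate only "low".
RULES = (
    [(domain_pattern(d), "high", "Anchor_DNS domain " + refang(d)) for d in ANCHOR_DNS_DOMAINS]
    + [(ip_pattern(i), "high", "C&C address " + refang(i)) for i in C2_ADDRESSES]
    + [(domain_pattern(d), "low", "connectivity-check domain " + refang(d)) for d in CONNECTIVITY_CHECK_DOMAINS]
    + [
        (re.compile(r"\bautoupdate#\d{5}\b"), "high", "scheduled task autoupdate#[5 digits]"),
        (re.compile(r"/anchor_dns/\S+?_\S+?\.[A-Za-z0-9]{32}/"), "high", "Anchor_DNS C&C URI"),
        (re.compile(re.escape(r"Global\fde345tyhoVGYHUJKIOuy")), "high", "TrickBot mutex string"),
        (re.compile(r"cmd\.exe /c timeout 3 && del ", re.IGNORECASE), "medium", "sample self-delete (cmd)"),
        (re.compile(r"Start-Sleep 3; Remove-Item ", re.IGNORECASE), "medium", "sample self-delete (PowerShell)"),
    ]
)


def scan_log(lines: List[str]) -> List[dict]:
    """Run every rule over every log line; one dict per (line, rule) hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for pattern, severity, what in RULES:
            if pattern.search(line):
                hits.append({"line": number, "severity": severity, "indicator": what})
    return hits


# File heuristic from the table: 8 characters + ".exe" in a listed directory,
# or the anchorDiag.txt artefact. Many legitimate Windows binaries also have
# 8-letter names, so an allow-list (assumed here; extend it from a clean
# reference host and verify signatures/hashes) keeps obvious noise out.
LISTED_DIRS = ("c:\\windows\\", "c:\\windows\\syswow64\\")
DROP_NAME_RE = re.compile(r"^[a-z0-9]{8}\.exe$")
KNOWN_GOOD = {"explorer.exe", "rundll32.exe", "regsvr32.exe", "services.exe", "splwow64.exe"}


def suspicious_path(path: str) -> Optional[str]:
    """Return a reason if the path matches the table's file indicators, else None."""
    directory, _, name = path.lower().rpartition("\\")
    directory += "\\"
    if name == "anchordiag.txt":
        return "anchorDiag.txt present"
    in_roaming = directory.startswith("c:\\users\\") and directory.endswith("\\appdata\\roaming\\")
    if (directory in LISTED_DIRS or in_roaming) and DROP_NAME_RE.match(name) and name not in KNOWN_GOOD:
        return "8+4-character executable in " + directory
    return None


def scan_files(paths: List[str]) -> List[tuple]:
    flagged = []
    for path in paths:
        reason = suspicious_path(path)
        if reason:
            flagged.append((path, reason))
    return flagged


# Constructed sample telemetry (not real customer data).
SAMPLE_LOG = [
    "2020-10-30T08:12:01 DNS query ws-finance-07 A kostunivo.com",
    "2020-10-30T08:12:02 DNS query ws-finance-07 A api.ipify.org",
    "2020-10-30T08:12:05 FW allow 10.0.5.17:50112 -> 23.95.97.59:443",
    "2020-10-30T08:12:05 FW allow 10.0.5.18:50113 -> 123.95.97.59:443",
    "2020-10-30T08:13:40 TaskScheduler created task autoupdate#48213 by DOMAIN\\jnovak",
    "2020-10-30T08:13:41 Proc cmd.exe /c timeout 3 && del C:\\Users\\jnovak\\mfjdieks.exe",
    "2020-10-30T08:14:00 Proxy GET http://mangoclone.com/anchor_dns/WS-FINANCE-07_19041.0123456789abcdef0123456789abcdef/",
    "2020-10-30T08:15:00 DNS query ws-hr-02 A updates.notkostunivo.com",
]
SAMPLE_FILES = [
    r"C:\Windows\mfjdieks.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\jnovak\AppData\Roaming\qwerzxcv.exe",
    r"C:\Users\jnovak\AppData\Roaming\anchorDiag.txt",
    r"C:\Program Files\Tool\abcdefgh.exe",
    r"C:\Windows\SysWOW64\rundll32.exe",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %2d [%s] %s" % (hit["line"], hit["severity"], hit["indicator"]))
    for path, reason in scan_files(SAMPLE_FILES):
        print("file %s: %s" % (path, reason))
```

On the constructed input the lookalike address 123.95.97.59 and the lookalike domain updates.notkostunivo.com produce no hits, which is the point of the boundary look-arounds in domain_pattern and ip_pattern; plain substring matching would flag both. The file-name heuristic is the weakest indicator in the table and should only trigger a closer look (signature, hash, creation time) rather than an alert on its own.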

If you observe any of the IOCs listed above or any other suspicious activity in your network, please contact us directly for a consultation, an incident analysis or the implementation of specific security measures.


Sources:

[1]: https://aec.cz/cz/novinky/Stranky/zprava-o-bezpecnosti-v-prosinci-2019.aspx
[2]: https://www.antivirus.cz/Blog/Stranky/pozvanka-na-vanocni-vecirek-poradany-botnetem-emotet.aspx
[3]: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
[4]: https://www.nukib.cz/cs/infoservis/hrozby/1638-upozorneni-na-zvysenou-aktivitu-malwaru-emotet/