![]() ![]() Going by the timestamps, we can guess the time period of 2 weeks for dwell time from TrickBot -> Pivot and Profile -> Ryuk.Initially employed as a bank Trojan, Trickbot is now one of the most powerful tools available to cybercriminals who can gain remote access to infected machines to deliver their own malware, including ransomware. Image9: Machine directory listingĮventually leading to Ryuk ransomware: Image10: Ryuk upload and detonate Image11: Ryuk detonated via PsExec Image8: Interactive LogonĮach machine gets profiled out. Image7: PowerShell leveraged for enumerationĭuring this time, other machines in the same domain are pivoted to. The actors load in PowerView.ps1 PowerShell script from PowerSploit and begin leveraging the PowerShell script to find where else they can pivot to. They also check the members of the Domain Admin group: Image5: Domain admin checkedĪnd dump the hashes: Image6: hashdump issued Next, they begin looking for live hosts and port scanning for particular open ports. Image3: Initial tasks executed after check in Once the actors decide to take a look at the infection using Cobalt Strike, they issue a task to run the Cobalt Strike-ToolKits DACheck script, impersonate SYSTEM and run Mimikatz. The actor initially makes a note of this infection: Image2: Operator adds note We can correlate timestamps from the Cobalt Strike logs to campaign data when TrickBot utilized the folder name. In the later part of 2019, TrickBot conducted campaigns using the CloudApp folder. Or in other words, they initiate the valuation phase. At this point, actors will jump in and begin the process of mapping out the network and determining what the next course of action will be. ![]() TrickBot modules collect large amounts of data on the infected systems and attempt to pivot to the domain controller. This specific server comes into play in the post-Initial Access phase, which is handled by TrickBot. The actor leverages a myriad of open source scripts and tools to gather information and pivot to other systems from existing TrickBot infections. The server is clearly utilized for further profiling the networks and systems. ![]() While the log data is only for 3 sessions, data such as this can prove to be invaluable for defenders through showcasing actions on objectives and attack TTPs from real life scenarios. The effort paid off as surprisingly some old attack data from the server containing roughly three sessions (-) appeared recently. Typically, the domains are monitored for some time via VirusTotal in an effort to further any understanding of the IOC in question. Previously, in our PowerTrick reporting, we mentioned an IOC ‘wizardmagikbest’ (95.179.214127). PowerTrick custom PowerShell framework for high profile victims.Anchor project’s connection of CyberCrime and APT.This report aims to expand upon SentinelLabs earlier reports involving TrickBot: Much like a company whose target will shift depending on what generates the best revenue. This focus shift is prevalent in their tertiary deliveries that target enterprise environments. Incorporating everything from network profiling, mass data collection and lateral traversal exploits. TrickBot has since shifted focus to enterprise environments over the years. ![]() TrickBot is the successor of Dyre which at first was primarily focused on banking fraud, even reusing the same web-injection systems utilized by Dyre. We review the Cobalt Strike portion of the server and how the actors were leveraging it against multiple targets.Trickbot operators utilized PowerTrick and Cobalt Strike to deploy their Anchor backdoor and RYUK ransomware.Research by Joshua Platt and Jason Reaves Executive Summary ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |