Lessons from the Lab:
An Expert Guide to
Trickbot, DarkSide &
Other Malware of 2021
©BeyondTrust 2021 | 1
Presented By:
James Maude, Lead Cyber Security Researcher
Paul Davies, Sr. Solutions Architect
Agenda
• Where are we now in the evolution of malware/ransomware?
• How do attacks succeed?
• How does understanding the techniques help us prevent attacks?
• What part Endpoint Privilege Management (EPM) solutions play
• How do we make prevention achievable?
APT = Average Preventable Threat?
News Stories
The Evolution of Ransomware
Timeline: Archievus (2005), Reveton (2012), Cryptolocker (2013), Wannacry (2017), REvil (2019), Darkside (2021)
• Basic Ransomware – Automated, Single Endpoint
• Business Ransomware – Automated, Single Endpoint
• Enterprise Ransomware – Automated, Multiple Endpoints
• Tailored Ransomware – Manually Orchestrated
Trend across the timeline: Single Threat → Single Threat → Multiple Threats; Static → Dynamic → Highly Dynamic; Limited Privileges → Exploited Privileges → Extensive Privileges
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
"Although 82% of respondents know about ATT&CK, only 8% are using ATT&CK regularly."
- The State of MITRE ATT&CK® Threat-Informed Defence 2021
Trickbot / Ryuk – Attack Chain
Initial Access – Trickbot via phishing email: T1566 – Phishing
Execution & Local Elevation – Cobalt Strike or PowerShell Empire: T1548.002 – UAC Bypass
Credential Access – Using LaZagne, Mimikatz or other tools: T1134 – Access Token Manipulation; T1003/T1003.001 – Credential Dumping
Privilege Escalation – Control over Valid Admin Accounts: T1055 – Process Injection
Persistence – New Domain Admin (DA) Accounts: T1053 – Scheduled Task/Job; T1078 – Valid Accounts: Domain Accounts
Discovery – Recon and enumeration using Bloodhound: T1087 – Account Discovery; T1033 – System Owner/User Discovery
Lateral Movement – PsExec or other tools: T1035 – Service Execution
Defense Evasion – Tampering with A/V & security services: T1562 – Impair Defenses
Impact – Invoke Ryuk ransomware payload: T1086 – Data Encrypted for Impact
Prevention is Better
Than the Cure
Mitigations against attack techniques:
• M1026 - Privileged Account Management
• M1018 - User Account Management
• M1052 - User Account Control
• M1038 - Execution Prevention
"Start by taking care of the basics: build a solid cybersecurity foundation by implementing the [CIS Controls], especially application white-listing (sic), standard secure configuration, reduction of administrative privileges and a quick patching process."
- Zurich Insurance Group, Risk Nexus: Overcome by cyber risks? Economic benefits and costs of alternative cyber futures, Switzerland
Level Up Defenses
Trusted Application Protection
▪ Proactive protection of the most vulnerable and most actively exploited attack vector - end users
▪ Protection against file-less malware
▪ Out-of-the-box protection against majority of malware and ransomware attacks via high risk applications
▪ Zero dependency on detection = protection against unknown and 0day threats
TAP is included in out-of-the-box policy templates
[Diagram: High risk applications (Browsers – Website, Office – Document, Outlook – Attachment, Adobe – PDF) → Trusted Application Protection → child processes classed as Untrusted (Payloads), Script Hosts / Utilities (Fileless), Trusted (LOLBins)]
Malware Labs Demos:
• Trickbot
• Darkside
• Emotet
Summary
Trickbot
• LOLBins and/or malicious unsigned application
• Uses Admin Privileges
• UAC bypass via Fodhelper or Wsreset
• Uses admin privileges to: Disable Services and Tools via PowerShell
Darkside
• Malicious unsigned application
• Checks for admin privileges ("IsUserAnAdmin")
• UAC bypass via ICMLuaUtil
• Uses admin privileges to: Delete local backups; Disable Services and Tools
Emotet
• LOLBins followed by malicious unsigned application
• Elevation via Advapi32
• Uses admin privileges to: Manipulate Access Tokens; Process Injection
Common themes
• Common theme of seeking and using privileges against the system
• Execution of unsigned applications introduced to disk
• Abuse of native applications (PowerShell)
Malware Labs Testing
• BeyondTrust Labs looked at malware samples from Q1 2020 to Q1 2021
• Focus on samples where full attack chain could be seen
• Distilled the results down to 150 malware attack chains
• Representing thousands of malware variants.
• Emotet clearly dominated followed closely by Trickbot
[Pie chart – share of attack chains by family: Emotet 34%, Trickbot 19%, Loki 14%, AgentTesla 12%, NJRat 9%, Formbook 4%, Nanocore 3%, Maze 2%, Cryptowall 1%, MiniDuke 1%, Loader 1%]
Most Common Initial Techniques
Common initial MITRE techniques:
• T1047 – WMI Launch process (35%)
• T1204.002 – User launched exe (22%)
• T1059.001 – PowerShell (17%)
• T1059.003 – CMD (15%)
Top 10 Execution & Persistence
T1204.002 User Execution (Unsigned Binary launched indirectly) 24.19%
T1059.001 PowerShell 20.52%
T1047 WMI to create process 12.10%
T1059.003 CMD 11.66%
T1053.005 Scheduled Task 6.26%
T1218.011 Rundll32 5.83%
T1059.005 Wscript 4.10%
T1547.001 Registry Run Keys 1.51%
T1218.005 Mshta 1.51%
T1027.004 Compile After Delivery 1.30%
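As an added illustration, not code from the BeyondTrust deck or its lab tooling, the Python below maps constructed process-creation events to the technique IDs used on the attack-chain, Summary and technique-frequency slides and tallies them the way the Top 10 table does. The `signed` and `elevated` enrichment fields, the user-writable path list and the PowerShell command-line patterns are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Constructed process-creation record with Sysmon Event ID 1 style fields."""
    parent: str     # ParentImage
    image: str      # Image
    cmdline: str    # CommandLine
    signed: bool    # assumed enrichment: image carries a valid Authenticode signature
    elevated: bool  # assumed enrichment: process token is high integrity (admin)

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")  # assumed list
UAC_HOSTS = ("fodhelper.exe", "wsreset.exe")   # UAC bypass hosts named on the Summary slide
IMPAIR_RE = re.compile(r"set-mppreference\s+-disable|stop-service|set-service\s.*disabled")

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the ATT&CK technique IDs from the slides that one event matches."""
    parent, image, cmd = base(ev.parent), base(ev.image), ev.cmdline.lower()
    hits = []
    if parent == "wmiprvse.exe":                  # process spawned by the WMI provider host
        hits.append("T1047")
    if image == "powershell.exe":
        hits.append("T1059.001")
        if IMPAIR_RE.search(cmd):                 # "disable services and tools via PowerShell"
            hits.append("T1562")
    if image == "cmd.exe":
        hits.append("T1059.003")
    if not ev.signed and any(d in ev.image.lower() for d in USER_WRITABLE):
        hits.append("T1204.002")                  # unsigned binary run from a user-writable path
    if parent in UAC_HOSTS and ev.elevated:       # auto-elevate host handed an admin token to a child
        hits.append("T1548.002")
    return hits

def top_techniques(events):
    """Frequency table of matched techniques, most common first (cf. the Top 10 slide)."""
    counts = Counter(t for ev in events for t in classify(ev))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed sample telemetry; paths and users are invented, not lab data
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", PS, r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1", True, False),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "invoice.exe", False, False),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", True, True),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS, "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true", True, True),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Git\bin\git.exe", "git.exe pull", True, False),
]

if __name__ == "__main__":
    print(top_techniques(SAMPLE))
```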
Testing Results
• All the 150 attack chains were tested using PMfW 21.3
• Standard user
• Quick Start Policy with Trusted Application Protection enabled
• All 150 attack chains were broken proactively
• By blocking known attack techniques, we can reduce the attack surface
[Pie chart – same share of attack chains by family as on the Malware Labs Testing slide: Emotet 34%, Trickbot 19%, Loki 14%, AgentTesla 12%, NJRat 9%, Formbook 4%, Nanocore 3%, Maze 2%, Cryptowall 1%, MiniDuke 1%, Loader 1%]
EPM Power Up – Get Me There Fast!
That all sounds amazing, but ….
• How long does it take to implement EPM from scratch?
• How much configuration of the TAP policies is required?
• How long before I could be protected by the TAP rules shown?
• What if I already have EPM and my own custom policy deployed?
[Graphic: Difficulty Select – Easy (Go Here!), Medium, Hard, Very Hard]
Early Access!
BeyondTrust Labs:
Ransomware Threat Report 2021
In-depth analysis of the malware
trends of 2020-2021.
Check your inbox soon for a direct
link to the report.