Author: Jeremy Ware and Darby Wise
1. Executive Summary
On 28 October, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) published a joint advisory on threat actors targeting the Healthcare and Public Health (HPH) sector.1 This report details the threat actors’ use of Trickbot and BazarLoader malware to distribute ransomware, steal sensitive data, and attempt to interfere with healthcare services.
BazarLoader and Trickbot are two malware loaders that threat actors tend to distribute via phishing campaigns. In these attacks targeting U.S. hospitals and healthcare providers, threat actors used these loaders to distribute follow-on malware including Ryuk and Conti ransomware.
The report also details a new malware tool from the Trickbot developers called anchor_dns. This tool is a part of Anchor, a Trickbot module first observed in 2019, when it was used against large corporations and other high-profile organizations. Threat actors use anchor_dns to send and receive sensitive data from the victim’s machine via Domain Name System (DNS) tunneling.
The joint report included a list of indicators of compromise (IOCs) associated with Trickbot, anchor_dns and BazarLoader, many of which Infoblox has incorporated into its security products since April of this year. We included the full list of indicators at the end of this report, along with additional IOCs we were able to find in our own research.
2.1. Trickbot and Anchor_dns
Trickbot is a banking trojan that was first discovered in 2016. Threat actors primarily distribute it through malspam campaigns, or as a secondary payload to other malware such as Emotet. Since its initial discovery, Trickbot has evolved to include a full suite of tools to harvest credentials, deploy cryptominers or ransomware, and exfiltrate a multitude of data types. For a detailed analysis of Trickbot’s attack chain, see the joint advisory or one of Infoblox’s previous reports on this malware.2,3
Anchor_dns is a backdoor tool created by the Trickbot developers as part of the toolset module named Anchor.4 With anchor_dns, threat actors communicate between the victim’s machine and the command and control (C&C) servers via DNS tunneling to mimic legitimate traffic and thereby evade detection. Anchor_dns is also known to use an ‘exclusive or’ (XOR) cipher for encryption with the key 0xB9.
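The DNS-tunneling channel described above is what a resolver log review would need to surface. The following is an added example, not code from the Infoblox report or the joint advisory: it applies generic tunneling heuristics (an unusually long first label, a high-entropy first label, and many distinct subdomains under one registered domain) to a constructed export of DNS query logs in an assumed `<timestamp> <client_ip> <qtype> <qname>` format. It does not decode any particular malware's protocol, and the `registered_domain` helper is a two-label simplification that production code should replace with a public-suffix list.

```python
"""Heuristic screen for DNS-tunneling-style query patterns in a DNS query log.

Added example; not the report's or the advisory's code. Assumes log lines of
the form "<timestamp> <client_ip> <qtype> <qname>" (an assumed format) and
generic heuristics only: it does not implement any specific malware protocol.
"""
import math
from collections import defaultdict

# Constructed sample log lines (not real traffic, not real indicators).
SAMPLE_LOG = """\
2020-10-28T10:00:01 10.1.2.5 A www.example.com
2020-10-28T10:00:02 10.1.2.5 A mail.example.com
2020-10-28T10:00:03 10.1.2.7 TXT 4f2a9c1e7b0d3f8a6c5e2b9d1f7a3c8e.tun.example.org
2020-10-28T10:00:04 10.1.2.7 TXT 9b3d7e1a5c2f8b4d6e0a1c3f5b7d9e2a.tun.example.org
2020-10-28T10:00:05 10.1.2.7 TXT 2c8e4a6f0b1d3e5a7c9f1b3d5e7a9c0e.tun.example.org
2020-10-28T10:00:06 10.1.2.7 TXT 7d1f3b5a9c0e2a4c6e8b0d2f4a6c8e1b.tun.example.org
2020-10-28T10:00:07 10.1.2.9 A cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: real code should use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the assumed four-column log format into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def score_queries(records, max_label_len=30, min_entropy=3.5,
                  min_unique_subdomains=3, min_signals=2):
    """Return {registered_domain: [signals]} for domains with at least min_signals tunneling signals.

    Signals: a first label longer than max_label_len, a first label whose
    Shannon entropy exceeds min_entropy, and at least min_unique_subdomains
    distinct subdomain prefixes seen under the same registered domain.
    """
    unique_subs = defaultdict(set)
    signals = defaultdict(set)
    for r in records:
        dom = registered_domain(r["qname"])
        # Everything left of the registered domain, e.g. "www" or "<hex>.tun".
        prefix = r["qname"][: -(len(dom) + 1)] if r["qname"] != dom else ""
        if not prefix:
            continue
        unique_subs[dom].add(prefix)
        first_label = prefix.split(".")[0]
        if len(first_label) > max_label_len:
            signals[dom].add("long_label")
        if shannon_entropy(first_label) > min_entropy:
            signals[dom].add("high_entropy_label")
    for dom, subs in unique_subs.items():
        if len(subs) >= min_unique_subdomains:
            signals[dom].add("many_unique_subdomains")
    return {dom: sorted(s) for dom, s in signals.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for dom, why in score_queries(parse_log(SAMPLE_LOG)).items():
        print(dom, why)
```

Thresholds here are starting points, not tuned values: CDNs and some security products legitimately produce long or high-entropy labels, so the `min_signals` requirement exists to avoid alerting on a single weak signal, and any hit should be confirmed against the client's other traffic before it is treated as tunneling.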
2.2. BazarLoader and BazarBackdoor
BazarLoader and BazarBackdoor are believed to have been created by the threat actors behind Trickbot and were first observed in early 2020. They work together to infect the victim’s machine and communicate with the C&Cs, and according to the alert they have become an increasingly popular means of deploying ransomware. In the attack against the HPH sector, they downloaded Ryuk and Conti ransomware.
Threat actors have distributed BazarLoader in two ways: first, via phishing emails that carry malicious attachments; second, via links directing users to a malicious DOC or PDF file on a legitimate document hosting site such as Google Drive.5 Once the user downloads the file, BazarLoader drops the payload for BazarBackdoor, which the threat actor then uses to exploit the host machine and network.
2.3. Ryuk Ransomware
Threat actors often distribute Ryuk ransomware as a follow-on payload from banking trojans such as Trickbot or Emotet. Ryuk is a derivative of Hermes,6 a ransomware variant that injects malicious dynamic-link library (DLL) files into the memory of the victim’s machine and then spreads laterally across the victim’s network. Once the Ryuk payload is dropped, it uses Advanced Encryption Standard (AES)-256 keys to encrypt the victim’s files. The ransomware then drops a RyukReadMe file on the victim’s machine instructing them to contact a provided Protonmail-encrypted email address for further instructions on the ransom amount and the specific Bitcoin wallet to which the victim must submit their payment. Infoblox has previously written on Ryuk, providing an in-depth analysis of its distribution and attack chain. For a more detailed attack chain, refer to the joint advisory or our previous report on Ryuk.7
3. Prevention and Mitigation
CISA, FBI and HHS provide a set of recommendations to prevent or mitigate the effects of these kinds of cyberattacks. We include some below, but a more extensive list, including preventative measures against specific ransomware, can be found in the joint report.
Network best practices:
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Regularly validate secure configurations and ensure local administration is enabled for all operating systems of organization-owned assets.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
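Several of the items above (monitoring remote access/RDP logs, auditing logs to confirm new accounts are legitimate, and auditing accounts with administrative privileges) can be checked from the same Windows Security log export. The following is an added example, not code from the Infoblox report or the advisory: it assumes Security events already exported as one JSON object per line using the standard event-data field names (`SubjectUserName`, `TargetUserName`, `LogonType`, `IpAddress`), and it uses real event IDs (4720 user account created, 4732 member added to a security-enabled local group, 4624 successful logon with logon type 10 for RDP). The approved-creator list, the management subnet, and the sample events are constructed placeholders.

```python
"""Audit a Windows Security log export for three of the advisory's recommendations:
new-account legitimacy, additions to the Administrators group, and RDP logons
from outside the management network.

Added example; not the report's or the advisory's code. Assumes events were
exported as one JSON object per line with the standard event-data field names.
"""
import ipaddress
import json

# Constructed sample events (not real log data). In real 4732 events the member
# is usually carried as an SID in MemberSid; the sample uses a readable MemberName.
SAMPLE_EVENTS = """\
{"EventID": 4720, "TimeCreated": "2020-10-28T02:14:00", "SubjectUserName": "svc_backup", "TargetUserName": "helpdesk2"}
{"EventID": 4720, "TimeCreated": "2020-10-28T09:30:00", "SubjectUserName": "it.admin", "TargetUserName": "jdoe"}
{"EventID": 4732, "TimeCreated": "2020-10-28T02:15:00", "SubjectUserName": "svc_backup", "TargetUserName": "Administrators", "MemberName": "helpdesk2"}
{"EventID": 4624, "TimeCreated": "2020-10-28T02:20:00", "TargetUserName": "helpdesk2", "LogonType": 10, "IpAddress": "203.0.113.45"}
{"EventID": 4624, "TimeCreated": "2020-10-28T09:35:00", "TargetUserName": "it.admin", "LogonType": 10, "IpAddress": "10.50.0.12"}
{"EventID": 4624, "TimeCreated": "2020-10-28T09:40:00", "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"}
"""

# Constructed placeholders: replace with the organization's own approved list and subnets.
APPROVED_ACCOUNT_CREATORS = {"it.admin"}
MANAGEMENT_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
RDP_LOGON_TYPE = 10  # RemoteInteractive logon in Security event 4624


def parse_events(text: str):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_management_subnet(ip_str: str) -> bool:
    """True if ip_str parses as an address inside one of MANAGEMENT_SUBNETS.

    Local logons carry "-" in IpAddress, which does not parse and is treated as
    not-from-management; the RDP check below only runs for logon type 10 anyway.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_SUBNETS)


def audit(events):
    """Return a list of (finding_type, account, detail) tuples in log order."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4720 and e.get("SubjectUserName") not in APPROVED_ACCOUNT_CREATORS:
            # Account created by someone outside the approved provisioning set.
            findings.append(("unapproved_account_creation",
                             e.get("SubjectUserName"), e.get("TargetUserName")))
        elif eid == 4732 and e.get("TargetUserName") == "Administrators":
            # Any addition to the local Administrators group is worth a review.
            findings.append(("admin_group_addition",
                             e.get("MemberName"), e.get("SubjectUserName")))
        elif (eid == 4624 and e.get("LogonType") == RDP_LOGON_TYPE
              and not from_management_subnet(e.get("IpAddress", ""))):
            # RDP session that did not originate from the management network.
            findings.append(("rdp_logon_outside_mgmt_subnet",
                             e.get("TargetUserName"), e.get("IpAddress")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

On the constructed sample this reports the account `helpdesk2` three times: created by an unapproved subject, added to Administrators, and then used for an RDP logon from outside the management subnet, which is the sequence the log review is meant to surface. The checks are deliberately independent so that each one still fires when the others are absent.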
Ransomware mitigation best practices:
- Regularly back up data, air gap, and password protect backup copies offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
4. Indicators of Compromise
Trickbot C&C servers