Author: Jeremy Ware and Darby Wise
TLP:WHITE
1. Executive Summary
On 28 October, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) published a joint advisory on threat actors targeting the Healthcare and Public Health (HPH) sector.1 This report details the threat actors’ use of Trickbot and BazarLoader malware to distribute ransomware, steal sensitive data, and attempt to interfere with healthcare services.
BazarLoader and Trickbot are two malware loaders that threat actors tend to distribute via phishing campaigns. In these attacks targeting U.S. hospitals and healthcare providers, threat actors used these loaders to distribute follow-on malware including Ryuk and Conti ransomware.
The report also details a new malware tool from the Trickbot developers called anchor_dns. This tool is a part of Anchor, a Trickbot module first observed in 2019, when it was used against large corporations and other high-profile organizations. Threat actors use anchor_dns to send and receive sensitive data from the victim’s machine via Domain Name System (DNS) tunneling.
The joint report included a list of indicators of compromise (IOCs) associated with Trickbot, anchor_dns and BazarLoader, many of which Infoblox has incorporated into its security products since April of this year. We include the full list of indicators at the end of this report, along with additional IOCs we were able to find in our own research.
2. Analysis
2.1. Trickbot and Anchor_dns
Trickbot is a banking trojan that was first discovered in 2016. Threat actors primarily distribute it through malspam campaigns, or as a secondary payload to other malware such as Emotet. Since its initial discovery, Trickbot has evolved to include a full suite of tools to harvest credentials, deploy cryptominers or ransomware, and exfiltrate a multitude of data types. For a detailed analysis of Trickbot’s attack chain, see the joint advisory or one of Infoblox’s previous reports on this malware.2,3
Anchor_dns is a backdoor tool created by the Trickbot developers as part of the toolset module named Anchor.4 With anchor_dns, threat actors communicate between the victim’s machine and the command and control (C&C) servers via DNS tunneling to mimic legitimate traffic and thereby evade detection. Anchor_dns is also known to use an ‘exclusive or’ (XOR) cipher for encryption with the key 0xB9.
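The two properties above, DNS tunneling and a single-byte XOR with 0xB9, are what a defender can key on. The following Python is an added example (not Infoblox's or the advisory's code) that flags domains receiving many distinct, long, high-entropy subdomain labels, the traffic shape tunneling produces, and then XOR-decodes a flagged label for analyst review. The query log, the tunnel-example.test domain and the hex-label encoding are constructed for this demonstration; the page only states the XOR key, not the label format.

```python
import math
import re
from collections import Counter, defaultdict

XOR_KEY = 0xB9  # single-byte XOR key the report attributes to anchor_dns

# Constructed DNS query log as (client, queried name). None of these names
# are real indicators; the *.tunnel-example.test labels are hex-encoded
# bytes XORed with 0xB9 (the label format is an assumption for this demo).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.9", "d1d6cacd84ceca8988.tunnel-example.test"),
    ("10.0.0.9", "a3f09c1e7b2d4e6f.tunnel-example.test"),
    ("10.0.0.9", "0c9e7a1b3d5f2e4c.tunnel-example.test"),
    ("10.0.0.9", "f1e2d3c4b5a69788.tunnel-example.test"),
    ("10.0.0.9", "7788aabbccdd0011.tunnel-example.test"),
]

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(text):
    """Bits of entropy per character: ordinary host labels such as 'www'
    score low, encoded payload labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (registered domain, subdomain part). Simplification: the last
    two labels are taken as the registered domain; a production tool would
    consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_tunnel_candidates(queries, min_unique=4, min_len=12, min_entropy=3.0):
    """Flag registered domains that receive many distinct, long, high-entropy
    subdomain labels. Thresholds are illustrative and need tuning per network
    (CDNs and telemetry services legitimately produce similar patterns)."""
    subs = defaultdict(set)
    for _, qname in queries:
        domain, sub = split_name(qname)
        if sub:
            subs[domain].add(sub)
    flagged = {}
    for domain, names in subs.items():
        if len(names) < min_unique:
            continue
        mean_len = sum(len(s) for s in names) / len(names)
        mean_ent = sum(shannon_entropy(s) for s in names) / len(names)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[domain] = {"unique": len(names),
                               "mean_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


def decode_xor_hex_label(label, key=XOR_KEY):
    """For analyst review of a flagged label: hex-decode it and undo the
    single-byte XOR. Returns None if the label is not even-length hex."""
    if not HEX_LABEL.fullmatch(label) or len(label) % 2:
        return None
    return bytes(b ^ key for b in bytes.fromhex(label))


if __name__ == "__main__":
    for domain, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"suspicious: {domain} {stats}")
        for _, qname in SAMPLE_QUERIES:
            if qname.endswith("." + domain):
                label = qname.split(".")[0]
                print(f"  {label} -> {decode_xor_hex_label(label)!r}")
```

Only the first tunnel label decodes to readable text (it was built from a constructed string); the others decode to noise, which is the normal experience when the XOR key or the encoding guess is wrong, so treat the decoder as a triage aid rather than a verdict.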
2.2. BazarLoader and BazarBackdoor
BazarLoader and BazarBackdoor are believed to have been created by the threat actors behind Trickbot and were first observed in early 2020. They work together to infect the victim’s machine and communicate with the C&Cs, and according to the alert they have become an increasingly popular means of deploying ransomware. In the attack against the HPH sector, they downloaded Ryuk and Conti ransomware.
Threat actors have distributed BazarLoader in two ways: first, via phishing emails that carry malicious attachments; second, via links directing users to a malicious DOC or PDF file on a legitimate document hosting site such as Google Drive.5 Once the user downloads the file, BazarLoader drops the payload for BazarBackdoor, which the threat actor then uses to exploit the host machine and network.
2.3. Ryuk Ransomware
Threat actors often distribute Ryuk ransomware as a follow-on payload from banking trojans such as Trickbot or Emotet. Ryuk is a derivative of Hermes,6 a ransomware variant that injects malicious dynamic-link library (DLL) files into the memory of the victim’s machine, and then spreads laterally across a victim’s network. Once the Ryuk payload is dropped, it uses Advanced Encryption Standard (AES)-256 keys to encrypt the victim’s files. The ransomware then drops a RyukReadMe file on the victim’s machine instructing them to contact a provided Protonmail-encrypted email address for further instructions on the ransom amount and the specific Bitcoin wallet to which the victim must submit their payment. Infoblox has previously written on Ryuk, providing an in-depth analysis of its distribution and attack chain. For a more detailed attack chain, refer to the joint advisory or our previous report on Ryuk.7
3. Prevention and Mitigation
CISA, FBI and HHS provide a set of recommendations to prevent or mitigate the effects of these kinds of cyberattacks. We include some below, but a more extensive list, including preventative measures against specific ransomware, can be found in the joint report.
Network best practices:
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Regularly validate secure configurations and ensure local administration is enabled for all operating systems of organization-owned assets.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
Ransomware mitigation best practices:
- Regularly back up data, air gap, and password protect backup copies offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
4. Indicators of Compromise
Indicator | Description
--- | ---
kostunivo[.]com | Trickbot domain
chishir[.]com | Trickbot domain
mangoclone[.]com | Trickbot domain
onixcellent[.]com | Trickbot domain
biillpi[.]com | Trickbot domain
23[.]95[.]97[.]59 | Trickbot C&C server
51[.]254[.]25[.]115 | Trickbot C&C server
193[.]183[.]98[.]66 | Trickbot C&C server
91[.]217[.]137[.]37 | Trickbot C&C server
87[.]98[.]175[.]85 | Trickbot C&C server
64[.]44[.]133[.]134 | Trickbot C&C server
66[.]70[.]218[.]54 | Trickbot C&C server
209[.]99[.]40[.]222 | Trickbot C&C server
209[.]99[.]40[.]223 | Trickbot C&C server
185[.]158[.]248[.]251 | Trickbot C&C server
96[.]9[.]73[.]73 | Trickbot C&C server
96[.]9[.]77[.]142 | Trickbot C&C server
45[.]89[.]127[.]92 | Trickbot C&C server
36[.]89[.]106[.]69 | Trickbot C&C server
103[.]76[.]169[.]213 | Trickbot C&C server
36[.]91[.]87[.]227 | Trickbot C&C server
5[.]2[.]78[.]118 | Trickbot C&C server
185[.]90[.]61[.]69 | Trickbot C&C server
185[.]90[.]61[.]62 | Trickbot C&C server
86[.]104[.]194[.]30 | Trickbot C&C server
31[.]131[.]21[.]184 | Trickbot C&C server
195[.]123[.]242[.]119 | Trickbot C&C server
51[.]81[.]113[.]25 | Trickbot C&C server
272602c23c69ff189ba778eff6a03cfa3a76e01423103abcdf54afe5d1c52b6d | Trickbot SHA256
a4483e475c6aaf235b747e99d720709ab110f68fc100802096a3566dc0da907b | Trickbot SHA256
0d644d9e462fa82835ada36eaafa23521272fb8e08616fef33a9d3b8c74f735b | Trickbot SHA256
D11866e458626e81d4aa4bd9fdb441bec5a684ccaf7b786acddb95377d66b72f | Trickbot SHA256
Sersd[.]xyz | BazarLoader domain
Hunopk[.]xyz | BazarLoader domain
Xyved[.]xyz | BazarLoader domain
mugtre[.]xyz | BazarLoader domain
62[.]108[.]35[.]103 | BazarLoader C&C
86[.]104[.]194[.]108 | BazarLoader C&C
31bfe5b4514382dc550445bbdde3c281256b878c83409edcc1540dd790d25ea1 | BazarLoader SHA256
3e3008cf6a8335dbda7d120bf79c7f4f7393b98351e70b26b5d385880a1017ff | BazarLoader SHA256
B6ec3a1f620913caf7b47450d2c74fb2f483eab50804a0e34b6c09827d21e728 | BazarLoader SHA256
bf1b48ea7cd8812f6d2e8f7cd620dd79f3ffc383ac9d907086df8a1e414ea96c | BazarLoader SHA256
6bf0900bbe9e98d2ba63f50aff91e5d8fa1165ac6a4c75a76c9a0c436a2bf305 | Anchor_DNS SHA256
2aa995b0a818fa730f176f261b23dab7a32d49de598ad7dbb35f913a1fa4bd48 | Anchor_DNS SHA256
d584e868f867c6251e115b7909559da784f25b778192c6a24e49685f80257e4d | Anchor_DNS SHA256
137ecfef47e767c9bf6db5d958800201c058e4d69321fb736a880508f9697ac5 | Anchor_DNS SHA256
3c4b9645d821827d367ec4e605a708186fb29e7780db97a693220146701730e5 | Anchor_DNS SHA256
18d347001057c68c4f2ad1d2f5af73e2dfa69aa46466fa43b40d7da360b79c01 | Anchor_DNS SHA256
9469f92e61d75e88ccc854ac6febd2df4a2a5ee7ec4ecea152b82e05df905325 | Anchor_DNS SHA256
D5440b90f2392f378b84be359201cb2870681d9483ec692bd16a8b00ec22122b | Anchor_DNS SHA256
9f2a5f2ca86b24191370315c30a78f8adda1a04e3acac4edb3ac8f1cdc58c20c | Anchor_DNS SHA256
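Published IOC lists are defanged (`[.]` in place of `.`) and mix case, so they cannot be grepped against logs as printed. The Python below is an added example, not Infoblox's or the advisory's tooling: it refangs and normalises a subset of the indicators from the table above, then matches DNS, firewall and EDR log lines against them, matching domains at label boundaries so that a subdomain of a listed domain hits but a name that merely contains the string does not. The log lines, the log formats and every value in them other than the report's indicators are constructed.

```python
import re

# Indicators copied from the table above, exactly as the report defangs them.
# A few of each type show the mechanics; the full table loads the same way.
REPORT_IOCS = {
    "kostunivo[.]com": "Trickbot domain",
    "chishir[.]com": "Trickbot domain",
    "23[.]95[.]97[.]59": "Trickbot C&C server",
    "62[.]108[.]35[.]103": "BazarLoader C&C",
    "Sersd[.]xyz": "BazarLoader domain",
    "272602c23c69ff189ba778eff6a03cfa3a76e01423103abcdf54afe5d1c52b6d": "Trickbot SHA256",
    "D11866e458626e81d4aa4bd9fdb441bec5a684ccaf7b786acddb95377d66b72f": "Trickbot SHA256",
    "6bf0900bbe9e98d2ba63f50aff91e5d8fa1165ac6a4c75a76c9a0c436a2bf305": "Anchor_DNS SHA256",
}

# Constructed log lines (DNS resolver, firewall, EDR). Only the matching
# values come from the report; timestamps, clients and hosts are made up.
SAMPLE_LOGS = [
    "2020-10-29T10:01:02Z dns client=10.1.2.3 qname=www.example.com type=A",
    "2020-10-29T10:01:05Z dns client=10.1.2.3 qname=KOSTUNIVO.COM type=A",
    "2020-10-29T10:02:10Z fw src=10.1.2.3 dst=23.95.97.59 dport=443 action=allow",
    "2020-10-29T10:03:44Z edr host=ws01 sha256=D11866E458626E81D4AA4BD9FDB441BEC5A684CCAF7B786ACDDB95377D66B72F",
    "2020-10-29T10:04:00Z dns client=10.1.2.4 qname=mail.sersd.xyz type=A",
    "2020-10-29T10:04:30Z dns client=10.1.2.4 qname=notkostunivo.com type=A",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(indicator):
    """Undo the [.] / hxxp defanging used in published IOC lists and
    normalise case so hashes and domains compare reliably."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_index(iocs):
    """Map refanged indicator -> description."""
    return {refang(k): v for k, v in iocs.items()}


def domain_hit(name, index):
    """Match a queried name against IOC domains at label boundaries: walk
    from the full name towards the apex, so mail.sersd.xyz matches
    sersd.xyz but notkostunivo.com does not match kostunivo.com."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_logs(logs, index):
    """Return (line number, matched indicator, description) for every hit."""
    hits = []
    for n, line in enumerate(logs, 1):
        low = line.lower()
        for token in IPV4.findall(low) + SHA256.findall(low):
            if token in index:
                hits.append((n, token, index[token]))
        for name in DOMAIN.findall(low):
            matched = domain_hit(name, index)
            if matched:
                hits.append((n, matched, index[matched]))
    return hits


if __name__ == "__main__":
    for line_no, indicator, description in scan_logs(SAMPLE_LOGS, build_index(REPORT_IOCS)):
        print(f"line {line_no}: {indicator} ({description})")
```

The registered-domain IOCs in the table are coarse by design: a hit on `kostunivo[.]com` covers any host under it, which is why the matcher walks label suffixes rather than comparing whole strings. IP indicators, by contrast, should be matched exactly, and are the quickest to go stale, so pair IP hits with the domain and hash evidence before acting on them.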
Endnotes
1. https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–77
3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–66
4. https://cyware.com/news/trickbot-anchor-malware-infects-both-linux-and-windows-systems-cfbe68d7
5. https://isc.sans.edu/forums/diary/BazarLoader+phishing+lures+plan+a+Halloween+party+get+a+bonus+and+be+fired+in+the+same+afternoon/26710/?_hsmi=98108296&_hsenc=p2ANqtz–ljGhOfCvkpHP8QWsJI_dK73jhzUQ9j6RbjdLkFIt6nKwC8do9_OP1H0Q48uebHH3uwRmjJrDysxbqidQpjcy1LlVdm4yqXjEO27OANzPnnM6BoEE
6. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–5
7. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–3