- The campaign is reported to target companies in the USA as well as those operating from Europe.
- In the attack, Emotet is used to drop TrickBot, which then steals sensitive information and downloads the Ryuk ransomware into the victims’ computers.
A new, unique malware campaign has been recently detected by a group of security researchers. The campaign includes a concoction of well-known banking trojans Emotet and TrickBot, as well as the nascent Ryuk ransomware.
Experts from security firm Cybereason have tracked this campaign’s activity and observed that it was primarily aimed at European and American companies. Just like most of the modern attack campaigns, this one also used weaponized Word documents in phishing emails which download the malware trio.
- The attack campaign employs the Emotet trojan to deliver TrickBot. This serves the only purpose of Emotet as observed by the researchers. It did not launch its own malicious activities.
- TrickBot now steals information from victims’ computers and then downloads Ryuk ransomware. The trojan collects a variety of data that includes passwords, email files, browser data and registry keys.
- Ryuk ransomware, downloaded by TrickBot, encrypts the compromised computers after the latter has gathered all the sensitive information. The information is now ransomed for payment.
- According to Cybereason, the campaign also used many ‘advanced persistence, lateral movement, and detection evasion measures’ to successfully penetrate a network.
TrickBot cripples the defense system
Once it enters the system, the banking trojan works its way to disable the computer’s defense system. “In order to ensure persistence, TrickBot creates a scheduled task and a service. To reduce the likelihood of being detected by an antimalware product, TrickBot also tries to disable and delete Windows Defender,” Cybereason wrote.
Ultimately, this trio of malware can wreak havoc and take down large networks that belong to organizations.