FireEye-Crowdstrike cyber security experts: The Russian cybercrime group behind Ryuk malware is using the TrickBot Trojan to penetrate the infected network. Then, it install its ransomware
A Russian cybercrime gang is partnering with another group to maximise profits ore is using multi-stage cyber attacks to earn money. FireEye and CrowdStrike cyber security experts found that Ryuk actors GRIM SPIDER, the ones behind the recent malware attack on many newspapers, used the TrickBot Trojan to gain access to the infected netwotk. Then, they manually infiltrate and install their ransomware. It’s not clear if they are working together with other cyber criminals (WIZARD SPIDER, the Russian operator of TrickBot) or if they rented or bought the malicious code. FireEye calls this type of access TEMP.MixMaster, which refers to any incidents that they have seen where Ryuk is installed following a TrickBot infection. “The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations,” the company’s research reports.
TrickBot Trojan is distribuited through large malspam campaigns. After installed, the cybercrime does the same with Ryuk, using the Empire tool
TrickBot Trojan is commonly distributed through large malspam campaigns. According to CrowdStrike, it also can be installed through the use of Emotet malware geo-based download function. The malicious campaigns exploit the baits of payments from big legitimate companies. The email message contains attachments that when opened and have macros enabled, download and install TrickBot on the victim’s computer. After the malware has been installed, a reverse shell would be created back to cybercrime actors, which allows them to remotely gain access to the infected system and then install Ryuk throughout the network. The tool used tipically is called Empire. It allows criminal actors to quickly distribute payloads through a network, while at the same time evading detection. These actors would use it to steal credentials on other computers in the network and then install the ransomware on high value targets.
Why the threat actor behind these new double cyber attacks is believed to come from Russia
Crowdstrike cyber security experts believe that the cybercrime actors operate from Russia. First of all, Ryuk ransomware is based on Hermes ransomware, developed by the North Korean group STARDUST CHOLLIMA (part of Lazarus network). But it was advertized on Russian-speaking forums. Then, it doesn’t work in Russia, Ukraine and Belarus. This functionality is commonly included by malware developers and sellers who are operating in Russia to reduce their risk of attracting local law enforcement’s attention and criminal prosecution. Then, some files were uploaded to a file-scanning website from an IP address in Moscow. Finally, during forensic investigation of a network compromised by GRIM SPIDER, CrowdStrike Services recovered artifacts with filenames in Russian.