Summary
The FBI identified a new trend of banking trojan infections and PowerShell Empire activity preceding BitPaymer ransomware attacks. The FBI normally issues Flash Reports like this when there is a marked increase in attack activity and exploit reports from victims. H-ISAC urges all members to take this Flash Report seriously and follow the recommended actions and mitigation techniques.
Dridex is the most observed precursor trojan leading to BitPaymer attacks, while Emotet, Trickbot, Ursnif and Qakbot infections have also been observed. Dridex is frequently delivered using macro documents during spam campaigns and along with its predecessor Bugat, Dridex has facilitated financial fraud by targeting US organizations since 2011. PowerShell Empire, an open source penetration testing framework, is used by malicious actors to conduct post-exploitation activity on compromised networks prior to delivering the BitPaymer ransomware payload.
The actors use Empire’s modules for lateral movement, reconnaissance and privilege escalation to gain domain administrator access on victim networks, which facilitates the widest possible encryption of critical assets once BitPaymer ransomware is deployed.
Bitpaymer ransomware has been previously detected on the infrastructure of third parties with relationships in the healthcare sector. While the Dridex Banking Trojan appears to be primarily focused on compromising banking infrastructure, the healthcare sector has also seen an impact due to relationships with parties infected with Bitpaymer.
What Does Dridex Banking Trojan Do?
The Dridex banking trojan is malware designed to infect computers, steal banking credentials, and then steal money from financial institutions. Once installed, Dridex can capture and exfiltrate HTTPS web activity, screenshots, and stored certificates. It can execute files, blacklist URLs, redirect URLs, retrieve system configuration information, and install additional malware on infected machines.
What Should I Do To Mitigate Possible Risk?
The FBI recommends that security professionals and system administrators who identify a Dridex infection or PowerShell Empire activity on their networks take immediate steps to mitigate the threat of a potential follow-on ransomware attack, to include backing up sensitive or proprietary data.
Additional mitigations include:
- Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks and should not be updated in real time, which could increase the likelihood of encryption once ransomware is deployed. Limit access to cloud based backups and implement two factor authentication if possible to prevent or delay deletion of backups prior to encryption by attackers.
- Upgrade PowerShell to the newest version with enhanced logging features, and centralize logs to detect commonly used malware-related PowerShell commands.
- Implement separation of duties or dual authorization procedures for money transfers above a specified threshold.
- Audit and increase security controls and password requirements for all network protocols, which could be used to move laterally or gain access to a network, specifically: file-sharing protocols, such as SMB, and remote network protocols, such as RDP, SSH, VPN, Telnet, and VNC. Recent malware loaders and other banking trojans have also introduced SMB bruteforce capability for internal propagation.
- Limit and audit accessible files via SMB shares. Recommend limiting SMB accessibility through Active Directory Group Policies.
- Audit privileged accounts, and implement principle of least privilege, especially for administrator accounts. Routinely audit administrator and business critical user accounts.
- Monitor for SSL or TLS traffic over non-standard ports.
- Implement an update and patch management cycle.
- Install and regularly update anti-virus or anti-malware software on hosts.
- Implement an incident management system, and prepare an incident response plan for rapid deployment in case of a cyber intrusion.
- Implement application whitelisting to block the execution of malware, or at least block execution of files from TEMP directories, from which most phishing malware attempts to execute.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet connected systems for known vulnerabilities, and software processing Internet data, such as Web browsers, browser plugins, and document readers.
- Scrutinize attachments and Web site hyperlinks contained in e-mails, and do not open attachments included in unsolicited e-mails.
- Require strong password requirements for local administrators to inhibit lateral movement across workstations and do not log into workstations via domain administrator credentials.
- Require a password to disable anti-virus wherever possible.
How Can I Tell If There Has Been A Compromise ?
Dridex IOCs:
- explorer.exe has port 443 listening and there is a firewall rule allowing network traffic for that process.
- “whoami /all” and “net.exe” are run in combination from the same parent process.
- Directories matching the expression %SYSTEM%\[0-9] {4}, and containing a legitimate executable next to a .dll or .cpl file. This would be a newly created folder beneath System whose name is four digits long and contains a random legitimate .exe file copied from System32 and a Trojan .dll or .cpl file saved there with it.
- Scheduled tasks executing a file in the path %SYSTEM%\[0-9] {4} every 60 minutes.
- A file named z5122.exe observed in C:\Windows\Temp.
- Dridex is often mislabeled as Emotet, and vice versa, because these two pieces of malware may employ a common packer. If the anti-virus product alert was triggered by a packer signature, the alert may misidentify the actual malware sample. Unpacking and examining the sample is necessary to confirm the initial identification by the anti-virus product.
Powershell Empire IOCs:
- Event ID 4688 in security event logs for PowerShell.exe process start.
- Sysmon: Event ID 3 – TCP/UDP traffic that has “PowerShell.exe” in the image attribute.
- Windows Event Logs may show PowerShell launcher string: “PowerShell -noP –sta –w 1 -enc”
- Use of PowerShell scripts (Base64 encoded).
- In some incidents a service called “Updater” (event ID 7045) is installed and running.
- May be running as a scheduled task and likely connecting to C2 for instructions.
- Windows event logs may still contain the Base64 encoded script activity.
- Memory analysis can reveal the entire Empire agent plaintext in memory. No obfuscation is done at this point.
- Empire agents utilize a default user agent string of Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- Empire C2 beacons are designed to blend in with normal network activity by using common ports (TCP 80; 443) and the following three benign-looking URIs: /login/process.php, /admin/get.php, and /news.php.
- PowerShell stager written to HKLM:SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\RUN registry key
Bitpaymer IOCs:
- Psexec (Type 3 logon) or RDP (Type 10 logon). Scripts used by the attackers to launch the ransomware payload use psexec and contain the domain account credentials and network hostnames of the target machines within the script or in associated files.
- Current versions will include the target company’s name as the extension for encrypted files while older infections (pre-December 2018) used “.locked” as the file extension.
- BitPaymer has been known to replicate itself in the following folders:
- C:\Users\%username%\AppData\Local\<random name>\<random name>.exe
- C:\Users\%username%\AppData\Local\Temp
- A unique file, like Q5397.temp, is generated with the text: "Delete shadows all" and "exit"
- BitPaymer spawns two copies of itself in the AppData folder
- Uses Alternate Data Streams (ADS) to hide
- Filenames are unique per victim. Example of an ADS file name, D1NKh:exe. Recent variations use :bin instead of :exe to name ADS
- runs Net.exe to map and unmap network drives
