
Lessons from the Lab: An Expert Guide to Trickbot, DarkSide & Other Malware of 2021

©BeyondTrust 2021 | 1
Presented By:

James Maude, Lead Cyber Security Researcher
Paul Davies, Sr. Solutions Architect

Agenda
• Where are we now in the evolution of malware/ransomware?
• How do attacks succeed?
• How does understanding the techniques help us prevent attacks?
• What part Endpoint Privilege Management (EPM) solutions play
• How do we make prevention achievable?

APT = Average Preventable Threat?

News Stories

The Evolution of Ransomware

Timeline: Archievus (2005), Reveton (2012), Cryptolocker (2013), Wannacry (2017), REvil (2019), Darkside (2021)

Basic Ransomware – Automated, Single Endpoint
Business Ransomware – Automated, Single Endpoint
Enterprise Ransomware – Automated, Multiple Endpoints
Tailored Ransomware – Manually Orchestrated

Progression across the eras:
• Threats: Single Threat, Single Threat, Multiple Threats
• Behaviour: Static, Dynamic, Highly Dynamic
• Privileges: Limited Privileges, Exploited Privileges, Extensive Privileges

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

“Although 82% of respondents know about ATT&CK, only 8% are using ATT&CK regularly.”
- The State of MITRE ATT&CK® Threat-Informed Defence 2021

Trickbot / Ryuk – Attack Chain

Initial Access – Trickbot via phishing email
  T1566 – Phishing
Execution & Local Elevation – Cobalt Strike or PowerShell Empire
  T1548.002 – UAC Bypass
  T1134 – Access Token Manipulation
Credential Access – Using LaZagne, Mimikatz or other tools
  T1003/T1003.001 – Credential Dumping
Privilege Escalation – Control over Valid Admin Accounts
  T1055 – Process Injection
  T1053 – Scheduled Task/Job
Persistence – New Domain Admin (DA) Accounts
  T1078 – Valid Accounts: Domain Accounts
Discovery – Recon and enumeration using Bloodhound
  T1087 – Account Discovery
  T1033 – System Owner/User Discovery
Lateral Movement – PsExec or other tools
  T1035 – Service Execution
Defense Evasion – Tampering with A/V & security services
  T1562 – Impair Defenses
Impact – Invoke Ryuk ransomware payload
  T1086 – Data Encrypted for Impact

Prevention is Better Than the Cure

Mitigations against attack techniques:
• M1026 - Privileged Account Management
• M1018 - User Account Management
• M1052 - User Account Control
• M1038 - Execution Prevention

“Start by taking care of the basics: build a solid cybersecurity foundation by implementing the [CIS Controls], especially application white-listing (sic), standard secure configuration, reduction of administrative privileges and a quick patching process.”
- Zurich Insurance Group, Risk Nexus: Overcome by cyber risks? Economic benefits and costs of alternative cyber futures, Switzerland

Level Up Defenses

Trusted Application Protection
▪ Proactive protection of the most vulnerable and most actively exploited attack vector - end users
▪ Protection against file-less malware
▪ Out-of-the-box protection against the majority of malware and ransomware attacks via high risk applications
▪ Zero dependency on detection = protection against unknown and 0day threats

TAP is included in out-of-the-box policy templates.

Diagram: High risk applications (Browsers – Website, Office – Document, Outlook – Attachment, Adobe – PDF) pass through Trusted Application Protection before they can launch Untrusted (Payloads), Script Hosts (Fileless), Utilities (LOLBins) or Trusted applications.

Malware Labs Demos:
• Trickbot
• Darkside
• Emotet

Summary

Trickbot
• LOLBins and/or malicious unsigned application
• Uses admin privileges
• UAC bypass via Fodhelper or Wsreset
• Uses admin privileges to: disable services and tools via PowerShell

Darkside
• Malicious unsigned application
• Checks for admin privileges (“IsUserAnAdmin”)
• UAC bypass via ICMLuaUtil
• Uses admin privileges to: delete local backups; disable services and tools

Emotet
• LOLBins followed by malicious unsigned application
• Elevation via Advapi32
• Uses admin privileges to: manipulate access tokens; process injection

Common themes
• Common theme of seeking and using privileges against the system
• Execution of unsigned applications introduced to disk
• Abuse of native applications (PowerShell)
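As an added example (not code from this deck or from BeyondTrust), the lineage rules behind the Trusted Application Protection slide and the Trickbot summary above can be written as a small detector over process-creation telemetry: high-risk user applications should not spawn script hosts, LOLBins or unsigned binaries, and auto-elevating UAC binaries such as fodhelper/wsreset should not spawn anything. The `Key="value"` log format, the process-name sets and the `Signed` field are constructed assumptions, not a real product's output.

```python
import re

# Assumed process names for the slide's high-risk applications (browsers, Office, Outlook, Adobe Reader).
HIGH_RISK_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe",
                  "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Script hosts and LOLBins from the Top 10 execution list (T1059.*, T1218.*, T1047).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}
# Auto-elevating binaries the summary names as Trickbot's UAC bypass vectors (T1548.002).
UAC_AUTOELEVATE = {"fodhelper.exe", "wsreset.exe"}

# Constructed log format: Key="value" pairs on one line (not real Sysmon output).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Parse one constructed process-creation line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def image_name(path):
    """Lower-cased file name of a Windows path such as C:\\Windows\\explorer.exe."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return a finding label for one event, or None when the lineage looks normal."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent in UAC_AUTOELEVATE:
        return "T1548.002: auto-elevating binary spawned a child process"
    if parent == "wmiprvse.exe" and child in SCRIPT_HOSTS:
        return "T1047: WMI provider host launched a script host"
    if parent in HIGH_RISK_APPS and child in SCRIPT_HOSTS:
        return "TAP: high-risk application launched a script host or LOLBin"
    if parent in HIGH_RISK_APPS and event.get("Signed", "true").lower() == "false":
        return "T1204.002: unsigned binary launched from a high-risk application"
    return None

# Constructed sample telemetry: one benign logon chain followed by four suspicious lineages.
SAMPLE_LOG = [
    'Image="C:\\Windows\\explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe" Signed="true"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" Signed="true"',
    'Image="C:\\Users\\Public\\update.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" Signed="false"',
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\System32\\fodhelper.exe" Signed="true"',
    'Image="C:\\Windows\\System32\\mshta.exe" ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" Signed="true"',
]

def scan(lines):
    """Return (line index, finding) pairs for every suspicious lineage in the log."""
    labelled = ((i, classify(parse_event(line))) for i, line in enumerate(lines))
    return [(i, label) for i, label in labelled if label]
```

Running `scan(SAMPLE_LOG)` flags lines 1 to 4 and leaves the explorer.exe logon chain alone; in a real deployment the same parent/child checks are what a TAP-style policy enforces proactively rather than merely alerting on.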

Malware Labs Testing
• BeyondTrust Labs looked at malware samples from Q1 2020 to Q1 2021
• Focus on samples where the full attack chain could be seen
• Distilled the results down to 150 malware attack chains
• Representing thousands of malware variants.
• Emotet clearly dominated, followed closely by Trickbot

Chart – sample breakdown by family: Emotet 34%, Trickbot 19%, Loki 14%, AgentTesla 12%, NJRat 9%, Formbook 4%, Nanocore 3%, Maze 2%, Cryptowall 1%, MiniDuke 1%, Loader 1%

Most Common Initial Techniques
Common initial MITRE techniques:
• T1047 – WMI Launch process (35%)

• T1204.002 – User launched exe (22%)

• T1059.001 – PowerShell (17%)

• T1059.003 – CMD (15%)

Top 10 Execution & Persistence
T1204.002 User Execution (Unsigned Binary launched indirectly) 24.19%
T1059.001 PowerShell 20.52%
T1047 WMI to create process 12.10%
T1059.003 CMD 11.66%
T1053.005 Scheduled Task 6.26%
T1218.011 Rundll32 5.83%
T1059.005 Wscript 4.10%
T1547.001 Registry Run Keys 1.51%
T1218.005 Mshta 1.51%
T1027.004 Compile After Delivery 1.30%

https://lolbas-project.github.io/
Testing Results
• All the 150 attack chains were tested using PMfW 21.3
• Standard user
• Quick Start Policy with Trusted Application Protection enabled
• All 150 attack chains were broken proactively
• By blocking known attack techniques, we can reduce the attack surface

Chart – the same sample breakdown by family as on the previous slide: Emotet 34%, Trickbot 19%, Loki 14%, AgentTesla 12%, NJRat 9%, Formbook 4%, Nanocore 3%, Maze 2%, Cryptowall 1%, MiniDuke 1%, Loader 1%

EPM Power Up – Get Me There Fast!
That all sounds amazing, but ….

• How long does it take to implement EPM from scratch?
• How much configuration of the TAP policies is required?
• How long before I could be protected by the TAP rules shown?
• What if I already have EPM and my own custom policy deployed?

Graphic – Difficulty Select: Easy (Go Here!), Medium, Hard, Very Hard

Early Access!
BeyondTrust Labs: Ransomware Threat Report 2021

In-depth analysis of the malware trends of 2020-2021.

Check your inbox soon for a direct link to the report.
