Lessons From The Lab: An Expert Guide To Trickbot, Darkside & Other Malware of 2021
An Expert Guide to Trickbot, DarkSide & Other Malware of 2021
©BeyondTrust 2021 | 1
Presented By:
Agenda
• Where are we now in the evolution of malware/ransomware?
• How do attacks succeed?
• How does understanding the techniques help us prevent attacks?
• What part Endpoint Privilege Management (EPM) solutions play
• How do we make prevention achievable?
News Stories
The Evolution of Ransomware
Archievus → Reveton → Cryptolocker → WannaCry → REvil → DarkSide
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Trickbot / Ryuk – Attack Chain
T1566 – Phishing (Initial Access): Trickbot delivered via phishing email
T1548.002 – UAC Bypass (Execution & Local Elevation): Cobalt Strike or PowerShell Empire
T1055 – Process Injection (Privilege Escalation): control over valid admin accounts
T1562 – Impair Defenses (Defense Evasion): tampering with A/V & security services
T1486 – Data Encrypted for Impact (Impact): invoke Ryuk ransomware payload
Prevention is Better Than the Cure
Mitigations against attack techniques:
M1026 - Privileged Account Management
M1018 - User Account Management
M1052 - User Account Control
M1038 - Execution Prevention

“Start by taking care of the basics: build a solid cybersecurity foundation by implementing the [CIS Controls], especially application white-listing (sic), standard secure configuration, reduction of administrative privileges and a quick patching process.”
Level Up Defenses
Level Up Defenses
Trusted Application Protection
▪ Proactive protection of the most vulnerable and most actively exploited attack vector - end users
▪ Protection against file-less malware
High risk applications: Browsers (Website), Office (Document), Outlook (Attachment), Adobe (PDF)
Malware Labs Demos:
• Trickbot
• Darkside
• Emotet
Summary
Trickbot
  LOLBins and/or malicious unsigned application
  Uses admin privileges
  UAC bypass via Fodhelper or Wsreset
  Uses admin privileges to: disable services and tools via PowerShell
Darkside
  Malicious unsigned application
  Checks for admin privileges (“IsUserAnAdmin”)
  UAC bypass via ICMLuaUtil
  Uses admin privileges to: delete local backups; disable services and tools
Emotet
  LOLBins followed by malicious unsigned application
  Elevation via Advapi32
  Uses admin privileges to: manipulate access tokens; process injection
Common themes
• Common theme of seeking and using privileges against the system
• Execution of unsigned applications introduced to disk
• Abuse of native applications (PowerShell)
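The three families above share one pattern that Trusted Application Protection is built to break: a high-risk, user-facing application (browser, Office, Outlook, PDF reader) spawns either a native LOLBin or an unsigned binary dropped to disk. The following is an added illustration, not BeyondTrust's policy engine or rule format; the parent image names, the `ProcessEvent` fields and the sample events are constructed assumptions, and the LOLBin set is taken from the Top 10 execution techniques listed later in the deck.

```python
from dataclasses import dataclass

# High-risk, user-facing parents named on the Trusted Application Protection
# slide (browser, Office, Outlook, Adobe). Image names are assumptions.
HIGH_RISK_PARENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "winword.exe", "excel.exe",
    "powerpnt.exe", "outlook.exe", "acrord32.exe",
}
# Native binaries from the Top 10 execution list that the sampled chains abuse.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe",
           "mshta.exe", "wmic.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    parent: str          # image name of the creating process
    child: str           # image name of the created process
    signed: bool         # child image carries a trusted Authenticode signature
    user_writable: bool  # child image lives in a user-writable path (dropped)

def evaluate(ev: ProcessEvent) -> str:
    """Return 'allow:<reason>' or 'block:<reason>' for one process-creation event."""
    parent, child = ev.parent.lower(), ev.child.lower()
    if parent not in HIGH_RISK_PARENTS:
        return "allow:parent-not-high-risk"
    if child in LOLBINS:
        # Office/browser/PDF reader spawning PowerShell, mshta, etc. is the
        # file-less pattern the slide calls out; block regardless of signature.
        return "block:lolbin-spawned-by-high-risk-app"
    if not ev.signed or ev.user_writable:
        # Matches the "unsigned application introduced to disk" theme above.
        return "block:untrusted-child-of-high-risk-app"
    return "allow:signed-child"

def triage(events):
    """Evaluate a batch; return (decisions, blocked_count) for quick review."""
    decisions = [(ev.parent, ev.child, evaluate(ev)) for ev in events]
    return decisions, sum(1 for _, _, d in decisions if d.startswith("block"))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("outlook.exe", "winword.exe", signed=True, user_writable=False),
    ProcessEvent("WINWORD.EXE", "powershell.exe", signed=True, user_writable=False),
    ProcessEvent("chrome.exe", "setup_update.exe", signed=False, user_writable=True),
    ProcessEvent("acrord32.exe", "acrobat.exe", signed=True, user_writable=False),
    ProcessEvent("explorer.exe", "powershell.exe", signed=True, user_writable=False),
]

if __name__ == "__main__":
    for parent, child, decision in triage(SAMPLE_EVENTS)[0]:
        print(f"{parent} -> {child}: {decision}")
```

The last sample event shows the deliberate scope limit: PowerShell launched from Explorer is not blocked by this rule, which is why the deck pairs Trusted Application Protection with standard-user accounts and allow-listing rather than relying on it alone.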
Malware Labs Testing
• BeyondTrust Labs looked at malware samples from Q1 2020 to Q1 2021
• Focus on samples where full attack
[Chart: share of analysed samples by malware family – Formbook 4%, Nanocore 3%, Maze 2%, Cryptowall 1%, MiniDuke 1%, Loader 1%]
Most Common Initial Techniques
Common initial MITRE techniques:
• T1047 – WMI Launch process (35%)
Top 10 Execution & Persistence
T1204.002 User Execution (Unsigned Binary launched indirectly) 24.19%
T1059.001 PowerShell 20.52%
T1047 WMI to create process 12.10%
T1059.003 CMD 11.66%
T1053.005 Scheduled Task 6.26%
T1218.011 Rundll32 5.83%
T1059.005 Wscript 4.10%
T1547.001 Registry Run Keys 1.51%
T1218.005 Mshta 1.51%
T1027.004 Compile After Delivery 1.30%
https://lolbas-project.github.io/
Testing Results
• All the 150 attack chains were tested using PMfW 21.3
• Standard user
• Quick Start Policy with Trusted Application Protection enabled
[Chart: share of tested samples by malware family – Emotet 34%, NJRat 9%, Formbook 4%, Nanocore 3%, Maze 2%, Cryptowall 1%, MiniDuke 1%, Loader 1%]
EPM Power Up – Get Me There Fast!
That all sounds amazing, but ….
Early Access!
BeyondTrust Labs:
Ransomware Threat Report 2021