Attackers lean on malware like Zloader and BazarLoader to distribute ransomware in recent months

Commodity Trojans, open source reconnaissance tools, and built-in Windows utilities were used to carry out the ransomware attacks that the Cisco Talos Incident Response (CTIR) team handled over the last three months.

Data collected between November 2020 and January 2021 shows that phishing emails carrying malicious documents were the vehicle for delivering these Trojans, which in turn download ransomware onto the victim’s systems.

The difference between these attacks and earlier ones built on Emotet and Trickbot is that many of the Trojans seen recently were commodity tools such as IcedID, Zloader, and BazarLoader. In fact, almost 70% of the ransomware attacks the CTIR team responded to over the last quarter involved these or similar commodity Trojans.

Why is this trend so troublesome? Brad Garnett, general manager of the CTIR team, notes that commodity Trojans are easy to obtain, and that they come with multiple lateral-movement capabilities, which makes the ransomware attacks that follow more effective.

Data from CTIR’s incident response engagements confirms that ransomware continues to dominate the threat landscape. This has held true for seven quarters straight, and this quarter included ransomware families such as WastedLocker, Vatet, Ryuk, and variants of Egregor.

The Chosen Tools

The attackers behind these ransomware incidents continue to take advantage of open source and administrative tools to carry out attacks. The same tools let ransomware operators move laterally within compromised networks and hide malicious activity among legitimate administrative traffic.

PowerShell was used in 65% of the incidents the CTIR team responded to, and PsExec in 30%. Other tools commonly used by attackers include CCleaner, Cobalt Strike, TightVNC, and WinRAR.

Misusing Open Source Tools & Utilities

Several recent incidents included open source tools such as ADFind, an Active Directory (AD) search utility; ADRecon, an AD information-gathering tool; and BloodHound, which maps AD environments and finds potential attack paths.

How exactly are ransomware operators abusing these tools? In one incident, the CTIR team found that attackers took advantage of Group Policy replication in Windows AD to install Ryuk ransomware across the domain.

The ransomware operators also leveraged PsExec to execute commands remotely. Eventually, domain administrator (DA) credentials were obtained, and the attackers used them to encrypt over 1,000 endpoints and wipe backup indexes.
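As an added example (not code from the Talos report or from Cisco), the following PowerShell script runs the tool-abuse patterns described in the two sections above over Windows event data: PsExec service installs (System log event 7045, which registers the PSEXESVC service), PsExec and encoded or hidden PowerShell launches, AD reconnaissance with ADFind, ADRecon or BloodHound's collector, and shadow-copy or backup deletion. The vssadmin/wbadmin/wmic commands in the last rule are an assumption about how "wiping backup indexes" typically shows up in telemetry; the report does not name them. The event records are constructed for the demo; the commented Get-WinEvent call at the bottom shows how to feed real 4688 events in.

```powershell
# Added example: tool-abuse triage over Windows event data (not from the Talos report).
# Event IDs: 4688 = process creation (Security log, needs command-line auditing enabled),
#            7045 = new service installed (System log; PsExec registers PSEXESVC).
$Rules = @(
    @{ Name = 'PsExec service installed';      Id = 7045; Field = 'ServiceName'
       Pattern = '^PSEXESVC$' },
    @{ Name = 'PsExec launched';               Id = 4688; Field = 'CommandLine'
       Pattern = '\bpsexec(64)?(\.exe)?\b' },
    @{ Name = 'Encoded or hidden PowerShell';  Id = 4688; Field = 'CommandLine'
       Pattern = 'powershell(\.exe)?.*(-e(c|nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden)' },
    @{ Name = 'AD recon (ADFind/ADRecon/BloodHound)'; Id = 4688; Field = 'CommandLine'
       Pattern = '\badfind\b|\badrecon\b|\bsharphound\b|\bbloodhound\b' },
    # Assumed, not named in the report: the usual commands behind "wiping backup indexes".
    @{ Name = 'Shadow copy / backup deletion'; Id = 4688; Field = 'CommandLine'
       Pattern = 'vssadmin.*delete\s+shadows|wbadmin.*delete|wmic.*shadowcopy\s+delete' }
)

function Find-ToolAbuse {
    # Emits one finding per (event, rule) pair whose watched field matches the rule's regex.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.Id -ne $r.Id) { continue }
            $value = $e.($r.Field)            # dynamic property lookup by field name
            if ($value -and ($value -imatch $r.Pattern)) {
                [pscustomobject]@{ Time = $e.Time; Host = $e.Host; Rule = $r.Name; Evidence = $value }
            }
        }
    }
}

# Constructed sample events mirroring the Ryuk intrusion described above (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Time = '2021-01-12 02:14'; Host = 'WS17'; Id = 4688
                       CommandLine = 'adfind.exe -f objectcategory=person -csv > users.csv' }
    [pscustomobject]@{ Time = '2021-01-12 02:20'; Host = 'FS02'; Id = 7045
                       ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Time = '2021-01-12 02:21'; Host = 'FS02'; Id = 4688
                       CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Time = '2021-01-12 02:25'; Host = 'FS02'; Id = 4688
                       CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = '2021-01-12 08:00'; Host = 'WS03'; Id = 4688
                       CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n' }  # benign
)

# Four of the five constructed events should be flagged; the Word launch is not.
Find-ToolAbuse -Events $SampleEvents | Format-Table -AutoSize

# Against a live host (requires 'Audit Process Creation' plus
# 'Include command line in process creation events' to be enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; Id = $_.Id
#                                        CommandLine = $_.Properties[8].Value } }  # index 8 = Process Command Line
# Find-ToolAbuse -Events $live
```

The regexes are deliberately loose (PsExec can be renamed, and PowerShell accepts abbreviated switches), so treat hits as triage leads to correlate with the DA account activity and Group Policy changes the report describes, not as verdicts. PsExec's 7045 entry is the higher-fidelity signal of the set because the service name is hard-coded in the tool.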

Solutions for Enterprises

The CTIR team notes that ransomware incidents continue to pose the greatest threat to enterprises. Email security and phishing training remain essential, since phishing is still the primary initial-infection vector.

Enterprises are encouraged to use multifactor authentication, disable legacy protocols, and restrict powerful Windows administrative tools such as PowerShell and PsExec to the trusted accounts that need them.
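As an added example (not from the report or from Cisco), here is an audit-and-enforce script for the host-side items in these recommendations. Each entry pairs the legacy value still found on many installs with the hardened value: SMBv1 and LM/NTLMv1 are the legacy protocols most often abused for lateral movement, WDigest controls whether plaintext credentials sit in LSASS for tools like Cobalt Strike to harvest, and the last two settings give you the PowerShell script-block and process command-line logging that any detection of the tools above depends on. The registry paths and values are standard Windows settings; MFA is an identity-provider control that a host script cannot enforce, and restricting PsExec or PowerShell to specific accounts is an AppLocker/WDAC policy question, so neither is covered here.

```powershell
# Added example: audit (and optionally apply) host hardening for the legacy-protocol
# and admin-tool recommendations above. Run as Administrator. Not from the Talos report.
$Baseline = @(
    @{ Name = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1';                                  Legacy = 1; Hardened = 0 },
    @{ Name = 'Send NTLMv2 only, refuse LM and NTLMv1'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel';                  Legacy = 0; Hardened = 5 },
    @{ Name = 'No WDigest plaintext credentials in LSASS'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential';                    Legacy = 1; Hardened = 0 },
    @{ Name = 'PowerShell script block logging (event 4104)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging';              Legacy = 0; Hardened = 1 },
    @{ Name = 'Command line in process creation events (4688)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Legacy = 0; Hardened = 1 }
)

function Test-HardeningBaseline {
    # Reports each setting's current value against the hardened value.
    # A missing value is reported as non-compliant on purpose: writing the hardened
    # value explicitly makes the host independent of whatever the OS default happens to be.
    param([switch]$Apply)
    foreach ($b in $Baseline) {
        $current = $null
        if (Test-Path $b.Path) {
            $current = (Get-ItemProperty -Path $b.Path -Name $b.Value -ErrorAction SilentlyContinue).($b.Value)
        }
        $compliant = ($null -ne $current) -and ($current -eq $b.Hardened)
        if (-not $compliant -and $Apply) {
            if (-not (Test-Path $b.Path)) { New-Item -Path $b.Path -Force | Out-Null }
            New-ItemProperty -Path $b.Path -Name $b.Value -PropertyType DWord -Value $b.Hardened -Force | Out-Null
            $current   = $b.Hardened
            $compliant = $true
        }
        [pscustomobject]@{
            Setting   = $b.Name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Legacy    = $b.Legacy
            Hardened  = $b.Hardened
            Compliant = $compliant
        }
    }
}

# Audit only; add -Apply to write the hardened values.
Test-HardeningBaseline | Format-Table -AutoSize
```

In a domain, push these through Group Policy rather than per-host registry writes so they survive rebuilds and show up in GPO change auditing; the script is most useful as a quick check on a host you are triaging, where a legacy value is itself a finding.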

Attacks Beyond Ransomware Incidents

While ransomware has been the primary threat, the CTIR team also handled multiple incidents involving the malware-laced updates to SolarWinds’ Orion network management platform.

Over 18,000 organizations worldwide downloaded the malicious update. Only one of the incidents Cisco Talos investigated involved post-compromise activity: in it, the attackers set up a PowerShell script that appeared designed to receive additional code, likely to carry out further malicious activity.

More Incidents Are Anticipated

CTIR anticipates more SolarWinds-related incidents in the current quarter, with Garnett noting that the scope and impact of these incidents are likely bigger than what is currently known. Recent activity by the China-based Hafnium group, which has targeted critical vulnerabilities in Microsoft Exchange Server, is also expected to continue.