This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection.
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
Click here for a PDF version of this report.
- CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.
What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.
In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created
anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.
anchor_dns is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic.
anchor_dns uses a single-byte
XOR cipher to encrypt its communications, which have been observed using key
0xB9. Once decrypted, the string
anchor_dns can be found in the DNS request traffic.
TrickBot Indicators of Compromise
After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g.
mfjdieks.exe) and places this file in one of the following directories.
Once the executable is running and successful in establishing communication with C2s, the executable places appropriate modules downloaded from C2s for the infected processor architecture type (32 or 64 bit instruction set), to the infected host’s
%PROGRAMDATA% directory, such as
%AppData\Roaming\winapp. Some commonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to the module filename, e.g.,
injectDllwith a directory (ex.
injectDLL64_configs) containing configuration files:
mailsearcherwith a directory (ex.
mailsearcher64_configs) containing configuration file:
networkDllwith a directory (ex. networkDll64_configs) containing configuration file:
FAQ with the assigned bot ID of the compromised system is created in the malware directory. Filename
Readme.md containing the TrickBot campaign IDs is created in the malware directory.
The malware may also drop a file named
anchorDiag.txt in one of the directories listed above.