TrickBot and Emotet strains make process injection most prevalent attack technique

A Red Canary study analyzed six million leads to determine threats and found that worms had the most significant impact in 2019.

Researchers at cybersecurity firm Red Canary analyzed approximately 15,000 confirmed threats in 2019 to figure out which threats are the most prevalent, finding that worms—which the report defines as "threats that leverage automated lateral movement to infect as many systems as possible"—had the most significant impact on this year's rankings. In Red Canary's 2020 Threat Detection Report, the company analyzed six million investigative leads from January 2019 to December 2019, homing in on the most prevalent cyberattack techniques faced by organizations worldwide.

Because Red Canary's data is based on updated security operations and analysis, and not solely on incident response, its team has unique optics into tradecraft and trends that span the attack lifecycle. Malware strains like TrickBot and Emotet were widespread, according to threat detection and response specialists at Red Canary.

"An abundance of threats exhibiting worm-like behavior is perhaps the clearest trend from the 2020 Threat Detection Report, and TrickBot is the main driver of this activity. Another trend that stands out is the use of remote administration and network management tools for lateral movement and execution," the report said.

"The use of worms, TrickBot and/or remote admin tools doesn't account for the prevalence of these techniques entirely, but they play a major role. Anecdotally, worms became increasingly common throughout the latter half of the 2010s. This trend was underscored first by a rash of ransomware incidents affecting hospitals in 2016, WannaCry and NotPetya outbreaks in 2017, and more recently by large-scale ransomware attacks on municipal government organizations in 2019. The 2020 Threat Detection Report not only backs this trend up with data, it also offers specific examples of how this new paradigm often plays out," according to the study.


The report ranked the top 10 techniques by the percentage of total threats in which they appeared:

1. Process injection (17% of all threats)
2. Scheduled tasks (13%)
3. Windows admin shares (13%)
4. PowerShell
5. Remote file copy
6. Masquerading
7. Scripting
8. DLL search order hijacking
9. Domain trust discovery
10. Disabling security tools

According to Red Canary detection engineer Jason Killam, process injection is a technique used by cyberattackers to mix malicious activity with operating system processes that are fairly routine.

"Its most useful function may be that arbitrary code, once injected into a legitimate process, can inherit the privileges of that process or, similarly, access parts of the operating system that shouldn't be otherwise available," Killam wrote.

Scheduled tasks are similarly designed to take advantage of normal functions by allowing cybercriminals to take certain actions at prespecified times, enabling execution, persistence, and privilege escalation.

Red Canary director of advanced threat detection and research Michael Haag said that Scheduled Tasks are a functionally necessary component of the Windows operating system, adding that they execute routinely, and malicious tasks readily blend in with benign ones. 

"Scheduled Tasks represent a versatile tool for adversaries. With the requisite privileges, an attacker can schedule tasks remotely. The technique is also useful for execution and persistence in conjunction with a variety of widely used scripting languages, such as PowerShell," Haag said.
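The two paragraphs above describe Scheduled Tasks as a built-in feature that cannot be removed and must instead be controlled. As an added illustration of what that control can look like on a single host (this is not Red Canary's code and not from the report), the PowerShell audit below enumerates every scheduled task with the built-in `Get-ScheduledTask` cmdlet and flags tasks whose action launches a scripting interpreter, carries an encoded command line, or references a user-writable path. The interpreter list and the regular expressions are assumptions chosen for illustration; they are a starting point for triage, not report-derived criteria.

```powershell
# Added audit example (not Red Canary's code): list scheduled tasks whose
# actions look like script-based execution or persistence. Requires the
# built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and an
# elevated session to see tasks registered by other principals.

# Assumed indicators for illustration; tune them to the environment.
$interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                  'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
$userWritablePatterns = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape($env:ProgramData),
    '\\Users\\[^\\]+\\'          # anything under a user profile directory
)

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; skip COM handler and other action types.
            if (-not $action.Execute) { continue }

            $exe         = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            $argString   = [string]$action.Arguments
            $commandLine = ("$($action.Execute) $argString").Trim()
            $reasons     = New-Object System.Collections.Generic.List[string]

            if ($interpreters -contains $exe) {
                $reasons.Add("launches interpreter $exe")
            }
            # -enc / -EncodedCommand / -e are the common PowerShell encoded-command switches.
            if ($argString -match '(?i)-(enc|encodedcommand|e)\b') {
                $reasons.Add('encoded command line')
            }
            if ($argString -match '(?i)downloadstring|invoke-webrequest|iwr\b|bitsadmin|certutil') {
                $reasons.Add('download primitive in arguments')
            }
            foreach ($pattern in $userWritablePatterns) {
                if ($commandLine -match "(?i)$pattern") {
                    $reasons.Add('references a user-writable path')
                    break
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    RunAs    = $task.Principal.UserId
                    Author   = $task.Author
                    Command  = $commandLine
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

The output is a triage list rather than a verdict: a number of legitimate vendor and Microsoft tasks run PowerShell or live under ProgramData, so the useful next step is to baseline the flagged tasks on a known-good build and alert on additions or changes (new author, new run-as principal, new command line) rather than on the absolute list.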

Detection engineer Keya Horiuchi wrote that Windows Admin Shares are enabled by default on most Windows systems and because they are often used to handle remote host management, they give attackers a simple way to silently move laterally within an environment. 

Self-propagating ransomware and cryptocurrency miners, both rapidly emerging threats, rely on Windows Admin Shares, according to Horiuchi.

All of these techniques were part of efforts to spread different kinds of malware that served different criminal purposes. The study explains that TrickBot, Emotet, and Ryuk ransomware were all used together to extract as much information as possible and inflict significant damage.

"TrickBot is frequently part of a trio of infections that starts with the Emotet trojan and ends in a Ryuk ransomware infection. In essence, Emotet infects its hosts and loads TrickBot, which steals credentials from infected machines as it moves laterally around a network. Once TrickBot has run its course, it drops the Ryuk ransomware, which encrypts all of the infected hosts on a network and demands a ransom payment to unlock them," the report found. 

Techniques like process injection were key to TrickBot's functionality because they let it run arbitrary code through a Windows Service Host, while other techniques, such as spearphishing attachments and PowerShell, were leveraged more by Emotet.

Part of why process injection ranked so high was that most of Red Canary's customers came to the firm with concerns after Emotet had already done its damage and TrickBot was infecting a significant number of their devices. For other companies where Red Canary is more involved in security monitoring, the team was able to spot and stop Emotet before it could spread through a network.

The report also broke the threats down by industry. In education, scheduled tasks and Windows admin shares were the most prominent, while finance and retail companies suffered most from techniques like PowerShell and credential dumping.

The retail and energy industries were plagued most by PowerShell, while healthcare, manufacturing and technology were attacked most with process injection.

Keith McCammon, Red Canary co-founder and chief security officer, said that organizations should understand the threat landscape and techniques used by attackers in order to prioritize their investments in both technology and expertise. 

"Start by looking at the top 10 holistically, not as a list of disparate techniques. Pay attention to what the techniques have in common—many leverage core platform features, or are powerful administrative tools. They're things you can't disable, but must control," McCammon said.

"In many cases, you have options ranging from point products all the way to free, readily available operating system features," he said. "Next, implement as much visibility as you can afford. You can't detect, investigate, or respond to threats that you can't see. Gaining visibility puts you in a position to detect the threats that your preventative controls miss. Finally, get value from this visibility by implementing and operationalizing great detection coverage. This should include threat intelligence, detection engineering, triage, and analysis."
