Attackers Behind Trickbot Expand Malware Distribution Channels


The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase their presence by expanding their distribution channels, ultimately leading to the deployment of ransomware like Conti.

The threat actor, tracked under the names ITG23 and Wizard Spider, has been found to be working with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak) and Hive0107, adding to the growing number of campaigns the attackers are relying on to deliver their proprietary malware, according to a report from IBM X-Force.

“These and other cybercrime providers are infecting corporate networks with malware by hijacking email threads, using fake customer response forms, and social engineering employees with a fake call center known as BazarCall,” said researchers Ole Villadsen and Charlotte Hammond.

Since emerging on the threat landscape in 2016, TrickBot has evolved from a banking Trojan into a modular Windows-based crimeware platform, while also standing out for its resilience: it has kept maintaining and updating its tooling and infrastructure despite multiple takedown efforts by law enforcement agencies and industry groups. In addition to TrickBot, the Wizard Spider group is credited with developing the BazarLoader and a backdoor named Anchor.

While the attacks mounted earlier this year relied on email campaigns delivering Excel documents and a call center ruse called “BazaCall” to deliver malware to corporate users, the more recent intrusions, which started around June 2021, featured a partnership with two cybercrime affiliates to expand the distribution infrastructure, leveraging hijacked email threads and fraudulent customer inquiry forms on organization websites to deploy Cobalt Strike payloads.

“This measure not only increased the volume of their delivery attempts, but also diversified delivery methods with the goal of infecting more potential victims than ever before,” the researchers said.

In an infection chain observed by IBM in late August 2021, affiliate Hive0107 is said to have adopted a new tactic: sending emails to target companies claiming that their websites have been conducting distributed denial-of-service (DDoS) attacks against the sender's servers, and prompting recipients to click a link for additional evidence. Once clicked, the link downloads a ZIP file containing a malicious JavaScript (JS) downloader which, in turn, contacts a remote URL to fetch the BazarLoader malware and drop Cobalt Strike and TrickBot.
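The delivery step described above (a ZIP-packaged JavaScript downloader that the victim opens by hand) is one that endpoint telemetry can catch before the downloader ever reaches BazarLoader. The following is an added detection example, not code from the IBM X-Force report or from The Hacker News article: it parses constructed process-creation log lines in an assumed `timestamp|parent|image|command line` format and flags a Windows script host (wscript.exe/cscript.exe) executing a script from a temp or download directory, or one launched from a user-facing process such as the shell, an archive front-end or the mail client. The log format, the sample lines, the directory list and the launcher list are all assumptions for this example and should be tuned to the environment.

```python
"""
Added example: flag ZIP-delivered JavaScript/VBScript downloaders being run
by the Windows script host, as in the Hive0107 "DDoS evidence" lure above.
Log format and sample lines are constructed for this example; field names
are assumptions, not any product's real schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows script hosts that execute .js/.vbs files dropped by a phishing ZIP.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes from which a person, rather than a scheduler or service, launches
# a script: the shell, archive front-ends and the mail client (assumed list).
USER_LAUNCHERS = {"explorer.exe", "7zfm.exe", "winrar.exe", "outlook.exe"}
# Script extensions the script host will run.
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs)\b", re.IGNORECASE)
# Directories where browsers and archive tools stage downloaded/extracted files.
STAGING_DIRS = re.compile(r"\\(Temp|Downloads|INetCache)\\", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    parent: str   # parent image name, lowercased
    image: str    # full path of the created process, lowercased
    cmdline: str  # command line as logged


def parse_event(line: str) -> Event:
    """Parse one 'timestamp|parent|image|command line' record (constructed format)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(ts.strip(), parent.strip().lower(), image.strip().lower(), cmdline.strip())


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(ev: Event) -> Optional[str]:
    """Return a reason string if the event looks like a hand-launched script, else None."""
    if basename(ev.image) not in SCRIPT_HOSTS or not SCRIPT_EXT.search(ev.cmdline):
        return None
    if STAGING_DIRS.search(ev.cmdline):
        return "script host ran a script from a temp/download directory"
    if ev.parent in USER_LAUNCHERS:
        return "script host launched from a user-facing process"
    return None


def detect(log: str) -> List[Tuple[str, str, str]]:
    """Run the rules over every non-empty log line; return (timestamp, image, reason) hits."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.ts, basename(ev.image), reason))
    return hits


# Constructed sample telemetry: two script-host launches that match the lure's
# delivery pattern, plus scheduled, logon-script and Office activity that should not fire.
SAMPLE_LOG = r"""
2021-08-25T09:14:02Z|explorer.exe|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_evidence.zip\DDoS_evidence.js"
2021-08-25T09:20:11Z|taskeng.exe|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\Scripts\inventory.vbs
2021-08-25T09:21:40Z|gpscript.exe|C:\Windows\System32\cscript.exe|cscript.exe \\corp\sysvol\corp\scripts\logon.vbs
2021-08-25T09:30:07Z|outlook.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docx"
2021-08-25T09:42:55Z|7zFM.exe|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Documents\evidence\report.js"
"""

if __name__ == "__main__":
    for ts, image, reason in detect(SAMPLE_LOG):
        print(f"{ts}  {image}: {reason}")
```

The two rules are deliberately narrow: scripts run by a scheduler or group-policy logon (the second and third sample lines) are left alone, and Office opening a file from Downloads is ignored because the image is not a script host. In a real deployment the staging-directory and launcher sets are the tuning points, and a hit on the first rule is the earlier, higher-confidence signal because it fires before the downloader has contacted its remote URL.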

“ITG23 has also adapted to the ransomware economy by creating Conti’s ransomware-as-a-service (RaaS) and using its BazarLoader and Trickbot payloads to gain a foothold in ransomware attacks,” concluded the researchers. “This latest development demonstrates the strength of their connections within the cybercriminal ecosystem and their ability to leverage these relationships to expand the number of organizations infected with their malware.”

Source: The Hacker News
