TrickBot, the famed Windows crimeware-as-a-service (CaaS) solution used by various threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a shift, with no new activity since the beginning of the year. According to a report by researchers at Intel 471, the halt in malware activities is “partially due to a big shift from Trickbot’s operators, including working with the operators of Emotet.”
Even while the malware’s command-and-control (C2) infrastructure continued to provide more plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month hiatus due to law enforcement attempts to combat the malware.
The attacks, which began in November 2021, comprised an infection sequence that employed TrickBot to download and execute Emotet binaries, even though Emotet was frequently used to dump TrickBot samples before the shutdown.
“It’s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet,” as said by the researchers. “TrickBot, after all, is relatively old malware that hasn’t been updated in a major way.”
Additionally, immediately after Emotet’s comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installations to the infected systems, highlighting the prospect of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it’s not unexpected that the threat actor behind it is actively working to change tactics and improve their protective mechanisms.
As per an independent report issued last week by Advanced Intelligence (AdvIntel), the Conti ransomware gang is thought to have acqui-hired many elite TrickBot engineers to retire the malware in favor of upgraded tools like BazarBackdoor.
