TrickBot Gang Shifted its Focus on “Systematically” Targeting Ukraine

In what’s being described as an “unprecedented” twist, the
operators of the TrickBot malware have resorted to systematically
targeting Ukraine since the onset of the war in late February
2022.

The group is believed to have orchestrated at least six phishing
campaigns aimed at targets that align with Russian state interests,
with the emails acting as lures for delivering malicious software
such as IcedID, CobaltStrike, AnchorMail, and Meterpreter^[1].

Tracked under the names ITG23, Gold Blackburn^[2], and Wizard Spider, the
financially motivated cybercrime
gang^[3] is known for its
development of the TrickBot banking trojan and was subsumed^[4]
into the now-discontinued Conti ransomware cartel^[5]
earlier this year.

But merely weeks later, the actors associated with the group
resurfaced with a revamped version of the AnchorDNS^[6]
backdoor called AnchorMail^[7]
that uses SMTPS and IMAP protocols for command-and-control
communications.

“ITG23’s campaigns against Ukraine are notable due to the extent
to which this activity differs from historical precedent and the
fact that these campaigns appeared specifically aimed at Ukraine
with some payloads that suggest a higher degree of target
selection,” IBM Security X-Force analyst Ole Villadsen said^[8]
in a technical report.

A noticeable shift in the campaigns involves the use of
never-before-seen Microsoft Excel downloaders and the deployment of
CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads.
The attacks are said to have commenced in mid-April 2022.

Interestingly, the threat actor leveraged the specter of nuclear
war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated^[9] by the Russian
nation-state group tracked as APT28 two months later to spread
data-stealing malware in Ukraine.

What’s more, the Cobalt Strike sample deployed as part of a May
2022 campaign utilized a new crypter dubbed Forest to evade
detection, the latter of which has also been used in conjunction
with the Bumblebee malware^[10], lending credence to
theories that the loader is being operated by the TrickBot
gang.

“Ideological divisions^[11] and allegiances^[12] have increasingly
become apparent within the Russian-speaking cybercriminal ecosystem
this year,” Villadsen noted. “These campaigns provide evidence that
Ukraine is in the crosshairs of prominent Russian cybercriminal
groups.”

The development comes as Ukrainian media outlets have been
targeted^[13] with phishing messages^[14] containing
malware-laced documents that exploit the Follina vulnerability to
drop the DarkCrystal RAT^[15] on compromised
systems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has
also warned^[16] of intrusions conducted
by a group called UAC-0056 that involves striking state
organizations with staffing-themed lures to drop Cobalt Strike
Beacons on the hosts.

The agency, last month, further pointed
out^[17] the use of Royal Road RTF weaponizer^[18] by a China-based actor
codenamed the Tonto Team^[19] (aka Karma Panda) to
target scientific and technical enterprises and state bodies
located in Russia with the Bisonal malware^[20].

Attributing these attacks with medium confidence to the advanced
persistent threat (APT) group, SentinelOne said^[21] the findings^[22] demonstrate^[23] “a continued effort” on
the part of the Chinese intelligence apparatus to target a wide
range of Russian-linked organizations.