Attackers Behind Trickbot Expanding Malware Distribution Channels

The operators behind the pernicious TrickBot malware have
resurfaced with new tricks that aim to increase its foothold by
expanding its distribution channels, ultimately leading to the
deployment of ransomware such as Conti.

The threat actor, tracked under the monikers ITG23 and Wizard
Spider, has been found to partner with other cybercrime gangs known as
Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to
a growing number of campaigns that the attackers are banking on to
deliver proprietary malware, according to a report by IBM
X-Force.

“These and other cybercrime vendors are infecting corporate
networks with malware by hijacking email threads, using fake
customer response forms and social engineering employees with a
fake call center known as BazarCall,” researchers Ole Villadsen and
Charlotte Hammond said[1].


Since emerging on the threat landscape in 2016, TrickBot has
evolved from a banking trojan to a modular Windows-based crimeware
solution, while also standing out for its resilience[2], demonstrating the
ability to maintain and update its toolset and infrastructure
despite multiple efforts by law enforcement and industry groups to
take it down. Besides TrickBot, the Wizard Spider group has been
credited with the development of BazarLoader and a backdoor called
Anchor[3].

While attacks mounted earlier this year relied on email
campaigns delivering Excel documents and a call center ruse dubbed
“BazaCall”[4] to deliver malware to
corporate users, recent intrusions beginning around June 2021 have
been marked by a partnership with two cybercrime affiliates to
augment its distribution infrastructure by leveraging hijacked
email threads and fraudulent website customer inquiry forms on
organization websites to deploy Cobalt Strike payloads.

“This move not only increased the volume of its delivery
attempts but also diversified delivery methods with the goal of
infecting more potential victims than ever,” the researchers
said.


In one infection chain observed by IBM in late August 2021, the
Hive0107 affiliate is said to have adopted a new tactic that
involves sending email messages to target companies informing that
their websites have been performing distributed denial-of-service
(DDoS) attacks on its servers, urging the recipients to click on a
link for additional evidence. Once clicked, the link instead
downloads a ZIP archive containing a malicious JavaScript (JS)
downloader that, in turn, contacts a remote URL to fetch the
BazarLoader malware to drop Cobalt Strike and TrickBot.
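Added example (not code from the IBM X-Force report or this article): a check a mail or web gateway could apply to the ZIP archive at the start of the chain described above, flagging script-type members such as a JavaScript downloader. The archive contents and the extension list are constructed here for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Script-type extensions Windows hands straight to the Windows Script Host
# or shell; a ZIP whose payload is one of these matches the "ZIP archive
# containing a JavaScript downloader" lure. The list is an assumption.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}


@dataclass
class Finding:
    member: str
    reason: str


def inspect_zip(data: bytes) -> list[Finding]:
    """Return one Finding per archive member that looks like a script dropper."""
    findings: list[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP archive")]
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Only the final extension decides what Windows executes, so
        # "evidence.pdf.js" is a script no matter how it is displayed.
        basename = info.filename.lower().rsplit("/", 1)[-1]
        parts = basename.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            reason = "script payload"
            if len(parts) > 2:
                reason += " with double extension"
            findings.append(Finding(info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the 'DDoS evidence' lure with a JS member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DDoS_evidence.pdf.js", "// constructed placeholder, inert\n")
        zf.writestr("readme.txt", "see attached evidence\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
```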

“ITG23 has also adapted to the ransomware economy through the
creation of the Conti ransomware-as-a-service (RaaS) and the use of
its BazarLoader and Trickbot payloads to gain a foothold for
ransomware attacks,” the researchers concluded. “This latest
development demonstrates the strength of its connections within the
cybercriminal ecosystem and its ability to leverage these
relationships to expand the number of organizations infected with
its malware.”

References

  1. said (securityintelligence.com)
  2. standing out for its resilience (thehackernews.com)
  3. Anchor (thehackernews.com)
  4. BazaCall (thehackernews.com)
