Trickbot Malware Group Expanding Distribution Channels
- By Dawna M. Roberts
- Published: Oct 27, 2021
- Last Updated: Mar 18, 2022
IBM’s X-Force reports that threat actors using Trickbot have expanded their distribution channels to allow them more coverage and the use of Conti ransomware along with their usual Trickbot and BazarLoader malware.
Who is Using Trickbot?
A hacker group known as ITG23 and Wizard Spider works closely with a few other ransomware groups such as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107.
IBM’s X-Force researchers Ole Villadsen and Charlotte Hammond stated that “These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall.”
First reported by Security Intelligence online, IBM X-Force has witnessed an uptick in activity from this group, especially in regards to the expanded distribution channels and use of Conti ransomware.
According to the Hacker News, “TrickBot has evolved from a banking trojan to a modular Windows-based crimeware solution, while also standing out for its resilience, demonstrating the ability to maintain and update its toolset and infrastructure despite multiple efforts by law enforcement and industry groups to take it down. Besides TrickBot, the Wizard Spider group has been credited with the development of BazarLoader, and a backdoor called Anchor.”
Attacks earlier this year relied on an email campaign, and the use of a fake Excel spreadsheet targeted corporations. The ruse nicknamed BazarCall sent emails pretending to be from a call center support representative. However, since this summer, threat researchers have noticed a partnership between cybercrime affiliates “leveraging hijacked email threads and fraudulent website customer inquiry forms on organization websites to deploy Cobalt Strike payloads.”
“This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever,” the researchers said.
What Did IBM Witness?
In August, IBM noted a particular attack in which bad actors sent corporate users emails claiming their websites had been used in distributed denial-of-service (DDoS) attacks and then urged recipients to click a link to see further information. If the user clicked the link, the malicious website downloaded a ZIP file with a malicious JavaScript (JS) file, which then contacted a control server and downloaded BazarLoader malware to drop Cobalt Strike and TrickBot to the infected computer.
The Hacker News explains, “ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks,” the researchers concluded. “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.”
How to Stay Safe from Trickbot
Experts say that the move to additional channels and expansion is an effort to infect as many victims as possible as quickly as they can. Trickbot and BazarLoader are very serious malware strains capable of extensive damage when used in extortion attacks. Trickbot has evolved since its early days as a banking trojan. The software is now a modular family of products that can easily steal credentials and install additional backdoors like Ryuk and Conti.
Trickbot is not a threat to be ignored. Some tips for end-users and corporate professionals include:
- Always use super strong passwords and don’t reuse them anywhere else.
- Turn on two-factor or multi-factor authentication on all your accounts.
- Use robust antivirus on all devices.
- Never share credentials with anyone.
- Always verify the sender of any email or SMS text message before taking any action.
