The creators of the TrickBot malware have emerged with new tricks aimed at widening the malware's distribution channels, eventually culminating in the deployment of ransomware such as Conti. According to a report by IBM X-Force, the threat actor tracked as ITG23 and Wizard Spider has been observed collaborating with other cybercrime groups tracked as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers rely on to deliver their proprietary malware.
TrickBot is a well-known banking Trojan that has been operating since October 2016, and its creators have kept it updated by adding new features. The botnet is still offered under a multi-purpose malware-as-a-service (MaaS) model. Threat actors use the botnet to spread ransomware such as Conti and Ryuk, which steals personal information and encrypts it. More than a million computers have been compromised by the TrickBot botnet so far.
"These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said.
Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec joined forces in October in a concerted effort to shut down the TrickBot botnet's command and control infrastructure. Although Microsoft and its allies took the TrickBot infrastructure down, its operators sought to restart operations by bringing new command and control (C&C) servers online.
In a malware campaign aimed at corporate users earlier this year, the cybercrime group used email campaigns to send Excel documents and a call center ruse known as "BazaCall." The gang formed a collaboration with two notable cybercrime affiliates in June 2021, which included the use of hijacked email threads and bogus website consumer inquiry forms.
"This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," the researchers said.
The Hive0107 affiliate is said to have adopted a new tactic in one infection chain observed by IBM in late August 2021. It sends email messages to target companies claiming that their websites have been performing distributed denial-of-service (DDoS) attacks against the sender's servers, and urges the recipients to click on a link for more evidence. Clicking the link downloads a ZIP archive containing a malicious JavaScript (JS) downloader; when run, the JS contacts a remote URL to fetch the BazarLoader malware, which in turn drops Cobalt Strike and TrickBot.
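The chain above (link, ZIP, JavaScript downloader, outbound connection) leaves a recognisable pattern in endpoint telemetry: a Windows script host started with a `.js` file from a temp or download location, followed by that same process making a network connection. The following is an added example written for this article, not code from IBM X-Force or the article's authors; the event field names (`kind`, `pid`, `image`, `cmdline`, `dest`) and the sample events are constructed to stand in for whatever EDR or Sysmon export a team actually has.

```python
"""Flag a script host that runs a .js from an archive/download path and then
reaches out to the network, the delivery pattern described in the article.
All events below are constructed sample telemetry, not real logs."""
import re
from dataclasses import dataclass

# Windows script hosts that execute .js files when a user double-clicks them.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Paths where a ZIP opened from a browser typically gets extracted. Adjust to
# the directories your environment actually uses (assumption).
ARCHIVE_DIRS = re.compile(r"\\(Temp|Downloads)\\", re.I)


@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (outbound connect)
    pid: int
    ppid: int = 0
    image: str = ""    # full path of the executable (process events)
    cmdline: str = ""  # command line (process events)
    dest: str = ""     # remote endpoint (network events)


def is_script_from_archive(ev: Event) -> bool:
    """True for a process event where a script host runs a .js file
    located under a temp/download directory."""
    if ev.kind != "process":
        return False
    if not ev.image.lower().endswith(SCRIPT_HOSTS):
        return False
    match = re.search(r'"?([^"\s]+\.js)"?', ev.cmdline, re.I)
    return bool(match and ARCHIVE_DIRS.search(match.group(1)))


def detect_js_downloader_chain(events):
    """Return one alert per script-host pid that both started from an
    archive path and later made an outbound connection."""
    suspects = {}  # pid -> process event that matched the first stage
    alerts = []
    for ev in events:
        if is_script_from_archive(ev):
            suspects[ev.pid] = ev
        elif ev.kind == "network" and ev.pid in suspects:
            alerts.append({
                "pid": ev.pid,
                "script": suspects[ev.pid].cmdline,
                "dest": ev.dest,
            })
    return alerts


# Constructed sample telemetry. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    # Benign: an admin inventory script run from a managed scripts folder.
    Event("process", 1100, 900, r"C:\Windows\System32\cscript.exe",
          r'cscript.exe C:\Scripts\inventory.js'),
    Event("network", 1100, dest="10.0.0.5:445"),
    # Suspicious: a .js double-clicked straight out of an "evidence" ZIP
    # that Explorer extracted to the user's temp directory.
    Event("process", 4242, 2000, r"C:\Windows\System32\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" '
          r'"C:\Users\alice\AppData\Local\Temp\Temp1_evidence.zip\evidence.js"'),
    Event("network", 4242, dest="203.0.113.10:443"),
    # Script host from temp with no network activity: first stage only.
    Event("process", 5150, 2000, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe C:\Users\bob\Downloads\notes.js'),
]

if __name__ == "__main__":
    for alert in detect_js_downloader_chain(SAMPLE_EVENTS):
        print(alert)
```

The two-stage correlation (archive-path script host, then a connection from the same pid) is what keeps the rule useful: script hosts running `.js` from a temp folder are noisy on their own, and outbound connections are meaningless without the process context. A real deployment would add the parent process (browser or Explorer) and the archive's origin URL to the alert, both of which the article's chain implies but the constructed events omit.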