Trickbot spreads malware through new distribution channels

TrickBot operators are back and expand the distribution channels with partnership with cybercrime affiliates.

The operators behind the infamous TrickBot (ITG23 and Wizard Spider) malware have resurfaced with new distribution channels to deliver malicious payloads, such as Conti ransomware.

The gang support other cybercrime groups such as known Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, supporting them in expanding their malware campaigns.

“As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106 (aka TA551) and Hive0107. These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall, which is tracked as Hive0105. ” reads the post published by IBM X-Force.

The Trickbot botnet continues to evolve despite the operations conducted by law enforcement aimed at dismantling it. The authors recently implemented an update for the VNC module used for remote control over infected systems.

In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Even if Microsoft and its partners have brought down the TrickBot infrastructure, its operators attempted to resume the operations by setting up new command and control (C&C) servers online.

Following the takedown, the operators behind the TrickBot malware have implemented several improvements to make it more resilient.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. Operators continue to offer the botnet through a multi-purpose malware-as-a-service (MaaS) model. Threat actors leverage the botnet to distribute a broad range of malware including info-stealer and ransomware such as Conti and Ryuk. To date, the Trickbot botnet has already infected more than a million computers.

IBM X-Force researchers, along with Cylera analysts, analyzed a growing number of campaigns carried out by Trickbot operators to deliver proprietary malware, in some cases through other cybercrime groups such as Hive0105, Hive0106 and Hive0107.

Earlier this year, the cybercrime group relied on email campaigns delivering Excel documents and a call center ruse dubbed “BazaCall” in a malware campaign aimed at corporate users. Starting from June 2021, the group started a partnership with two prominent cybercrime affiliates that added the use of hijacked email threads and fraudulent website customer inquiry forms.

This partnership allowed Trickbot operators to increase the volume of messages in its malspam campaigns and to diversify the delivery methods.

In late August 2021, experts noticed that the Hive0107 affiliate was employing a new tactic that involves sending email messages to target companies informing them that their websites have been performing distributed denial-of-service (DDoS) attacks on its servers. The messages urge the recipients to click on a link for supposed evidence and how to solve the problem.

Upon clicking the link, it will download a ZIP archive containing a malicious JavaScript (JS) downloader (titled ‘Stolen Images Evidence.js’ or ‘DDoS attack proof and instructions on how to fix it.js.’) that contacts a remote URL to download the BazarLoader malware to drop Cobalt Strike and a PowerShell script.

“ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks.” concludes the report. “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]