Russian Cybercrime Trickbot Group is systematically attacking Ukraine

The operators behind the TrickBot malware are systematically targeting Ukraine since the beginning of the war in February 2022.

IBM researchers collected evidence indicating that the Russia-based cybercriminal Trickbot group (aka Wizard Spider, DEV-0193, ITG23) has been systematically attacking Ukraine since the beginning of the Russian invasion of the country.

Since February, the Conti ransomware group has taken over TrickBot malware operation and also planned to replace it with BazarBackdoor malware.

Between mid-April and mid-June of 2022, the Trickbot group has conducted at least six campaigns against entities in Ukraine. The experts observed the threat actors deploying multiple malware IcedID, CobaltStrike, AnchorMail, and Meterpreter. Experts pointed out that prior to the Russian invasion, the Trickbot gang hasn’t targeted Ukraine and the malware used by the group was configured to not execute on systems using the Ukrainian language.

“ITG23’s campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection,” reads a technical report published by IBM Security X-Force. “The systematic attacks observed against Ukraine include reported and suspected phishing attacks against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population.”

The campaign resulted in the theft of sensitive data and the deployment of ransomware to damage Ukrainian’s economy.

In some of the attacks, threat actors used an Excel document named Nuclear.xls, suggesting an alarming lure. Once opened, the document downloads a WinRAR self-extracting archive (SFX) that delivers the AnchorMail backdoor to the victim’s system. Experts also observed attacks dropping IcedID and CobaltStrike.

Another novelty in the attacks observed by IBM researchers is the use of a new crypter, dubbed Forest, to evade detection of the Cobalt Strike beacons employed in the intrusion. The Forest crypted was used in attacks that also employed the Trickbot Bumblebee malware.

“Although we have yet to observe similar activity on a wider scale, these campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups. Ukraine has been targeted with a wide variety of cyber activity leading up to and since the invasion, including distributed-denial-of-service (DDoS) attacks and defacements and attempted destructive activity attributed to Russian state-sponsored actors.” concludes IBM.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]