The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.
The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware, according to a report by IBM X-Force.
“These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall,” researchers Ole Villadsen and Charlotte Hammond said.
Since emerging on the threat landscape in 2016, TrickBot has evolved from a banking trojan to a modular Windows-based crimeware solution, while also standing out for its resilience, demonstrating the ability to maintain and update its toolset and infrastructure despite multiple efforts by law enforcement and industry groups to take it down. Besides TrickBot, the Wizard Spider group has been credited with the development of BazarLoader and a backdoor called Anchor.