Security researchers from Cybereason have shed new light on the inner workings of TrickBot.
TrickBot and Shathak Threat Groups Join Forces
According to the latest findings, the threat actors behind the TrickBot trojan, known as Wizard Spider, are currently working together with the TA551 (Shathak) threat group to distribute TrickBot and BazarBackdoor malware, which are then used to deploy Conti ransomware on compromised systems. The threat actors have been using the malware loaders to deploy Conti since March 2021.
Cybereason is warning organizations about malicious spam distributed by Shathak threat actors in the form of password-protected archive files attached to phishing emails. The archives contain malicious documents laced with macros that download and execute either TrickBot or BazarBackdoor. Before the final payload is deployed, the threat actors conduct other activities, including reconnaissance, credential theft, and data exfiltration.
“The macro drops a Microsoft Hypertext Markup Language (HTML) Applications (HTA) file on the file system and then executes the file using the mshta.exe Windows utility. Malicious actors use mshta.exe to execute malicious HTA files and bypass application control solutions that do not account for the malicious use of the Windows utility,” the report said.
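The report's detail about mshta.exe is the part defenders can act on: Office spawning mshta.exe, or mshta.exe launching an .hta file from a user-writable directory, is unusual on most endpoints. The following is an added detection example, not code from Cybereason or the report; it assumes a simple constructed `Key=Value|Key=Value` process-creation record format (a stand-in for Sysmon Event ID 1 or EDR telemetry), and the Office parent list and user-writable path pattern are illustrative assumptions to tune per environment.

```python
import ntpath
import re

# Office applications whose child mshta.exe is suspicious (assumption: illustrative list)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# User-writable locations where a macro-dropped HTA would typically land (assumption)
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I,
)

# Constructed sample process-creation records; line 1 mimics the macro -> mshta.exe -> HTA chain
SAMPLE_LOG = r"""
ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Program Files\Vendor\setup.hta
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt
"""


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Lower-cased file name of a Windows path, so comparisons are case-insensitive."""
    return ntpath.basename(path).lower()


def assess(event):
    """Return the reasons an event matches the Office macro -> mshta.exe -> HTA pattern."""
    reasons = []
    if basename(event.get("Image", "")) != "mshta.exe":
        return reasons
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("mshta.exe spawned by an Office application")
    cmd = event.get("CommandLine", "")
    if ".hta" in cmd.lower() and USER_WRITABLE.search(cmd):
        reasons.append("HTA file executed from a user-writable path")
    return reasons


def detect(log_text):
    """Run assess() over every record and return (command line, reasons) for each hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.get("CommandLine", ""), reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in detect(SAMPLE_LOG):
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

Only the first constructed record is flagged, on both counts; the second (explorer.exe running an HTA from Program Files) is left alone, which is the kind of distinction a rule needs so that legitimate vendor HTAs do not bury the alert. Either condition alone is worth an alert in most environments; together they are a strong signal.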
The final payload of the malicious operation is Conti ransomware. Previous similar campaigns have been used to deliver Ryuk.
It is noteworthy that recent versions of TrickBot include malware-loading capabilities. TrickBot has long been known for supporting various attack campaigns carried out by different threat groups. Both common criminals and nation-state actors have used the backdoor.
“TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors. These campaigns have often involved the deployment of ransomware such as the Ryuk ransomware,” the report noted.
Conti is a high-level Russian-speaking ransomware threat actor specializing in double extortion operations, in which data encryption and data exfiltration happen simultaneously. One of the latest updates to the ransomware added the capability to destroy data backups: https://sensorstechforum.com/conti-ransomware-destroying-data-backups/