More than a year after the Trickbot and Conti syndicate shut down, researchers said that the various members behind the group have splintered into a web of threat groups that continue to communicate amongst themselves and rely on shared infrastructure.
In order to better understand where the members associated with the Trickbot and Conti operation (also tracked as ITG23) landed, researchers with IBM Security X-Force scrutinized 13 crypters that had previously been attributed to and used by the group since 2021. Crypters are applications used to load malware on the victim’s system while avoiding antivirus and signature-based detection methods by encrypting and obfuscating the code. Many of these crypters are still being actively used by threat groups like Quantum, Royal and BlackBasta, giving security researchers a trail of breadcrumbs that show how former syndicate operators continue to work together in a post-Trickbot and Conti world.
“The use of the crypters by members of multiple former ITG23 factions signals a high level of communication and cooperation between these actors, challenging the assumption that the new factions are all separate or distinct groups,” said IBM Security X-Force researchers in a Tuesday analysis.
The Trickbot cybercrime group was active for years and had a tight-knit relationship with the Conti ransomware group. When Trickbot eventually shut down in 2021, the Conti group reportedly took over the well-known malware operation. The cybercrime syndicate targeted hospitals, schools, government agencies and other sensitive organizations.
Crypters in a Post-Conti World
After the Trickbot/Conti syndicate faced several law enforcement crackdowns in 2022, coupled with leaks of Conti’s internal playbook, it shut down, and its operators scattered across a number of smaller, distinct threat groups. These groups developed their own operations that have mainly centered around ransomware or data extortion, and have used new commodity malware tools.
However, IBM Security’s research shows that these fractured threat groups still share the crypters that were previously affiliated with the Trickbot/Conti syndicate. The Conti leaks revealed that the threat group operated a centralized team that was in charge of developing crypters and that had started automating the crypting process using a Jenkins build automation server.
Due to the complexity of some of these crypters, and the time and experience needed by developers to create them, it makes sense for threat actors to reuse or share them instead of frequently writing brand new ones, said Charlotte Hammond, malware reverse engineer with IBM Security X-Force.
“It takes an experienced malware developer to create an effective crypter, and then maintain and update it, which may be something that not every group has access to,” said Hammond. “Also, many of the crypters are under continuous development, and these regular updates are often enough to significantly reduce AV detection, and so creating new ones is not needed if the existing ones are still effective.”
With all that in mind, finding one of these crypters on a file sample “is a strong indication” that its developer, distributor, or operator is either linked to the Trickbot/Conti syndicate or has had a partnership with the group, said researchers.
Cracking the Crypter Code
The crypters have been used alongside malware that was previously leveraged in Trickbot or Conti attacks, such as Emotet, IcedID, Qakbot and Bumblebee. But they have also appeared alongside new malware families, such as SVCReady, CargoBay, Matanbuchus, Pikabot, Aresloader, Vidar, Minodo, and LummaC2 Stealer, said researchers.
These have included the Dave crypter, which researchers said is still under regular development with multiple variants. Many threat groups frequently use Dave in attacks that have been linked to at least 15 current malware families. Researchers earlier this year, for instance, observed the Dave loader being used in a February campaign with a new backdoor that they called Domino, which they believe was created by developers associated with the FIN7 cybercriminal group.
Researchers also discovered two new crypters that they linked to former Trickbot/Conti developers. The Forest crypter (also known as the Bumblebee loader due to its deployment alongside the known Bumblebee malware), which was found in March 2022, has been used frequently in campaigns over the past year alongside the IcedID, Qakbot, CobaltStrike and Gozi malware families (in addition to Bumblebee). The second new crypter, Snow, was observed in December 2022 and shares code with the now-retired Hexa crypter, also attributed to Trickbot/Conti, leading researchers to conclude that it is likely a successor to Hexa. This crypter has been leveraged in IcedID, Qakbot, Gozi and Pikabot malware campaigns.
More than half of the crypters studied by researchers, meanwhile, have not been observed in use since the first half of 2022. Researchers believe that the lack of activity surrounding these crypters - which include Galore, Rustic, Hexa, Charm and Graven - could be tied to the disruption that Trickbot/Conti faced during this time.
“We do not know the exact reasons why many of the crypters have not been seen since early 2022, but it is possible that during the period of disruption, key members of the development team left, or access to the crypter code or automation server was somehow lost,” said Hammond.
Threat Landscape Grows More Complex
The research highlights how the threat landscape is becoming more complex, with threat actors partnering together, shutting down or rebranding. At the same time, it’s becoming easier for cybercriminals to develop and operate sophisticated threat groups.
“This dynamic definitely challenges attribution, making it increasingly difficult to assign attacks to specific actors,” said Ole Villadsen, senior threat analyst with IBM Security X-Force. “Enterprises will need to accept that attributing an attack to specific threat actors may be very difficult to do, requiring a focus instead on defending against the tactics, techniques, and procedures that are in use across a range of cybercriminal groups rather than specific to a few.”
While this certainly complicates analysis for security researchers, IBM Security researchers said that the shared use of crypters can help the industry better map out new versus old players in the threat landscape, and understand how cybercriminals are sharing and leveraging known tools in attacks.
“Detecting and tracking the crypters allows us to identify a much broader range of malware in use with ITG23 and its partners; in other words - it is more ‘bang for the buck’ in terms of where to focus for detection,” said Villadsen. “After having detected the crypter on a file, we know that we are very likely looking at malware or tools that are related to ITG23 activity, and from there we can zero in on the specific tool or malware after having made the detection.”