The operators behind the Trickbot banking trojan have added several new malware distribution channels with the aim of infecting a broader range of victims.
Researchers with IBM X-Force in a Wednesday report said that the prolific malware gang (also known as ITG23 or Wizard Spider) started working with two new distribution affiliates in June. The partnering groups are TA551 (also known as Shathak or Hive0106), a threat group that previously delivered the IcedID, Valak and QakBot malware families via large-scale phishing campaigns; and a threat group that researchers call Hive0107, which was seen distributing IcedID in early 2021.
“The new affiliates have added the use of hijacked email threads and fraudulent website customer inquiry forms,” said Ole Villadsen, senior analyst with IBM X-Force. “This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever.”
Trickbot’s operators have previously been “adept at using its distribution channels to increase scale and drive profits,” partnering with the operators of other malware, including IcedID, in order to reach more potential victims, said researchers.
Researchers first detected TA551 distributing the Trickbot trojan at the end of June. The threat group sent emails to victims that leveraged existing, legitimate correspondence - stolen from email clients during prior infections - as a way to earn recipients’ trust.
These emails contained an archive file with a malicious attachment. Once the attachment was opened and macros were enabled, the document dropped an HTML file, which would download Trickbot.
Researchers also observed Hive0107 targeting organizations in the U.S. with Trickbot as well as BazarLoader, starting in mid-May. The threat group informed targeted companies that their websites were performing distributed denial-of-service (DDoS) attacks on its servers and provided a link that purportedly would “fix” the issue. Once clicked, these links instead downloaded a ZIP archive containing a malicious JScript downloader. This downloader executed BazarLoader, which ultimately downloaded Trickbot.
“Legitimate email services abused by Hive0107 are then used to deliver the content entered into the customer inquiry form via email to staff within the targeted organization,” said Villadsen. “This technique might allow Hive0107 to bypass some security measures since the email would arrive from a known sender.”
Researchers said they believe the end goal of these campaigns was to initiate ransomware attacks, noting that the increase in Trickbot and BazarLoader deliveries likely led to a corresponding increase in Conti ransomware attacks since June.
That’s because banking trojans like Trickbot are increasingly being used as first-stage malware in cyberattacks, with Proofpoint researchers in June saying that these types of trojans represented almost 20 percent of malware observed in identified campaigns in the first half of 2021.
“This trend increases the ability of ITG23 to infect more enterprise users, raises the risk of ransomware attacks and demands vigilance and employee awareness training,” said Villadsen. “X-Force expects to continue seeing it for the remainder of the year.”
The cybercrime gang behind the Trickbot banking trojan was first identified in 2016. Since then, the operators have also developed other malware families, including BazarLoader and the Anchor backdoor. Over time, they have also evolved Trickbot into a modular malware family, which has been used to download additional malware, such as the Conti or Ryuk ransomware, in addition to stealing financial details, account credentials and personally identifiable information (PII).
Though the U.S. government and Microsoft both conducted separate operations attempting to disrupt Trickbot’s infrastructure in 2020, the cybercriminals returned shortly after to conduct spam campaigns. Villadsen said that over the past year the group has repositioned itself among the top of the cybercriminal industry, and IBM researchers expect that to continue into the next year.
“ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks,” said Villadsen. “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.”
Villadsen said that organizations can protect themselves by implementing a variety of security measures such as network monitoring and multi-factor authentication.
“We also recommend user awareness training about the variety of creative approaches that ITG23's distribution affiliates use to trick users into ‘clicking on the link,’” he said.