The TrickBot trojan’s operators are partnering with the Shathak threat group to distribute the malware, in infection chains that ultimately lead to the deployment of Conti ransomware on compromised devices.
In a report analysing recent malware distribution campaigns undertaken by the group, Cybereason security analysts Aleksandar Milenkoski and Eli Salem said “The implementation of TrickBot has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities.”
“TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors.”
Last month, IBM X-Force published research revealing TrickBot’s collaborations with other cybercrime gangs, including Shathak, to deploy proprietary malware. Shathak, also tracked as TA551, is a sophisticated cybercrime actor that targets end users worldwide and distributes malware through password-protected ZIP archives containing macro-enabled Office documents.
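As an added illustration, not code from the Cybereason or IBM X-Force research nor from this article, the Python below shows the metadata check a mail gateway can apply to that delivery technique. Password protection in the ZIP format encrypts member contents but leaves member names and the per-entry encryption flag in the clear, so an attachment that is both encrypted and wraps a macro-capable Office document can be flagged before anyone types the password from the email body. The sample archives, the extension list and the verdict labels are constructed for the example; the encrypted test archive is hand-assembled with `struct` because the standard-library `zipfile` writer cannot create encrypted entries.

```python
import io
import os
import struct
import zipfile
import zlib

# Extensions that can carry VBA macros. The legacy binary formats (.doc, .xls)
# can embed VBA too, so they are included. This is a heuristic: the sender
# controls the filename, so a hit is a reason to look closer, not proof.
MACRO_CAPABLE = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".doc", ".xls"}

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: entry data is encrypted


def build_encrypted_zip(members):
    """Hand-assemble a ZIP whose entries carry the 'encrypted' flag.

    Constructed test input only: the payload bytes stand in for ciphertext and
    are never decrypted, since the triage below reads metadata alone.
    """
    body = io.BytesIO()
    central = []
    for name, payload in members.items():
        name_b = name.encode("ascii")
        offset = body.tell()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        # Local file header: sig, version needed, flags, method, time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ENCRYPTED_FLAG, 0,
                               0, 0, crc, len(payload), len(payload), len(name_b), 0))
        body.write(name_b + payload)
        # Central directory entry for the same member (offset points at the local header).
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                   ENCRYPTED_FLAG, 0, 0, 0, crc, len(payload),
                                   len(payload), len(name_b), 0, 0, 0, 0, 0, offset)
                       + name_b)
    cd_offset = body.tell()
    cd = b"".join(central)
    body.write(cd)
    # End of central directory record.
    body.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                           len(central), len(cd), cd_offset, 0))
    return body.getvalue()


def build_plain_zip(members):
    """Constructed control sample: an ordinary, unencrypted archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def triage_zip_attachment(data):
    """Classify a ZIP attachment from its central directory alone.

    The file list and the encryption flag are readable without the password,
    so the check works on exactly the archives that sandboxes cannot open.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [zi.filename for zi in infos if zi.flag_bits & ENCRYPTED_FLAG]
    macro_capable = [zi.filename for zi in infos
                     if os.path.splitext(zi.filename.lower())[1] in MACRO_CAPABLE]
    if encrypted and macro_capable:
        verdict = "block"    # password-protected archive wrapping a macro-capable document
    elif encrypted or macro_capable:
        verdict = "review"   # a single indicator: hold for analyst review
    else:
        verdict = "pass"
    return {"members": [zi.filename for zi in infos],
            "encrypted": encrypted,
            "macro_capable": macro_capable,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: a lure in the Shathak style, a plain macro-capable
    # spreadsheet, and a benign archive.
    samples = {
        "lure.zip": build_encrypted_zip({"invoice_0921.docm": b"\x00" * 64}),
        "report.zip": build_plain_zip({"quarterly.xls": b"\x00" * 64}),
        "photos.zip": build_plain_zip({"holiday.jpg": b"\x00" * 32}),
    }
    for name, blob in samples.items():
        print(name, triage_zip_attachment(blob))
```

The verdict thresholds are illustrative. The encryption flag is authoritative (the archive cannot be opened without it being set), while the extension match is attacker-controlled, which is why the two are only combined into a block when both are present; a "review" queue for either alone keeps the false-positive cost visible rather than silently dropping legitimate encrypted business documents.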
The TrickBot gang, also known as ITG23 or Wizard Spider, is responsible for developing and maintaining Conti ransomware, and leasing access to the malicious software to affiliates through the Ransomware-as-a-Service (RaaS) model.
Shathak infection chains typically begin with phishing emails carrying malware-laced Word documents, which lead to the deployment of TrickBot or BazarBackdoor. That foothold is then used to deploy Cobalt Strike beacons and, after reconnaissance, lateral movement, credential theft and data exfiltration, the ransomware itself.
The average Time-to-Ransom (TTR) observed in these compromises, according to Cybereason, was two days. TTR is the interval between the moment a threat actor gains initial access to a network and the moment the ransomware is actually deployed.
The findings come as the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) reported that, as of September 2021, Conti ransomware had been used in 400 attacks on US and international organizations.
The agencies recommend a range of mitigations to harden networks against Conti ransomware, including “requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.”