TrickBot Gang Extends its Reach Thanks to New Distribution Affiliate

True to form, cybercriminals continue to evolve in the ways they operate as well as the TTPs (techniques, tactics, and procedures) they employ to carry out their attacks. One of their more insidious recent strategies is to effectively crowdsource malicious activities via various distribution affiliates. Now, one of the most pervasive malware threats of recent times, the TrickBot gang, has expanded its reach by adopting additional malware distribution services.

TrickBot emerged as a banking credential theft Trojan in 2016. However, it has evolved to become what you could call a modular malware enterprise software. Its modular nature means it can continuously be modified with new features and capabilities and be combined with other malware to launch more successful attacks. For example, while TrickBot’s core code acts as a man-in-the-browser (MiTB) agent, it’s often used as a primer for Ryuk ransomware infections.

With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.

TrickBot most commonly spreads via email spam campaigns and abuses the Server Message Block (SMB) Protocol to spread laterally throughout a network.

In 2020, Microsoft’s Digital Crime Unit and U.S. authorities launched a coordinated attack against the TrickBot gang. They claimed to have successfully crippled 94% of the botnet gang’s infrastructure.

However, as was expected, this incessant cybercriminal gang found a way to continue and grow their cybercriminal activities and become a more pervasive threat than ever.

Due to its changing nature, guarding against TrickBot attacks was already a significant challenge for security professionals.

As recent as earlier this year, the gang’s preferred method of distribution has been delivering infected Excel documents via email campaigns as well as a call-center ruse known as BazarCall. Via the latter strategy, targets are tricked into downloading “free software” under a trial period. To avoid being charged after the trial, they are directed to call a phone number to a phony call center. From here, the call center “agent” directs the user to a malicious website under the ruse of unsubscribing from the service.

The result is that the victim ends up with some type of malware on their system, most commonly the BazarLoader implant or TrickBot itself. Both malware programs are often used as initial access points to launch further malware infections, especially using ransomware.

Now, IBM’s X-Force has found that TrickBot has added two new distribution affiliates to their pipeline. These are dubbed Hive0106 (aka TA551) and Hive0107.

Malware distribution affiliates utilize software developed by a malware gang, like TrickBot, to spread and successfully deliver the malware. This frees up the malware developers to focus on improving their underlying code, leaving others to specialize in distributing it as widely and effectively as possible. Affiliates then get a cut of the earnings from any successful attack launched by them.

According to the IBM researchers, “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.”

In the wake of this move, researchers noticed a considerable uptick in ransomware attacks, especially involving the new Conti code. It’s now believed that the Conti ransomware might be developed by the TrickBot gang and is one of their go-to RaaS (Ransomware as a service) malware.

The Conti code gained notoriety during the recent COVID-19 pandemic for affecting hospitals, destroying backups, and pursuing double-extortion tactics.

Hive0106 (aka TA551, Shathak, and UNC2420) is a malware distribution affiliate whose campaigns are based on hijacking email threads. They specialize in launching high-volume campaigns and can scale to massive proportions.

They rely on previous infections to be able to impersonate and insert themselves into ongoing email correspondence, masquerading as one of the legitimate email account holders.

The emails even contain the exact same email subject, although the entire thread is not included. The email itself is an archive file containing a malicious attachment and password. The HTA file contained in the malicious attachment then downloads Trickbot or BazarLoader.

Hive0107, on the other hand, gained notoriety for distributing the IcedID trojan, which used to be a rival to TrickBot. This distribution network primarily spoofs contact forms or legitimate company websites to send malicious links to employees and customers. By following the link, targets are usually threatened by legal action, for example, due to copyright infringement.

One of their newer TTPs is to launch a DDoS attack against a victim organization. They then send a link that purports to be from a source that has evidence of the attack and instructions on how to fix the situation.

Either way, the same process unfolds whereby a victim is groomed into downloading malicious files. This initial access point software then downloads BazarCall or Trickbot, which in turn downloads other malware, such as CobaltStrike or ransomware.

In its writeup, IBM offers several recommendations on preventing and dealing with threats posed by actors like TrickBot. This includes establishing and maintaining robust backup routines, implementing data theft prevention strategies, employing user behavior analytics, and enforcing multi-factor authentication. You can also read their whitepaper for more information on ransomware threats’ readiness, response, and remediation.

 

References

Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds