Expansion of TrickBot Malware caused by the joint forces of Ransomware Gangs

November 9, 2021
TrickBot Malware Ransomware Gangs malware phishing

The ransomware actors behind the destructive TrickBot malware have resurfaced, now equipped with new strategies designed to broaden its reach by expanding its distribution channels. The goal of this expansion is to deploy another ransomware family, Conti.

According to a report, the orchestrator of this expansion is the ransomware gang known as Wizard Spider or ITG23, which has been identified as partnering with other groups tracked as Shathak, Hive0107, Hive0106, and Hive0105. Together, these groups are cooperating to accelerate the distribution of the malware.


How do these ransomware gangs expand the TrickBot malware infection?

Researchers have observed these ransomware gangs infecting corporate networks with the malware by using bogus customer response forms, social engineering of employees, and hijacked email threads.

Since its introduction to the cybercrime world in late 2016, TrickBot has evolved from a banking trojan into modular Windows-based malware. It is known for its resilience and its ability to re-establish its toolset and infrastructure despite numerous efforts by cybersecurity firms to take it down.

More recently, attacks initiated in the early part of this year relied on fake email campaigns delivering malicious Excel documents and a fake call centre named ‘Bazarcall’ to distribute the malware to corporate targets. The earliest intrusions by these partnered ransomware gangs were recorded around the second week of June 2021. It is believed that a partnership of two cybercrime groups accelerated the distribution: hijacked email threads and fake customer inquiry forms on organisations’ web pages were used to spread Cobalt Strike payloads.

The researchers also noted that this joint approach increased the number of malware delivery attempts and, at the same time, diversified the delivery methods, resulting in more potential victims.

In conclusion, ITG23 has adapted to the ransomware economy by developing Conti as ransomware-as-a-service and using TrickBot and Bazarloader to secure a niche for ransomware attacks. This development shows law enforcement agencies the strength of the ransomware gang’s connections within the cybercriminal community and its ability to leverage these affiliations to expand the number of companies infected with its dangerous malware.