Recently, the TrickBot (ITG23) and Shatak (TA551) gangs have formed an alliance to deploy the Conti ransomware on targeted devices. The Shatak operation partnered with the TrickBot operators to run phishing campaigns that infect victims with malware.
Researchers found that the two groups began working together last July. They also believe the partnership has paid off for the attackers, since the joint campaign continues to this day.
Analysts state that the intrusion chain starts with a phishing email sent by Shatak that carries a password-protected archive containing a malicious document.
According to a report, Shatak usually reuses reply-chain emails stolen from past victims and attaches password-protected files. These attachments contain scripts that run base64-encoded code to download and install the TrickBot malware from a remote site.
Once TrickBot is running, it deploys a Cobalt Strike beacon on the infected system and registers it as a scheduled task for persistence. The pair then use BazarBackdoor to enumerate the network, domain admins, shared computers, shared resources and users. Next they exfiltrate user credentials, Active Directory data, password hashes and anything else they can abuse to spread inside the network.
After harvesting all vital information from the victimised network, the pair deploy the Conti ransomware to encrypt the infected devices.
Shatak and TrickBot's collaboration might breed new team-ups.
Recently, a report from a French emergency response team revealed that Shatak also collaborates with the ransomware gang Lockean. Because of this report, many cybersecurity firms believe Shatak may have partnered with other groups besides TrickBot and Lockean.
The most effective defence against these attacks is extensive employee training on the risks of phishing emails.
In addition, administrators should enforce multi-factor authentication on accounts and continuously monitor event logs for unusual configuration changes.
Experts also recommend regularly backing up critical data to a separate remote location and keeping the backups offline so attackers cannot reach them.
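As an added, defensive example that is not part of the original article: a small Python script that applies the log-monitoring advice above to two techniques the chain description mentions, scheduled-task creation for persistence and scripts that run base64-encoded code. The event records are constructed and use a simplified field layout (an assumption; real Windows event exports differ). Event IDs 4698 and 4688 are the standard Windows Security log IDs for scheduled task creation and process creation, and `-EncodedCommand` with its abbreviations is PowerShell's real parameter; the "user-writable path" list and the rule names are the example's own choices.

```python
import base64
import re

def encode_utf16le_b64(text):
    """Encode text the way PowerShell expects -EncodedCommand arguments (UTF-16LE, base64).
    Used here only to build the constructed sample record."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")

# Constructed sample events (simplified JSON-like shape; field names are an assumption).
SAMPLE_EVENTS = [
    # Benign: scheduled task whose action lives under Program Files
    {"EventID": 4698, "SubjectUserName": "svc_installer",
     "TaskName": "\\Microsoft\\Windows\\UpdateCheck",
     "TaskContent": "<Exec><Command>C:\\Program Files\\Vendor\\update.exe</Command></Exec>"},
    # Suspicious: scheduled task whose action lives in a user-writable directory
    {"EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": "\\SystemHealthCheck",
     "TaskContent": "<Exec><Command>C:\\Users\\jdoe\\AppData\\Local\\Temp\\hc.exe</Command></Exec>"},
    # Benign: ordinary process creation
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    # Suspicious: PowerShell started with an encoded command (harmless constructed payload)
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    + encode_utf16le_b64("Write-Host 'constructed example'")},
]

# Directories an unprivileged user can write to; a task action there is unusual for
# legitimately installed software (list chosen for this example).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\", re.I)

# -EncodedCommand and the prefix abbreviations PowerShell accepts (longest first).
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(command_line):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(event):
    """Apply the two detection rules to one event; returns a list of finding dicts."""
    findings = []
    event_id = event.get("EventID")
    user = event.get("SubjectUserName", "?")
    if event_id == 4698:  # a scheduled task was created
        cmd = re.search(r"<Command>(.*?)</Command>", event.get("TaskContent", ""), re.S)
        action = cmd.group(1) if cmd else ""
        if USER_WRITABLE.search(action):
            findings.append({"rule": "scheduled_task_in_user_writable_path",
                             "user": user, "task": event.get("TaskName"), "action": action})
    elif event_id == 4688:  # a process was created
        decoded = decode_encoded_command(event.get("CommandLine", ""))
        if decoded is not None:
            findings.append({"rule": "encoded_powershell_command",
                             "user": user, "decoded": decoded})
    return findings

def analyse_events(events):
    """Run both rules over a sequence of events and collect every finding."""
    return [finding for event in events for finding in analyse_event(event)]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when adapting this to real telemetry: event 4688 only carries the command line if the "Include command line in process creation events" audit policy is enabled, and decoding the encoded argument is what turns an opaque blob into something an analyst can triage, so keep the decoded text in the alert rather than just the flag.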