Category | Details |
---|---|
Threat Actors | ITG23 (TrickBot Gang/Wizard Spider), Hive0105 (BazarCall), Hive0106 (TA551/Shathak/UNC2420), Hive0107 |
Campaign Overview | Aggressive expansion of malware distribution against enterprises, using Trickbot and BazarLoader as initial-access loaders ahead of Conti ransomware deployment. ITG23 partners with distribution affiliates to broaden delivery: hijacked email threads, website contact forms abused to deliver fake customer-response messages, and fraudulent call centers (BazarCall). |
Target Regions | Primarily United States, with activity also observed in Canada and Europe. |
Methodology | Hijacked email threads, phishing emails, fake call centers (BazarCall), website contact-form abuse, malicious Excel documents, LNK files, JScript files, and fake cancellation/transaction lures. |
Product Targeted | Enterprise networks: initial Trickbot/BazarLoader infections are used to stage Conti ransomware deployment. |
Malware Reference | Trickbot, BazarLoader, BazarBackdoor, Conti Ransomware, Ryuk, Cobalt Strike, Anchor backdoor. |
Tools Used | Malicious Office macros, HTML Applications (HTA), JScript, PowerShell, Cobalt Strike. |
Vulnerabilities Exploited | PrintNightmare (CVE-2021-34527), Windows Print Spooler remote code execution. |
TTPs | Credential theft, lateral movement, phishing, fake customer service lures, modular malware updates, cloud-hosted malware delivery, ransomware-as-a-service (RaaS). |
Attribution | ITG23 operates from Eastern Europe, adapts quickly to disruption (e.g., the October 2020 takedown attempts by U.S. Cyber Command and Microsoft), and partners with other threat actors for distribution. |
Recommendations | Offline backups, redundancy in backup storage, segmentation of backup zones, monitoring unusual activities, employee awareness training. |
Source | Security Intelligence |
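
The Methodology and Tools rows describe an execution chain (a malicious Excel document or LNK/JS file, then an HTA or JScript stage, then PowerShell and Cobalt Strike) plus the PrintNightmare exploit, and a detection engineer looks for exactly those parent-child process relationships. The script below is an added example for this summary, not code from the article or from IBM X-Force: it runs three rules over constructed Sysmon-style process-creation events (field names follow Sysmon Event ID 1: Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid) and reconstructs the ancestry chain for each hit. The sample events, GUIDs and paths are made up, and the spoolsv.exe rule is a generic post-exploitation indicator (the spooler spawning a shell), not a signature taken from the article.

```python
"""Added example: flag the Office -> script host -> PowerShell execution chain
and spoolsv.exe spawning a shell over Sysmon-style process-creation events."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry (not real events). Field names follow Sysmon
# Event ID 1 (ProcessCreate); GUIDs are shortened placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" C:\Users\user\Downloads\Cancellation_Form.xlsm'},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\update.hta"},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessGuid": "p4", "ParentProcessGuid": "s1",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessGuid": "p5", "ParentProcessGuid": "p0",   # benign: user-launched shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Legitimate spooler child (printer driver isolation); any other child is suspicious.
SPOOLSV_EXPECTED_CHILDREN = {"printisolationhost.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")


@dataclass
class Finding:
    rule: str
    image: str
    chain: str      # ancestry, oldest process first
    encoded: bool   # command line carries an encoded PowerShell payload


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(event: Dict[str, str], index: Dict[str, Dict[str, str]]) -> str:
    """Walk ParentProcessGuid links back to the oldest ancestor in the event set."""
    names = [basename(event["Image"])]
    seen = {event["ProcessGuid"]}
    cur = event
    while True:
        parent = index.get(cur["ParentProcessGuid"])
        if parent is None or parent["ProcessGuid"] in seen:
            # Parent not collected (or a cycle): fall back to the recorded ParentImage.
            names.append(basename(cur["ParentImage"]))
            break
        seen.add(parent["ProcessGuid"])
        names.append(basename(parent["Image"]))
        cur = parent
    return " > ".join(reversed(names))


def classify(image: str, parent: str) -> Optional[str]:
    """Map one parent/child pair to a rule name, or None if it looks normal."""
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS | SHELLS:
        return "office_spawns_script_host"
    if parent in SCRIPT_HOSTS and image in SHELLS:
        return "script_host_spawns_shell"
    if parent == "spoolsv.exe" and image not in SPOOLSV_EXPECTED_CHILDREN:
        return "spoolsv_child_process"
    return None


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    index = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        rule = classify(image, parent)
        if rule:
            findings.append(Finding(rule, image, ancestry(e, index),
                                    bool(ENCODED_FLAG.search(e["CommandLine"]))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.chain}" + ("  (encoded PowerShell)" if f.encoded else ""))
```

Run against the constructed events, the script reports the mshta.exe and powershell.exe stages of the Excel chain (the latter marked as encoded) and cmd.exe under spoolsv.exe, while the user-launched PowerShell is ignored. In a real deployment the same logic would consume EDR or Sysmon exports instead of the inline list; the ancestry walk is what lets an analyst see the full lure-to-loader chain in one alert rather than three unrelated events.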
Disclaimer: The above summary has been generated by an AI language model.