
Trickbot Rising — Gang doubles down on infection efforts to amass network Footholds

Threat Actors: ITG23 (TrickBot Gang/Wizard Spider), Hive0105 (BazarCall), Hive0106 (TA551/Shathak/UNC2420), Hive0107

Campaign Overview: Aggressive malware distribution expansion targeting enterprises with Trickbot, BazarLoader, and ransomware such as Conti. Partnering with affiliates for broader delivery methods, including hijacked email threads, fake customer response forms, and fraudulent call centers.

Target Regions: Primarily the United States, with activity also observed in Canada and Europe.

Methodology: Hijacked email threads, phishing emails, fake call centers (BazarCall), contact form abuse, malicious Excel documents, LNK files, JS scripts, and fake cancellation/transaction themes.

Product Targeted: Enterprise systems, using initial infections (Trickbot/BazarLoader) to stage ransomware (Conti).

Malware Reference: Trickbot, BazarLoader, BazarBackdoor, Conti ransomware, Ryuk, Cobalt Strike, Anchor backdoor.

Tools Used: Malicious macros, HTML applications (HTA), JScript, PowerShell, Cobalt Strike, contact form abuse.

Vulnerabilities Exploited: PrintNightmare (CVE-2021-34527).

TTPs: Credential theft, lateral movement, phishing, fake customer service lures, modular malware updates, cloud-hosted malware delivery, ransomware-as-a-service (RaaS).

Attribution: ITG23 operates from Eastern Europe, adapts to disruptions (e.g., U.S. Cyber Command and Microsoft actions in 2020), and partners with other threat actors.

Recommendations: Offline backups, redundancy in backup storage, segmentation of backup zones, monitoring for unusual activity, employee awareness training.

Source: Security Intelligence


Disclaimer: The above summary has been generated by an AI language model.

Source: Advanced Threats – Security Intelligence

Published on: October 13, 2021
