
Attackers Behind Trickbot Expanding Malware Distribution Channels
2021-10-15 07:40

The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.

The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known as Hive0105, Hive0106, and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver their proprietary malware, according to a report by IBM X-Force.

"These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said.

While attacks mounted earlier this year relied on email campaigns delivering Excel documents and a call center ruse dubbed "BazaCall" to deliver malware to corporate users, recent intrusions beginning around June 2021 have been marked by a partnership with two cybercrime affiliates that augment the group's distribution infrastructure: hijacked email threads and fraudulent customer inquiry forms on organization websites are used to deploy Cobalt Strike payloads.

Once clicked, the link delivered through these lures downloads a ZIP archive containing a malicious JavaScript downloader which, in turn, contacts a remote URL to fetch the BazarLoader malware, which then drops Cobalt Strike and TrickBot.
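The delivery chain just described (ZIP archive written to disk, a JavaScript file from it run by a Windows script host, the script host then reaching out to fetch the next stage) is something an endpoint telemetry pipeline can correlate. The following is an added example, not code from the article or from IBM X-Force's report: it parses a constructed, pipe-delimited event log (timestamp, host, event type, process, PID, detail; the format, the five-minute window and all hosts, paths and addresses are assumptions made for this example) and raises an alert only when all three steps occur on one host in order. A script host that runs a .js file with no preceding archive write, or that never connects out, is left alone.

```python
"""Correlate endpoint events for the ZIP -> .js -> script-host beacon chain.
Constructed sample telemetry; field layout and time window are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: timestamp|host|event|process_name|pid|detail
SAMPLE_LOG = r"""
2021-10-14T09:01:02|WS-14|file_create|outlook.exe|1201|C:\Users\amy\Downloads\response_form.zip
2021-10-14T09:01:30|WS-14|file_create|explorer.exe|880|C:\Users\amy\AppData\Local\Temp\Temp1_response_form.zip\response_form.js
2021-10-14T09:01:33|WS-14|process_start|wscript.exe|4412|"C:\Windows\System32\wscript.exe" "C:\Users\amy\AppData\Local\Temp\Temp1_response_form.zip\response_form.js"
2021-10-14T09:01:35|WS-14|net_connect|wscript.exe|4412|203.0.113.10:443
2021-10-14T09:05:00|WS-22|process_start|wscript.exe|5120|"C:\Windows\System32\wscript.exe" "C:\Scripts\inventory.js"
2021-10-14T09:30:00|WS-22|net_connect|chrome.exe|2210|198.51.100.7:443
2021-10-14T10:12:11|WS-07|file_create|chrome.exe|3300|C:\Users\bob\Downloads\invoice.zip
2021-10-14T10:14:00|WS-07|process_start|cscript.exe|6001|cscript.exe C:\Users\bob\Downloads\invoice\invoice.js
2021-10-14T10:14:09|WS-07|net_connect|cscript.exe|6001|192.0.2.55:80
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=5)  # assumed gap allowed between chain steps
# ".js" as a complete extension: followed by a quote, whitespace or end of string
JS_ARG = re.compile(r'\.js(?=["\s]|$)', re.I)


def parse_events(text):
    """Turn the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, proc, pid, detail = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event": event,
            "proc": proc.lower(),
            "pid": int(pid),
            "detail": detail,
        })
    return events


def detect_js_downloader_chain(events):
    """One alert per script-host process that ran a .js file on a host where a
    .zip was written within WINDOW beforehand, and that itself made an outbound
    connection within WINDOW of starting."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    for host, evs in by_host.items():
        zips = [e for e in evs
                if e["event"] == "file_create" and e["detail"].lower().endswith(".zip")]
        for start in evs:
            if start["event"] != "process_start" or start["proc"] not in SCRIPT_HOSTS:
                continue
            if not JS_ARG.search(start["detail"]):
                continue
            recent_zip = any(timedelta(0) <= start["ts"] - z["ts"] <= WINDOW for z in zips)
            beacon = next((e for e in evs
                           if e["event"] == "net_connect" and e["pid"] == start["pid"]
                           and timedelta(0) <= e["ts"] - start["ts"] <= WINDOW), None)
            if recent_zip and beacon:
                alerts.append({"host": host, "pid": start["pid"],
                               "script": start["detail"], "remote": beacon["detail"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_js_downloader_chain(parse_events(SAMPLE_LOG)):
        print(f"{alert['host']} pid {alert['pid']} -> {alert['remote']}: {alert['script']}")
```

Run against the sample, WS-14 and WS-07 produce alerts; WS-22, where an administrator's wscript.exe job runs a .js file without any archive write and the only outbound connection belongs to the browser, does not. Keying the beacon to the script host's own PID rather than to any connection on the host is what keeps that benign case quiet; in a real pipeline the same logic would sit over Sysmon event IDs 11, 1 and 3 or the equivalent EDR event types.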

"ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks," the researchers concluded.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/GBTuomhYFns/attackers-behind-trickbot-expanding.html