The operators of the TrickBot Trojan are working with the Shathak threat group to distribute their software, ultimately leading to the deployment of Conti ransomware on infected machines.
In a report analyzing the group’s recent malware distribution campaigns, Cybereason security analysts Aleksandar Milenkoski and Eli Salem said: “The implementation of TrickBotover the yearsIt is constantly evolving, and recent versions of TrickBot implement malware loading capabilities. “TrickBot has played a significant role in many attacks conducted by different threat actors, ranging from common cybercriminals to nation-state actors. "
The latest report builds on an IBM X-Force report last month that revealed TrickBot's partnerships with other cybercriminal gangs, including Shathak, to deliver proprietary malware. Shathak, also tracked under the moniker TA551, is a sophisticated cybercriminal who targets end users globally, acting as a malware distributor by leveraging password-protected ZIP archives containing macro-enabled Office documents.
The TrickBot gang, known as ITG23 or Wizard Spider, is responsible for developing and maintaining the Conti ransomware, in addition to leasing access to the malware to affiliates through a ransomware-as-a-service (RaaS) model.
Infection chains involving Shathak typically involve sending phishing emails embedded with malware-laden Word documents, ultimately leading to the deployment of TrickBot or BazarBackdoor malware, which is then used as a conduit to deploy Cobalt Strike beacons and ransomware, but not Before conducting reconnaissance, lateral movement, credential theft and data breach activities.
Cybereason researchers said they observed an average time to ransom (TTR) of two days after a breach, representing the time from when a threat actor initially gains access to a network to when the threat actor actually deploys the ransomware.
The findings come as the U.S.cyber securityand the Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)ReportAccording to the report, as of September 2021, no less than 400 Conti ransomware attacks have occurred against the United States and international organizations.
To protect systems from Conti ransomware, the agencies recommend implementing various mitigation measures, including "requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date."
Original article, author: CNCSO, if reprinted, please indicate the source: https://cncso.com/en/trickbot-operator-works-with-shathak-attacker-to-develop-conti-blackmail-software.html
