Latest TrickBot cyber-gang activity
In recent days, we have observed multiple new Conti Ransomware attacks associated with the presence of the TrickBot malware. The increase in attacks and ransomware distribution appears linked to new affiliate agreements between the threat groups Hive0106 and Hive0107 and the TrickBot gang, the group behind the BazarLoader and TrickBot malware families.
The Malware
The TrickBot banking Trojan was first identified in 2016. Over time, the gang that developed it and from which the malware takes its name, TrickBot (also known as Wizard Spider), has expanded and improved the capabilities of its tool, transforming it into a multi-purpose malware capable of implanting backdoors, delivering additional payloads, and executing lateral movement and data exfiltration activities with extreme speed.
Recently, we tracked malware deployment through malspam emails that prompt victims to contact a call center. During the call, the victim is redirected to an operator who guides the user into downloading and executing the BazarLoader malware. This distribution technique is known as BazarCall.
The New Affiliates
The new TrickBot affiliates had already been observed in earlier campaigns; Hive0107 in particular was known for its use of IceID. Both groups target various Western countries, including the United States and Canada, as well as several European nations. Typically, malware deployment occurs through a password-protected zip file (attached to an email) containing HTA files or various scripts (such as WScript and JScript) whose execution leads to the deployment of the BazarLoader loader. From there, a series of PowerShell commands and scripts are executed, associated with Cobalt Strike beacons and with code exploiting the PrintNightmare vulnerability to obtain administrative privileges. Our Cyber Threat Intelligence operations have tracked these TTPs across multiple intrusion sets, confirming the operational consistency of this attack chain.
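As an added illustration of how a defender can detect the chain just described (this is not code from the original post), the following Python applies two process-ancestry checks to constructed Sysmon-style process-creation records: a script host (mshta, wscript, cscript) spawning PowerShell with hidden or encoded arguments, and the print spooler spawning an unexpected child, which is how PrintNightmare exploitation typically surfaces in telemetry. The event field names, the spooler allowlist and the sample events are assumptions made for the example.

```python
import re

# Script hosts that run the HTA / WScript / JScript stages dropped from the zip
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Children the print spooler legitimately spawns (assumed allowlist; tune per environment)
SPOOLER_ALLOWED = {"printisolationhost.exe"}
# PowerShell arguments typical of a hidden, encoded downloader stage
PS_SUSPICIOUS = re.compile(
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-nop\b|-w(indowstyle)?\s+hidden"
    r"|downloadstring|invoke-expression|\biex\b", re.I)

def basename(path):
    """Lower-cased last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return (severity, reason) for one process-creation event, or None if benign."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if child == "powershell.exe" and parent in SCRIPT_HOSTS:
        if PS_SUSPICIOUS.search(event["CommandLine"]):
            return "high", f"{parent} launched PowerShell with downloader-style arguments"
        return "medium", f"{parent} launched PowerShell"
    if parent == "spoolsv.exe" and child not in SPOOLER_ALLOWED:
        return "high", f"print spooler spawned {child} (PrintNightmare-style exploitation)"
    return None

def detect(events):
    """Classify every event and return one alert per suspicious process."""
    alerts = []
    for e in events:
        verdict = classify(e)
        if verdict:
            alerts.append({"pid": e["ProcessId"], "severity": verdict[0], "reason": verdict[1]})
    return alerts

def ev(pid, parent, image, cmdline):
    """Build a minimal Sysmon Event ID 1 style record (assumed field names)."""
    return {"ProcessId": pid, "ParentImage": parent, "Image": image, "CommandLine": cmdline}

# Constructed sample telemetry for the demonstration; none of it is real.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev(4120, r"C:\Windows\System32\mshta.exe", PS,
       "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="),
    ev(4188, r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\scripts\backup.ps1"),
    ev(4302, r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ev(4377, r"C:\Windows\System32\wscript.exe", PS, "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts: the mshta-launched encoded PowerShell (high), the spooler-spawned rundll32 (high) and the wscript-launched PowerShell with benign arguments (medium); the scheduled backup script from explorer.exe is not flagged.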
Hive0106
The Hive0106 group is known for its spam campaigns and use of Email Hijacking techniques. This technique involves inserting malicious content into private conversations, masquerading as legitimate communications. Campaigns executed by this group have been observed across multiple sectors and geographic regions, utilizing various domains and sites to distribute malicious software.
Hive0107
The Hive0107 group, conversely, is known for its previous affiliation with IceID, which ended in the first half of 2021. Initial activity related to TrickBot and BazarLoader deployment dates to May 2021. Hive0107 attacks are characterized by the distribution of malicious links to users, typically messages containing information about legal actions against the target. Malicious software is distributed via cloud platforms and downloaded by the loader at the time of infection.
Recommendations
To counter this class of cyberattacks, organizations should implement Security Monitoring activities, typically delivered through MDR (Managed Detection & Response) and Security Operations Center services. Two-factor authentication for access to sensitive data is increasingly necessary and urgent, though not sufficient in isolation. Employee awareness of the risks associated with suspicious emails, links, and documents remains a foundational practice for reducing exposure to these threat vectors.