Cybereason security specialists Aleksandar Milenkoski and Eli Salem, reporting on the group’s malware distribution campaigns, wrote: “The implementation of TrickBot has developed over the years, with newer versions of TrickBot implementing malware-loading capabilities. TrickBot has been a key component of numerous attack campaigns carried out by a variety of threat actors, ranging from regular cybercriminals to nation-state attackers.”
The TrickBot trojan’s developers are collaborating with the Shathak threat group to spread their wares, a collaboration that leads directly to the deployment of Conti ransomware on compromised devices.
The TrickBot gang, also known as ITG23 or Wizard Spider, is behind the Conti ransomware, as well as a ransomware-as-a-service (RaaS) model that allows affiliates to rent access to the dangerous software.
“Malicious actors use the TrickBot or BazarBackdoor malware that the Shathak group distributes to deploy additional malware, such as the Conti ransomware. In recent Conti actor attacks that we analyzed, we observed that Conti actors do not deploy ransomware immediately after initial compromise using TrickBot or BazarBackdoor,” reads the blog post.
Shathak infection chains typically start with phishing emails containing malware-laced Word documents, which then lead to the deployment of TrickBot. TrickBot is then used as a conduit to deploy Cobalt Strike beacons and, finally, the ransomware; reconnaissance, lateral movement, credential theft, and data exfiltration all take place before the ransomware is dropped.
According to the experts, TTR refers to the time between when a threat actor first gains access to a network and when the threat actor actually deploys ransomware. In September 2021, CISA and the FBI announced that there had been 400 Conti ransomware attacks targeting US and international businesses.
Recommended mitigations include the following. Handle email messages that come from outside sources in a secure manner; disabling hyperlinks and examining the content of email messages for phishing attempts are examples of this.
In Cybereason NGAV, turn on the Anti-Malware feature and select the Detect and Prevent modes.
Disable any RDP services that aren’t in use, safeguard any RDP services that are in use and check RDP log data for unusual activity on a regular basis.
Back up files to a secure remote location on a regular basis and develop a data recovery strategy. Regular data backups ensure that your data can be restored in the event of a ransomware attack.
Use strong passwords, rotate them on a regular basis, and use multi-factor authentication whenever possible.
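The RDP recommendation above asks for regular review of RDP log data for unusual activity. The following is an added example (not code from Cybereason or from the article) of the kind of check a defender can run over Windows Security events: it flags a burst of failed RemoteInteractive (type 10) logons from one source, and a successful RDP logon from a source that had just been failing. The event records, field names and thresholds are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security log fields
# (4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP / RemoteInteractive).
SAMPLE_EVENTS = [
    {"time": "2021-11-10T02:00:05", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2021-11-10T02:00:09", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2021-11-10T02:00:14", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "backup"},
    {"time": "2021-11-10T02:00:20", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "svc_sql"},
    {"time": "2021-11-10T02:00:27", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "jsmith"},
    {"time": "2021-11-10T02:01:02", "id": 4624, "logon_type": 10, "ip": "198.51.100.7", "user": "jsmith"},
    {"time": "2021-11-10T09:15:00", "id": 4624, "logon_type": 10, "ip": "10.0.0.25", "user": "jsmith"},
    {"time": "2021-11-10T09:16:00", "id": 4625, "logon_type": 3, "ip": "10.0.0.31", "user": "jsmith"},
]


def rdp_logon_alerts(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts about suspicious RDP logon activity, one per (source IP, pattern).

    Patterns flagged:
      * brute_force: at least fail_threshold failed RDP logons from one IP inside `window`
      * success_after_failures: a successful RDP logon from an IP that failed within `window`
    Only LogonType 10 events are considered; other logon types are ignored.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failed RDP logons
    alerted = set()               # (ip, kind) pairs already reported, to avoid duplicates
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue
        ts, ip = datetime.fromisoformat(ev["time"]), ev["ip"]
        # Drop failures that have aged out of the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["id"] == 4625:
            failures[ip].append(ts)
            if len(failures[ip]) >= fail_threshold and (ip, "brute_force") not in alerted:
                alerted.add((ip, "brute_force"))
                alerts.append({"ip": ip, "kind": "brute_force", "failures": len(failures[ip]), "time": ev["time"]})
        elif ev["id"] == 4624 and failures[ip] and (ip, "success_after_failures") not in alerted:
            alerted.add((ip, "success_after_failures"))
            alerts.append({"ip": ip, "kind": "success_after_failures", "user": ev["user"],
                           "prior_failures": len(failures[ip]), "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in rdp_logon_alerts(SAMPLE_EVENTS):
        print(alert)
```

The normal daytime logon from 10.0.0.25 and the non-RDP failure from 10.0.0.31 produce no alerts; in practice the same logic would be fed from the Security event log export rather than the inline sample.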