Researchers at Intel 471 reported that the slowdown in malware activities is “primarily due to a huge shift by Trickbot’s operators, including working with the operators of Emotet.” TrickBot, the well-known Windows crimeware-as-a-service (CaaS) platform used by a variety of threat actors to deliver next-stage payloads such as ransomware, appears to be in the middle of a shift, with no new activity since the beginning of the year.
Even as the malware’s command-and-control (C2) infrastructure continued to push plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. The attacks, which began in November 2021, used an infection sequence in which TrickBot downloaded and executed Emotet binaries, a reversal of the earlier pattern in which Emotet was frequently used to drop TrickBot samples prior to the takedown.
Surprisingly, the drop in operation volume has overlapped with the TrickBot gang collaborating closely with the operators of Emotet, which reappeared late last year after a 10-month hiatus due to law enforcement efforts to combat the malware.
According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware gang is thought to have acqui-hired several elite TrickBot coders to retire the malware and replace it with improved variations like BazarBackdoor.
Additionally, after Emotet’s comeback in November 2021, Intel 471 observed instances of TrickBot pushing Qbot installs to infected systems, highlighting the prospect of a behind-the-scenes shake-up to relocate operations to other platforms.
With TrickBot becoming increasingly visible to law enforcement in 2021, it is perhaps unsurprising that the threat actor behind it is actively attempting to change tactics and improve its protective mechanisms.
Finally, the researchers concluded: “Perhaps the operators of TrickBot were forced to forsake it by a mix of unwelcome attention to TrickBot and the advent of other, improved malware platforms. We believe the malware control infrastructure (C2) is being maintained because the remaining bots have some monetization potential.”