Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds

IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks — particularly ones using the Conti ransomware.

As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106 (aka TA551) and Hive0107. These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall, which is tracked as Hive0105. In one of their recent BazarCall campaigns, ransomware distributors sent fake emails announcing the recipient had purchased tickets for a Justin Bieber concert tour. ITG23 is adept at using its distribution channels to increase scale and drive profits.

Game On

In recent months, the cybercriminal organization that IBM X-Force threat intelligence tracks as ITG23, also known as Trickbot and Wizard Spider, has expanded the number and variety of channels it uses to distribute its key initial payloads. In this article, IBM X-Force, together with Cylera analysts, addresses the growing number of campaigns that ITG23 is using to deliver proprietary malware, including distribution through other cybercrime groups that X-Force tracks as Hive0105, Hive0106 and Hive0107.

Earlier this year, ITG23 primarily relied on email campaigns delivering Excel documents and a call center ruse known as BazarCall to deliver its payloads to corporate users. However, starting around June 20 ..