The TrickBot gang, responsible for creating BazarLoader, the Conti ransomware, and the infamous TrickBot trojan, has become even more powerful by expanding its distribution tactics. The gang now represents a real threat to larger enterprises.
TrickBot achieved this by adding two additional distribution affiliates in Hive0106 (or TA551) and Hive0107. They are now carrying out escalating ransomware attacks on corporations, particularly through the Conti ransomware.
Affiliate 1: Hive0106
The most important partnership for TrickBot’s recent development, according to IBM researchers, is the one with spamming powerhouse – Hive0106. This group specializes in massive amounts of spamming and has recently been looking to partner up with powerful cybercrime groups.
Their campaigns begin with hijacking email threads, which are stolen during prior infections. Then, they are able to jump into ongoing correspondences and send mail pretending to be the right account holder.
“The emails include the email thread subject line but not the entire thread,” according to an IBM X-Force writeup. “Within the email is an archive file containing a malicious attachment and password.”
The malicious attachment includes an HTML application (HTA). “HTA files contain hypertext code and may also contain VBScript or JScript scripts, both of which are often used in boobytrapped macros,” according to the analysis. “The HTA file then downloads Trickbot or BazarLoader, which has subsequently been observed downloading Cobalt Strike.”
Cobalt Strike is a legitimate pen-testing tool that a lot of hackers use to help with lateral movement and is often a precursor to a ransomware attack.
Affiliate 2: Hive0107
TrickBot managed to hook up with another prominent affiliate this past summer. During the first half of 2021, Hive 0107 helped distribute the IcedID trojan before transferring over to Trickbot while retaining their patented contact form distribution method.
With this method, Hive0107 usually gathers company email addresses and sends malicious emails targeting unwitting employees. The emails typically threaten legal action for some reason, such as using copyrighted images and include a link for “evidence.”
In the newer campaigns, however, Hive0107 is orchestrating DDoS attacks to destabilize the victim organization’s network. They then send out emails claiming to “show them how to fix DDoS attacks.”
Whichever tactic they use, their emails contain a link hosted on a legitimate storage website. “Clicking on the link downloads a ZIP archive containing a malicious JScript (JS) downloader titled ‘Stolen Images Evidence.js’ or ‘DDoS attack proof and instructions on how to fix it.js,’” researchers explained. “The JS file contacts a URL on newly created domains to download BazarLoader.”
BazarLoader then goes on to download Cobalt Strike and a PowerShell script exploiting the PrintNightmare vulnerability.
TrickBot Rise to the Top
With these new developments and increased sophistication, TrickBot has proven to be among cybercrime’s elite. “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware,” IBM researchers said.
Starting as a banking trojan in 2016, TrickBot has evolved into a legitimate threat for many organizations. It is capable of various backdoor and data-theft functions, payloads and can spread quickly throughout an enterprise.