TrickBot Gang Switches to New Malware
Reading Time: 2 minutes

TrickBot gang switches to new malware tactics, the group is known for using the infamous Windows crimeware-as-a-service (CaaS) to carry out numerous cyber attacks. 

TrickBot Gang has been dormant since the start of the year and now looks like it has changed tactics with new malware. The threat actors appear to be undergoing a transition of sorts. 

According to Intel471, the silence in the malware campaigns is partially due to a big shift from Trickbot’s operators, including working with the operators of Emotet.

December 28, 2021, was the last time TrickBot was involved in a cyberattack incident. Though the command-and-control (C2) infrastructure associated with the malware has continued to serve additional plugins and web injects to infected nodes in the botnet.

Though there has been a decrease in the volume of the campaign on the other hand the TrickBot gang working closely with the operators of Emotet, reappeared on the scene late last year after a 10-month-long break following law enforcement efforts to tackle the malware.

The attacks in November 2021, featured an infection sequence used by TrickBot as a conduit to download and execute Emotet binaries. Prior to the takedown, Emotet was often used to drop TrickBot samples.

According to the researchers, “It’s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn’t been updated in a major way.”

The researchers added instances of TrickBot pushing Qbot installs to the compromised systems shortly after Emotet’s return in November 2021. Thus raising suspicions of a behind-the-scenes shake-up to migrate to other platforms.

Last year TrickBot came under the radar of law enforcement resulting in the threat actors trying to shift tactics and update their defensive measures.

In yet another report published by Advanced Intelligence (AdvIntel) last week, the Conti ransomware cartel is believed to have acquired-hired several elite developers of TrickBot to retire the malware in favor of enhanced tools such as BazarBackdoor.

The researchers noted, “Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots.”

Related Articles:
Organizations Need To Increase Website Security After Russian Attack
Hackers use Dridex Malware and Entropy Ransomware on Hacked Computers
APT10 Hacking group targets Taiwanese financial firms