TrickBot Operators Collaborate with Shathak Attackers for the deployment of Conti Ransomware

TrickBot operators collaborate with Shathak attackers for the deployment of Conti Ransomware on infected machines. 

Cybereason security analysts Aleksandar Milenkoski and Eli Salem, analyzing the group's recent malware distribution campaigns, said: “The implementation of TrickBot has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities. TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors.”

IBM X-Force, in a report last month, described TrickBot’s partnerships with other cybercrime gangs, including Shathak, to deliver proprietary malware. Shathak is a sophisticated cybercrime actor targeting end-users on a global scale, also tracked under the moniker TA551. It acts as a malware distributor by leveraging password-protected ZIP archives containing macro-enabled Office documents.

The TrickBot gang, also tracked as ITG23 or Wizard Spider, is responsible for developing and maintaining the Conti ransomware. Additionally, it leases access to the malicious software to affiliates via a ransomware-as-a-service (RaaS) model.

Shathak is known for sending phishing emails carrying malware-laced Word documents that ultimately lead to the deployment of TrickBot or BazarBackdoor. That foothold is later used as a conduit to deploy Cobalt Strike beacons and, only after reconnaissance, lateral movement, credential theft, and data exfiltration have been carried out, the ransomware itself.

The Cybereason researchers calculated an average Time-to-Ransom (TTR) of two days. This is the time elapsed from when the threat actor gains initial access to a network to when the threat actor actually deploys the ransomware.

Earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) reported more than 400 Conti ransomware attacks targeting U.S. and international organizations as of September 2021.

The agencies have recommended enforcing a variety of mitigation measures, including “requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date,” to secure systems against Conti ransomware.
