DecryptedTech

Tuesday, 05 July 2022

Trickbot Shuttering its Infrastructure as it moves to New Methods and Malware



It looks like the group behind Trickbot, the Swiss Army knife of Malware-as-a-Service for Windows, is shutting down the framework and the infrastructure behind the "solution". According to the research groups that have been tracking the campaign, several factors have led up to the disappearance. One of the most recent changes appears to be a shift of effort toward a new malware family, and potentially the group being "acquired" by another malware operator.

The new partnership/acquisition appears to be with the same group behind Emotet. As reported by Intel 471, the group has not registered any new campaigns since December 28th, 2021. The C2 infrastructure and botnet were still functional, still serving existing campaigns and even picking up new "add-ins". Now the news is that as of yesterday, Thursday, Feb 24th, Trickbot is gone. Before you pop the champagne, this does not mean the group is going away. It means the operators know the Trickbot tool has run its course and are moving to other tools.

When Trickbot hit the internet as a banking trojan it quickly made the rounds. It was so successful that the developers kept adding features until it became an extremely prevalent method of deploying second-stage malware. However, as its popularity and reach increased, so did the response to the threat. This led to efforts by Microsoft, US Cyber Command and others to go after the infrastructure behind the notorious malware.

As with any business, the operators of Trickbot began development of a new product and the infrastructure behind it, to the tune of an estimated $20 million. Reports also indicate that the group (often attributed to the Russian criminal organization tracked as Wizard Spider) has been hiring new engineers and talent to help it adapt and change its product. One of these projects could be the relatively new BazarLoader, alongside the partnership with the team behind Emotet and the group behind Conti.

The consolidation of efforts between groups like these, while not unheard of, is a bit concerning. You have three major groups that have worked together in the past but now appear to be actively integrated. With the pool of talent and the target list both expanding through this "merger", we can only expect even more sophisticated malware to come out of these teams. Malware and cybercrime as a service is not going anywhere; it is just going to evolve. Security teams and security tool providers will need to evolve to meet these new threats. It also means that the "basics" of security still deserve attention, including patching and configuration reviews, so that attackers have as few holes as possible to use as a pivot into your environment. Organizations also need to focus on building a solid "all-in" security culture to reduce the chance that human error enters the equation.
