TrickBot’s top members are now believed to be working under the control of the Conti ransomware group.

What has been found?

  • Researchers from AdvIntel found that in 2021, Conti became the only beneficiary of TrickBot’s supply of high-quality network accesses. 
  • In late-2021, Conti became a subsidiary instead of a partner.

The reason behind this development could be the multiple takedown attempts on the TrickBot infrastructure.

The claims

Conti’s main admin stated that they have taken complete control over TrickBot.
  • Based on internal Conti conversations accessed by researchers, BazarBackdoor developers have moved from being part of TrickBot’s operation to a separate tool whose development is managed by Conti.
  • However, the bot is dead; and moving forward they will use BazarBackdoor as a primary tool for initial access rather thanTrickBot.

Why bot possibly disappeared?

As TrickBot became easily detectable by antivirus, the attacker started using its new tool BazarBackdoor, which is developed specifically for targeting high-value targets stealthily to obtain initial access to networks.

The bottom line

The recent finding shows that the TrickBot operation is not finished and just moved under the new management of the Conti group. The new management may improve the group’s capabilities further, making it an even more fearsome threat.

Cyware Publisher