The TrickBot gang (aka ITG23 group) is working together with the TA551 (aka Shatak) threat group, IBM X-Force researchers have established. According to them, the two groups have been cooperating since July, deploying several malware families, including Conti ransomware, on compromised systems.
The joint attack
In collaboration with TrickBot, TA551 is operating via remote malware distribution sites based in European countries such as Slovakia, the Netherlands, and Germany.
In a typical attack, the potential victim receives a password-protected archive in phishing emails.
This archive comes with malicious documents whose macros download and execute TrickBot and BazarBackdoor from the remote distribution site.
These malware families are then used for further malicious activity, such as reconnaissance, credential theft, and data exfiltration.
On average, the reconnaissance and exfiltration phase lasts about two days.
Reconnaissance and exfiltration
The operators of the campaign use the abandoned BazarBackdoor for enumerating users, domain administrators, shared resources, and shared computers, as well as for network reconnaissance.
They deploy the Cobalt Strike beacon on the compromised system and add scheduled tasks for persistence.
The attackers steal user credentials, Active Directory data, and password hashes, and abuse any exploitable weakness to move laterally across the network.
Additionally, they modify registry values to enable RDP connectivity and tamper with Windows Firewall rules using the ‘netsh’ command.
The real-time monitoring feature of Windows Defender is also disabled so that no alerts fire during the encryption process.
In the final stage before file encryption, Conti uses the Rclone tool to exfiltrate data and send it to a remote endpoint. Two days after the initial infection, Conti is deployed.
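The defender-side view of the staging steps described above, as an added example (not code from the article or from IBM X-Force): a small detector that runs the behaviours listed here (scheduled-task persistence, RDP enabled via the registry, netsh firewall tampering, Defender real-time monitoring disabled, Rclone exfiltration) over constructed process-creation records, and flags hosts where several of them cluster, which is the pre-encryption pattern the research describes. The command lines, host names and timestamps are constructed samples; the registry value name and PowerShell parameter are the well-known ones for those settings, assumed here rather than taken from the article.

```python
import re
from collections import defaultdict

# Constructed process-creation records (hypothetical; not from the article or any real incident).
SAMPLE_EVENTS = [
    {"ts": "2021-11-02T09:10:00", "host": "WS-07", "cmd": "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\upd.exe /sc onlogon"},
    {"ts": "2021-11-02T09:12:30", "host": "WS-07", "cmd": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"ts": "2021-11-02T09:13:05", "host": "WS-07", "cmd": "netsh.exe advfirewall set allprofiles state off"},
    {"ts": "2021-11-02T09:15:40", "host": "WS-07", "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2021-11-03T22:41:12", "host": "FS-01", "cmd": "rclone.exe copy D:\\Shares\\Finance remote:backup --transfers 8"},
    {"ts": "2021-11-02T10:00:00", "host": "WS-12", "cmd": "netsh.exe interface show interface"},   # benign admin use
    {"ts": "2021-11-02T11:00:00", "host": "WS-12", "cmd": "schtasks.exe /query /fo LIST"},          # benign admin use
]

# One command-line pattern per behaviour named in the article's description of the intrusion.
RULES = {
    "scheduled_task_persistence": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "rdp_enabled_via_registry": re.compile(r"fDenyTSConnections.*\s/d\s+0\b", re.I),
    "firewall_rules_tampered": re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", re.I),
    "defender_realtime_disabled": re.compile(r"DisableRealtimeMonitoring\s+\$?true", re.I),
    "rclone_exfiltration": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
}


def match_events(events):
    """Return (host, ts, rule_name) for every event whose command line hits a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], ev["ts"], name))
    return hits


def staging_hosts(hits, min_rules=2):
    """Hosts on which at least min_rules distinct behaviours fired.

    A single hit (e.g. one netsh call) is often legitimate administration; several
    of these behaviours on one host is the staging pattern seen before Conti deploys.
    """
    by_host = defaultdict(set)
    for host, _ts, name in hits:
        by_host[host].add(name)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for host, rules in staging_hosts(found).items():
        print(f"{host}: {', '.join(rules)}")
```

The Rclone hit on FS-01 stays a single-rule finding and is worth its own alert, since exfiltration is the last step before encryption in this campaign.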
Connection with other groups
In a recent report by the French CERT, TA551 was identified as a collaborator of the recently identified ransomware group Lockean.
In that campaign, the group sent phishing emails to distribute the QakBot trojan, which is known for spreading multiple ransomware strains such as ProLock, Egregor, and DoppelPaymer.
This indicates that TA551 may be working with other ransomware groups in addition to ITG23.
The recent collaboration between TrickBot and TA551 shows how threat groups help each other grow. It further increases the risk of destructive attacks, so organizations should prepare adequate security measures, including regular backups of important data to a secure off-site location.