Trickbot and TA551 Are Buddies

The joint attack

• In a typical attack, the potential victim receives a password-protected archive in phishing emails. 
• This archive comes with malicious documents whose macros download and execute TrickBot and BazarBackdoor from the remote distribution site. 
• These malware carry out other malicious activities, such as reconnaissance, credential theft, and data exfiltration.
• On average, reconnaissance and exfiltration have a duration of two days.

Reconnaissance and exfiltration

• The operators of the campaign use the abandoned BazarBackdoor for enumerating users, domain administrators, shared resources, and shared computers, as well as for network reconnaissance. 
• They deploy the Cobalt Strike beacon on the compromised system and add scheduled tasks for persistence. 
• Hackers steal user credentials, Active Directory data, password hashes, and abuse anything exploitable to spread across the network.
• Additionally, they fiddle with registry values to enable RDP connectivity and tamper with Windows Firewall rules using ‘netsh’ command.
• The real-time monitoring feature of Windows Defender is disabled as well to stop any alert during the encryption process.
• In the final stage before file encryption, Conti uses the Rclone tool to exfiltrate data and send it to a remote endpoint. Two days after the initial infection, Conti is deployed.

Connection with other groups

• In that campaign, the group was sending phishing emails to distribute the QakBot trojan, which is known for spreading multiple ransomware strains such as ProLock, Egregor, and DoppelPaymer.
• This clearly manifests that TA551 may be working with other ransomware groups, along with the ITG23.

Conclusion