The infamous Trickbot group is rising again; this time by expanding its malware distribution channels for spreading Trickbot and BazarLoader. The recent rise is followed by an increase in other malware attacks, especially Conti ransomware.

Partnership pumps malware usage

Since June, researchers have observed an increase in Trickbot/BazarLoader deliveries. 
  • Recently the Trickbot group has joined hands with several malware distribution partners, including Hive0105, Hive0106, and Hive0107.
  • Hive0107 and Hive0106 infect organizational networks by hijacking email threads, using fake customer response forms, and social engineering employees using a fake call center, known as BazarCall, or Hive0105.
  • Meanwhile, in the second half of 2021, the surge in Conti ransomware attacks was attributed majorly to the rise in Trickbot and BazarLoader activity.

Let’s discuss partners

  • The Hive0106 group, that started the propagation of Trickbot malware with ‘zev’ gtag in June switched to BazarLoader around mid-to-late July. It spread Trickbot using the ‘zem’ and ‘zvs’ gtags in September and October, respectively.
  • Hive0107 started propagating the malware between mid-May and mid-July and used the ‘mod’ gtag. It soon started deploying BazarLoader payload against organizations in the U.S. and somewhat in Canada and Europe.
  • Hive0105 or Bazarcall is one of the most infamous distributors of BazarLoader, and sometimes Trickbot. Launched in February, its use would often lead to data exfiltration and ransomware deployments such as Conti.

Other notable affiliations

Apart from the above, other campaigns have been spotted spreading Trickbot and BazarLoader. 
  • IBM researchers have spotted a small number of campaigns using the fat1, sat, and soc1 gtags. These campaigns use malicious Office, LNK, and JS downloaders distributed as email attachments.
  • These malicious files are believed to be commercial and sourced from other malware vendors. In some cases, Zeppelin ransomware was being spread that had no connection to the Trickbot group.
  • Researchers could not confirm whether the delivery of these malicious emails is controlled by Trickbot personnel or if other associates such as Hive0106/Hive0107 are helping.
  • Netwalker and Cherry are also presumed to be working with the Trickbot gang. Around a year ago, they were spreading Trickbot using ‘net’/‘che’ gtags.

Ending notes

Trickbot has emerged from the dead and is expanding at a very rapid pace by forming new partnerships. For better protection, organizations are recommended to maintain reliable backups and proactive strategies to stop unauthorized data theft. Additionally, enabling multi-factor authentication is a good strategy to follow.

Cyware Publisher