The cyber-criminals behind the infamous Trick Bot trojan have signed 2 additional distribution affiliates, dubbed Hive0106 (aka TA551) & Hive0107 by IBM X-Force. This enables escalating ransomware to hit corporations, especially using the Conti ransomware.
The group – which also created Bazar Loader & the Conti ransomware – has improved its distribution tactics to threaten enterprises more than ever.
The development also shows the Trick Bot gang’s increasing sophistication & standing in the cybercrime underground, IBM researchers stated:
“This latest development demonstrates the strength of its connections within the cyber-criminal ecosystem & its ability to use these relationships to expand the number of organisations infected with its malware.”
Banking Trojan
The Trick Bot malware started life as a banking trojan back in 2016, but it quickly evolved to become a modular, full-service threat. It’s capable of a range of backdoor & data-theft functions, can deliver additional payloads, & has the ability to quickly move laterally throughout an enterprise.
According to IBM, the Trick Bot gang (aka ITG23 or Wizard Spider) has now added powerful additional distribution tactics to its tricks, thanks to the 2 new affiliates.
Bazar Call
“Earlier this year, the Trick Bot gang primarily relied on email campaigns delivering Excel documents & a call-centre ruse known as Bazar Call to deliver its payloads to corporate users,” IBM researchers stated in a Wed. analysis.
“However…the new affiliates have added the use of hijacked email threads & fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever.”
Trial Subscriptions
Bazar Call is a distribution tactic that starts with emails offering “trial subscriptions” to various services – with a phone number listed to call customer service to avoid being charged money. If someone calls, a call-centre operator answers & directs victims to a website to purportedly unsubscribe from the service: a process the “agent” walks the caller through.
In the end, vulnerable computers become infected with malware – usually the Bazar Loader implant, which is another malware in the Trick Bot gang’s arsenal, & sometimes Trick Bot itself. These types of attacks have continued into the Autumn, enhanced by the fresh distribution approaches, according to IBM.
Ransomware Economy
Meanwhile, since 2020, the Trick Bot gang has been heavily involved in the ransomware economy, with the Trick Bot malware acting as an initial access point in campaigns. Users infected with the trojan will see their device become part of a botnet that attackers typically use to load the 2nd-stage ransomware variant.
The operators have developed their own ransomware as well, according to IBM: the Conti code, which is notorious for attacking hospitals, destroying backup files & pursuing double-extortion tactics.
Conti Ransomware Attacks
IBM noted that since the 2 affiliates came on board in June, there has been a corresponding increase in Conti ransomware attacks – not likely a coincidence.
“Ransomware & extortion go hand in hand nowadays,” according to the firm’s analysis.
“The Trick Bot gang has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) & the use of its Bazar Loader & Trick bot payloads to gain a foothold for ransomware attacks.”
Affiliate Hive0106
IBM X-Force researchers noted that the most important development since June for the distribution of the Trick Bot gang’s various kinds of malware is the newly minted partnership with Hive0106 (aka TA551, Shathak & UNC2420).
Hive0106 specialises in massive volumes of spamming & is a financially motivated threat group that has lately been looking to partner with elite cybercrime gangs, the firm outlined.
Hive0106 campaigns begin with hijacking email threads: a tactic pioneered by its frenemy Emotet. The tactic involves jumping into ongoing correspondence to respond to an incoming message under the guise of being the rightful account holder.
Prior Infections
These existing email threads are stolen from email clients during prior infections. Hive0106 is able to mount these campaigns at scale, researchers observed, using newly created malicious domains to host malware payloads.
“The emails include the email thread subject line but not the entire thread,” according to IBM X-Force’s writeup. “Within the email is an archive file containing a malicious attachment & password.”
In the new campaigns, that malicious document drops an HTML application (HTA) file when macros are enabled.
Hypertext Code
“HTA files contain hypertext code & may also contain VBScript or JScript scripts, both of which are often used in boobytrapped macros,” according to the analysis. “The HTA file then downloads Trick Bot or Bazar Loader, which has subsequently been observed downloading Cobalt Strike.”
Cobalt Strike is the legitimate pen-testing tool that’s often abused by cyber-criminals to help with lateral movement. It is often a preliminary to a ransomware infection.
Iced ID Trojan
Another prominent affiliate that linked up to the Trick Bot gang this summer is Hive0107, which spent the 1st half of the year distributing the Iced ID trojan (a Trick Bot rival). It switched to Trick Bot in May, using its patented contact form distribution method.
Analysts “observed Hive0107 with occasional distribution campaigns of the Trick Bot malware detected mid-May until mid-July 2021…after that period, Hive0107 switched entirely to delivering Bazar Loader,” according to the researchers, who added that most of the campaigns target organisations in the US &, to a lesser extent, Canada & Europe.
Malicious Links
Hive0107 is well-known for using customer contact forms on company websites to send malicious links to unwitting employees. Usually, the messages it sends threaten legal action, according to the analysis.
Before, the cyber-criminals used copyright infringement as a tactic: “The group typically enters information into these contact forms — probably using automated methods — informing the targeted organisation that it has illegally used copyrighted images & includes a link to their evidence,” IBM X-Force researchers explained.
Different Lure
In the new campaigns, Hive0107 is using a different lure, the researchers stated, claiming that the targeted company has been performing distributed denial-of-service (DDoS) attacks on its servers. Then, the messages provide a malicious link to purported evidence & how to remedy the situation.
The group also sends the same content via email to organisation staff – an additional switch-up in tactics.
The links are hosted on legitimate cloud storage services where the payload lives, according to the analysis.
ZIP Archive
“Clicking on the link downloads a .ZIP archive containing a malicious JScript (JS) downloader titled ‘Stolen Images Evidence.js’ or ‘DDoS attack proof & instructions on how to fix it.js,’” researchers explained. “The JS file contacts a URL on newly created domains to download Bazar Loader.”
Bazar Loader then goes on to download Cobalt Strike & a PowerShell script to exploit the Print Nightmare vulnerability (CVE-2021-34527), they added & sometimes Trick Bot.
“IBM suspects that access achieved through these Hive0107 campaigns is ultimately used to initiate a ransomware attack,” the researchers noted.
Cyber-Criminal Elite
The new affiliate campaigns are evidence of the Trick Bot gang’s continuing success breaking into the circle of the cyber-criminal elite, the firm concluded – a trend IBM X-Force expects to continue into next year.
“The gang started out aggressively back in 2016 & has become a cyber-crime staple in the Eastern European threat-actor arena,” researchers explained. “In 2021, the group has repositioned itself among the top of the cyber-criminal industry.”
They added, “The group already has demonstrated its ability to maintain & update its malware & infrastructure, despite the efforts of law enforcement & industry groups to take it down.”
How to Protect Companies When Trick Bot Hits
To reduce the chances of suffering catastrophic damage from an infection (or a follow-on ransomware attack), IBM recommends taking the following steps:
- Ensure you have backup redundancy, stored separately from network zones attackers could access with read-only access. The availability of effective backups is a significant differentiator for organisations & can support recovery from a ransomware attack.
- Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading substantial amounts of data to legitimate cloud storage platforms that attackers can abuse.
- Employ user-behaviour analytics to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor & quickly act on suspected abuse related to privileged accounts and groups.
- Employ multi-factor authentication on all remote access points into an enterprise network.
- Secure or disable remote desktop protocol (RDP). Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.
