10150931055?profile=RESIZE_400xCyber threat investigators believe the infamous TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns.  TrickBot has been around since 2016.  It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information.  See:  https://redskyalliance.org/xindustry/trickbot-has-learned-more-tricks

TrickBot has survived a takedown attempt and the arrests of some developers.  It also helped the Emotet malware get back in the game following a law enforcement action that disrupted its global operation in January 2021.  TrickBot developers have also collaborated with the creators of the Ryuk and Conti ransomware.[1]

The Conti ransomware emerged in 2020 and cybercriminals have used it in attacks against many organizations worldwide.  In these attacks, Conti operators not only encrypt files on compromised systems, but also steal data that they can threaten to leak if the victim refuses to pay a ransom.  The cybercriminals are believed to have made hundreds of millions of dollars.  More than a dozen victims are listed on Conti’s Tor-based leak website at the time of writing, including British snacks company KP Snacks.  The hackers have leaked hundreds of megabytes of data allegedly stolen from the firm.  See:  https://redskyalliance.org/xindustry/resurgence-of-conti-ransomware

The Conti group appears to have prospered and they have reached “crime syndicate” status during a time when law enforcement organizations worldwide have increasingly cracked down on cybercrime.  Russia claims to be investigating these cyber groups too. (Cough, cough, cough…)

Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti, possibly even for its survival.  The Emotet-TrickBot-Ryuk supply chain was extremely resilient.  With a stable and high-quality supply of accesses coming from a single organized source, Conti was able to maintain its image without any major structural changes.  When the rest of the ransomware gangs were massively hiring random affiliates and delegating them to breach corporate networks, Conti was working in a trust-based, team-based manner.

Investigators believe that Conti at one point became “the sole end-user of TrickBot’s botnet product,” which ultimately led to TrickBot being essentially acquired by the Conti group by the end of 2021.  TrickBot is still operational, but the vast number of indicators of compromise (IoCs) associated with the malware have made it easy to detect and it’s no longer used by Conti.  While the TrickBot malware has reached its limits, its “elite developers and managers” are very useful to the Conti operation.

The TrickBot group has been working on BazarBackdoor, a stealthier malware that is currently used in attacks aimed at high-value targets.  It is suspected that the people who have led TrickBot throughout its long run will not simply disappear, rather they will form new partnerships and alliances.     

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization who has long collected and analyzed cyber indicators as the above links indicate.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://www.securityweek.com/conti-ransomware-acquires-trickbot-it-thrives-amid-crackdowns

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance