Trickbot Malware Expands Its Distribution Channels

Summary

The TrickBot gang, also known as Wizard Spider and ITG23, has resurfaced with new distribution channels, infecting users with Trickbot and BazarLoader. The threat actor has been found partnering with Hive0105, Hive0106 (aka TA551) and Hive0107.

“These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall, which is tracked as Hive0105. In one of their recent BazarCall campaigns, ransomware distributors sent fake emails announcing the recipient had purchased tickets for a Justin Bieber concert tour. ITG23 is adept at using its distribution channels to increase scale and drive profits,” said researchers Ole Villadsen and Charlotte Hammond in the IBM X-Force report.

Earlier in the year, the threat actors relied on email campaigns delivering Excel documents and a call center ruse dubbed “BazaCall” to deliver malware to corporate users. Around June 2021 the group started its partnership with the two cybercrime affiliates, which hijacked email threads and abused website customer inquiry forms to deploy Cobalt Strike payloads. This partnership increased the volume of messages and expanded the delivery methods.

“Starting in late August 2021, Hive0107 began using a new ruse, informing the targeted company that its website has been performing distributed denial of service (DDoS) attacks on its servers and providing a link with the supposed evidence and how to ‘fix’ the problem.” When the user clicks the link, a ZIP archive containing a JavaScript (JS) downloader (named ‘Stolen Images Evidence.js’ or ‘DDoS attack proof and instructions on how to fix it.js’) is downloaded. “The JS file contacts a URL on newly created domains to download BazarLoader, which has been observed subsequently downloading Cobalt Strike and a PowerShell script to exploit the PrintNightmare vulnerability.”
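The delivery chain above starts with a ZIP archive whose only payload is a Windows script file, which is something a mail gateway or endpoint tool can flag before any user double-clicks it. The following is an added defensive example written for this page, not code from IBM X-Force or from the article: it inspects a ZIP's member list, flags members whose final extension is a Windows Script Host type, and separately matches the two lure file names quoted above. The sample archives are constructed in memory with placeholder contents so the script runs offline; the script-extension list and the function names are the editor's choices, not anything taken from the report.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that Windows Script Host or mshta execute directly on double-click.
# A ZIP whose members carry these is a common social-engineering lure.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Lure file names quoted on this page (Hive0107 DDoS-evidence ruse), lower-cased.
KNOWN_LURE_NAMES = {
    "stolen images evidence.js",
    "ddos attack proof and instructions on how to fix it.js",
}


def inspect_zip(data: bytes) -> Dict[str, object]:
    """Return a verdict for a ZIP archive supplied as bytes.

    'script_members' lists every file whose last extension is a script type
    (this also catches double extensions such as 'invoice.pdf.js');
    'known_lure_names' lists members matching the names reported in the article.
    """
    script_members: List[str] = []
    lure_hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in SCRIPT_EXTENSIONS:
                script_members.append(name)
            if base in KNOWN_LURE_NAMES:
                lure_hits.append(name)
    return {
        "suspicious": bool(script_members),
        "script_members": script_members,
        "known_lure_names": lure_hits,
    }


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP (test fixture only, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a lure-style archive with a placeholder script body,
# a double-extension variant, and a benign archive.
LURE_ZIP = build_sample_zip({
    "Stolen Images Evidence.js": b"// placeholder body, not a real downloader\n",
})
DOUBLE_EXT_ZIP = build_sample_zip({
    "docs/invoice.pdf.js": b"// placeholder body\n",
})
BENIGN_ZIP = build_sample_zip({
    "report.pdf": b"%PDF-1.4 placeholder\n",
    "images/photo.jpg": b"\xff\xd8\xff placeholder",
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("double-ext", DOUBLE_EXT_ZIP), ("benign", BENIGN_ZIP)):
        print(label, inspect_zip(blob))
```

The check looks only at the central directory, so it works on attachments before extraction and never executes anything inside the archive; pairing it with a rule that blocks script files inside archives at the gateway, or that opens `.js` with a text editor instead of WScript on endpoints, removes the first link of the chain described in the report.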

“ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks. This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware,” the report concludes.

Read the full IBM X-Force report here.