TrickBot Gang Shifted Its Focus To “Systematic” Targeting Ukraine


In what has been described as an “unprecedented” twist, the operators of the TrickBot malware have resorted to systematic attacks on Ukraine since the start of the war in late February 2022.

The group is said to have orchestrated at least six phishing campaigns targeting targets aligned with the interests of the Russian state, with the emails acting as a lure for the delivery of malicious software such as IcedID, Cobalt Strike, AnchorMail and Meterpreter.

The financially motivated cybercrime gang, which goes by the names ITG23, Gold Blackburn and Wizard Spider, is known for developing the TrickBot banking trojan and was folded into the now-discontinued Conti ransomware cartel earlier this year.

But just weeks later, the group's actors resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail, which uses the SMTPS and IMAP protocols for command-and-control communication.

“ITG23’s campaigns against Ukraine are notable for the degree to which this activity differs from historical precedent and the fact that these campaigns targeted Ukraine specifically with some payloads suggesting a higher degree of target selection,” IBM Security X-Force analyst Ole Villadsen said in a technical report.

A noticeable shift in the campaigns is the use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter and AnchorMail as first-stage payloads. The attacks are said to have started in mid-April 2022.

Interestingly, the threat actor exploited the specter of nuclear war in its email ploy to distribute the AnchorMail implant, a tactic that would be repeated two months later by the Russian state-backed group tracked as APT28 to spread data-stealing malware in Ukraine.

In addition, the Cobalt Strike sample deployed as part of a May 2022 campaign used a new crypter called Forest to evade detection. The same crypter has also been used in conjunction with the Bumblebee malware, lending credence to theories that the loader is operated by the TrickBot gang.

“Ideological divisions and allegiances have become increasingly evident within the Russian-speaking cybercriminal ecosystem this year,” Villadsen noted. “These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups.”

The development comes as Ukrainian media outlets have been targeted with phishing messages carrying malware-laced documents that exploit the Follina vulnerability to drop the DarkCrystal RAT on compromised systems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has also warned of intrusions carried out by a group called UAC-0056, which attacks state organizations with personnel-themed lures to drop Cobalt Strike Beacons on the hosts.

The agency also warned last month of the use of the Royal Road RTF weaponizer by a China-based actor codenamed Tonto Team (aka Karma Panda) to target scientific and technical enterprises and government agencies in Russia with the Bisonal malware.

Attributing the attacks to the advanced persistent threat (APT) group with medium confidence, SentinelOne said the findings show “an ongoing effort” on the part of the Chinese intelligence apparatus to target a wide range of Russia-affiliated organizations.