Experts at threat intelligence and ransomware disruption company AdvIntel believe the notorious TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns.
TrickBot has been around since 2016. It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information.
TrickBot has survived a takedown attempt and the arrests of some developers. It also helped the Emotet malware get back in the game following a law enforcement action that disrupted its global operation in January 2021.
TrickBot developers have also collaborated with the creators of the Ryuk and Conti ransomware.
The Conti ransomware emerged in 2020 and cybercriminals have used it in attacks against many organizations worldwide. In these attacks, Conti operators not only encrypt files on compromised systems, but also steal data that they can threaten to leak if the victim refuses to pay a ransom. The cybercriminals are believed to have made hundreds of millions of dollars.
More than a dozen victims are listed on Conti’s Tor-based leak website at the time of writing, including British snacks company KP Snacks. The hackers have leaked hundreds of megabytes of data allegedly stolen from the firm.
The Conti group appears to have prospered and AdvIntel says they have reached “crime syndicate” status during a time when law enforcement organizations worldwide — including in Russia — have increasingly cracked down on cybercrime.
“Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti, possibly even for its survival,” AdvIntel said. “The Emotet-TrickBot-Ryuk supply chain was extremely resilient. And with a stable and high-quality supply of accesses coming from a single organized source, Conti was able to maintain its image without any major structural changes. When the rest of the ransomware gangs were massively hiring random affiliates and delegating them to breach corporate networks, Conti was working in a trust-based, team-based manner.”
“And when said random affiliates began to randomly hack Western infrastructure and randomly blackmail Western leaders, calling the wrath of the Russian security apparatus on their heads, Conti merely kept a clear code of conduct and continued operations as normal,” it added.
According to the company, Conti at one point became “the sole end-user of TrickBot’s botnet product,” which ultimately led to TrickBot being essentially acquired by the Conti group by the end of 2021.
TrickBot is still operational, but the vast amount of indicators of compromise (IoCs) associated with the malware have made it easy to detect and it’s no longer used by Conti, AdvIntel said. While the TrickBot malware has reached its limits, its “elite developers and managers” are very useful to the Conti operation.
The TrickBot group has been working on BazarBackdoor, a stealthier malware that is currently used in attacks aimed at high-value targets.
“[The] people who have led TrickBot throughout its long run will not simply disappear,” AdvIntel said. “After being ‘acquired’ by Conti, they are now rich in prospects with the secure ground beneath them, and Conti will always find a way to make use of the available talent.”
Related: Researchers Hack Conti Ransomware Infrastructure
Related: U.S. Issues Conti Alert as Second Farming Cooperative Hit by Ransomware
Related: Financially Motivated Hackers Use Leaked Conti Ransomware Techniques in Attacks