Since the outbreak of hostilities in late February 2022, the operators of the TrickBot malware have methodically targeted Ukraine, a development that commentators have described as an "unprecedented" turn of events.
The group is believed to be responsible for at least six separate phishing campaigns directed at targets aligned with the interests of the Russian state. The emails served as lures for the delivery of malware including IcedID, CobaltStrike, AnchorMail, and Meterpreter.
ITG23, also known as Gold Blackburn and Wizard Spider, is a financially motivated cybercrime gang that is known for its development of the TrickBot banking trojan. Earlier this year, the gang was absorbed into the Conti ransomware cartel, which has since been discontinued.
However, only a few weeks later, the actors associated with the group reappeared with a redesigned version of the AnchorDNS backdoor known as AnchorMail. This backdoor makes use of the SMTPS and IMAP protocols for command-and-control communications.
IBM Security X-Force analyst Ole Villadsen stated in a technical report that "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent." Additionally, these campaigns appeared to be specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection.
The use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads are a noticeable shift in the campaigns. The attacks are believed to have started sometime in the middle of April 2022.
It is interesting to note that the threat actor used the possibility of nuclear war in its email hoax to spread the AnchorMail implant. This strategy would later be used by the Russian nation-state group tracked as APT28 to spread data-stealing malware in Ukraine two months later.
In addition, the Cobalt Strike sample that was deployed as part of a campaign in May 2022 used a new crypter that was given the name Forest in order to avoid detection. This crypter has also been used in conjunction with the Bumblebee malware, which lends credence to theories that the loader is being operated by the TrickBot gang.
"Ideological divisions and allegiances have become increasingly apparent within the Russian-speaking cybercriminal ecosystem this year," noted Villadsen. "This year has been particularly eventful for the Russian-speaking cybercriminal community." These campaigns provide evidence that prominent Russian cybercriminal groups have their sights set on the Ukraine.
This new development comes at the same time that Ukrainian media outlets have been targeted with phishing messages carrying malware-laced documents that exploit the Follina vulnerability and drop the DarkCrystal RAT on compromised systems.
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning regarding intrusions carried out by a group known as UAC-0056. These intrusions target state organizations using staffing-themed lures in order to drop Cobalt Strike Beacons on the hosts.
One month ago, the agency also pointed out the use of the Royal Road RTF weaponizer by a China-based actor with the codename Tonto Team (aka Karma Panda) to target scientific and technical enterprises as well as state bodies located in Russia with the Bisonal malware.
SentinelOne stated that the findings demonstrate "a continued effort" on the part of the Chinese intelligence apparatus to target a wide variety of Russian-linked organizations. The attribution of the attacks to the advanced persistent threat (APT) group was made with medium confidence.