For the past four years, the name TrickBot has been featured in numerous conversations and articles, including this publication. We have covered how the malware survived several takedowns only to return improved and ready to pave the way for ransomware gangs to encrypt high-value targets' networks. We have also covered how the Conti ransomware gang partnered with TrickBot's developers to improve the ransomware's distribution: TrickBot would achieve the initial compromise, and Conti would then be dropped on the network to deliver the knockout punch.
New research published by AdvIntel suggests that TrickBot's top members have moved under new management, the Conti ransomware syndicate, which plans to replace TrickBot with the stealthier BazarBackdoor malware.
There are several reasons why TrickBot's talented developers have been drawn into the Conti family; a brief look at TrickBot's history presents a great CV to future employers. TrickBot was built to be modular in design, which meant it could be quickly modified to improve existing features or add new ones without a lengthy development cycle.
As an example of this, in July 2020, TrickBot's developers test-piloted a mysterious module known as grabber.dll. That version of the module was meant for browser data theft and affected Google Chrome, Internet Explorer, Mozilla Firefox, and Microsoft Edge, as well as browser cookies.
At the peak of TrickBot's capabilities, the malware was capable of maintaining persistence on victims' machines by corrupting UEFI/BIOS settings. AdvIntel states,
"In October 2021, TrickBot even developed a function designed to inspect the UEFI/BIOS firmware of its targets, in order to survive any system re-imaging efforts during the recovery phase of a Ryuk (Conti) ransomware event, further allowing adversaries to semi-permanently brick an affected device. The installation framework of TrickBot's notorious AnchorDNS malware has also been used by some of the most notorious (specifically Russian and North Korean) threat actors to target healthcare, finance, telecoms, education, and critical infrastructure."
This surely attracted the attention of ransomware developers, as over the course of TrickBot's history several ransomware gangs partnered with the malware's operators, including Conti and Ryuk. In fact, AdvIntel notes,
"However, the most salient and worrisome prediction for TrickBot was its role as the most dangerous tool in ransomware's future arsenal. The group's elite division, called Overdose, managed the TrickBot campaigns that resulted in the creation of Conti and Ryuk ransomware. The group has made at least $200 million USD, with one extreme case extorting ~$34 million USD from a single victim, and has perpetrated a spate of attacks on numerous healthcare organizations, including Universal Health Services (UHS) via BazarBackdoor to Ryuk ransomware (the attack was estimated to account for $67 million USD in damages)."
Changing Ransomware Landscape
Major law enforcement clampdowns throughout 2021 caused many ransomware-as-a-service (RaaS) gangs to retire. This opened the door for ransomware gangs that operated in tighter groups to take center stage; groups like Conti and EvilCorp rose to prominence due to their makeup and skills.
Because these groups rely on small, trust-based teams of hackers rather than affiliates, catching their members is proving difficult. Some contend that Conti and EvilCorp are now structured more along the lines of a criminal syndicate than a ransomware operation.
Conti's operators, seeing how resilient the Emotet-TrickBot-Ryuk supply chain was, surely wanted a piece of the pie. This resulted in the two groups partnering.
However, as much of TrickBot's potential customer base was disappearing due to the crackdown on RaaS and Conti's rise, it seemed a logical decision for TrickBot's operators to let the malware become a subsidiary of Conti rather than remain a partner.
This change in the relationship can be seen in Conti’s use of the botnet towards the end of 2021. By this time Conti was the sole end-user of TrickBot’s botnet.
While TrickBot is still active, it would seem that activity related to the malware has peaked. To further illustrate this point, AdvIntel notes that it has become increasingly easy for security vendors to detect and mitigate TrickBot infections based on indicators of compromise. This means that Conti is unlikely to use TrickBot for further infections.
Rather, the use of BazarBackdoor has increased. BazarBackdoor is the TrickBot group's newer, stealthier replacement malware, now being leveraged against high-value targets. BazarBackdoor was formerly part of TrickBot's toolkit but has since become its own fully autonomous tool.
AdvIntel researchers concluded that,
“In name, at least, this means that TrickBot’s four-year saga is now coming to a close—the liaison that has defined the cybercrime domain for years has been reborn into a newer, possibly even deadlier form…However, the people who have led TrickBot throughout its long run will not simply disappear. After being “acquired” by Conti, they are now rich in prospects with the secure ground beneath them, and Conti will always find a way to make use of the available talent.”
It is hard to disagree with this sentiment as the upgrade in skills and experience Conti has received by bringing in skillful hackers makes the threat posed by the group more worrying than before.