Last Updated on 24/02/2022 by Nidhi Khandelwal
TrickBot, the famed Windows crimeware-as-a-service (CaaS) solution used by a variety of threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a shift, with no new activity since the beginning of the year.
Even as the malware’s command-and-control (C2) infrastructure continued to provide more plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021.
Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month hiatus due to law enforcement efforts to combat the malware.
The attacks, which began in November 2021, comprised an infection sequence that employed TrickBot to download and execute Emotet binaries, despite the fact that Emotet was frequently used to drop TrickBot samples prior to the shutdown.
Additionally, immediately after Emotet’s comeback in November 2021, Intel 471 discovered instances of TrickBot pushing Qbot installs to the infected systems, highlighting the prospect of a behind-the-scenes shake-up to migrate to other platforms.
With TrickBot becoming more visible to law enforcement in 2021, it’s not unexpected that the threat actor behind it is actively working to change tactics and improve their protective mechanisms.
According to a separate report published last week by Advanced Intelligence (AdvIntel), the Conti ransomware gang is thought to have acqui-hired several elite TrickBot developers to retire the malware in favor of upgraded tools like BazarBackdoor.