TrickBot Hack Group Systematically Attacks Ukraine

TrickBot attacks Ukraine

IBM Security X-Force experts noticed that from the very beginning of the full-scale Russian invasion, the TrickBot hack group “systematically attacks” Ukraine, which has not been observed before.

It is believed that from mid-April to June 2022, hackers have already organized at least six such phishing campaigns.

Let me remind you that the TrickBot hack group (aka ITG23, Gold Blackburn and Wizard Spider) is considered a financially motivated group, which is known mainly due to the development of the TrickBot banking Trojan of the same name. Over the years, TrickBot has evolved from a classic banker designed to steal funds from bank accounts to a multifunctional dropper that spreads other threats (from miners and ransomware to infostealers).

Let me also remind you that we wrote that TrickBot causes crashes on the machines when cybersecurity experts studying it.

The report notes that, according to researchers, the group recently came under the control of Conti, and Conti operators expressed full agreement with the policy of the Russian authorities at the beginning of Russia’s aggression against Ukraine.

According to IBM Security X-Force, TrickBot has recently turned its attention to Ukraine, and tools such as IcedID, CobaltStrike, AnchorMail and Meterpreter have been used in targeted attacks. It is emphasized that earlier Ukraine was not of interest to hackers, and most of the group’s malware is now configured in such a way that it does not run on systems where the Ukrainian language is not detected.

The company report states that the group often used the threat of a nuclear conflict as bait, distributing the malicious Nuclear.xls file, through which the new AnchorMail malware was already spreading.

The researchers also note the use by hackers of the new Forest cryptor, which is used to avoid detection and protect the CobaltStrike and IcedID payloads. It is assumed that its developer, distributor or operator may be part of the group itself, or have a partnership with TrickBot.

Systematic attacks against Ukraine have included phishing attacks against Ukrainian public authorities, Ukrainian citizens and organizations, and the general population. Successful attacks that lead to data theft or ransomware infection will provide ITG23 with additional opportunities for extortion, and especially dangerous incidents can damage the Ukrainian economy.the experts warned.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *