IBM Security X-Force experts have noticed that since the very beginning of Russia's full-scale invasion, the TrickBot hack group has been “systematically attacking” Ukraine, something that had not been observed before.
The researchers believe that between mid-April and June 2022 the group ran at least six such phishing campaigns.
Let me remind you that the TrickBot hack group (aka ITG23, Gold Blackburn and Wizard Spider) is considered a financially motivated group, known mainly for developing the TrickBot banking Trojan of the same name. Over the years, TrickBot has evolved from a classic banker designed to steal funds from bank accounts into a multifunctional dropper that delivers other threats, from miners and ransomware to infostealers.
Let me also remind you that we wrote earlier that TrickBot causes crashes on the machines of cybersecurity experts who study it.
The report notes that, according to the researchers, the group recently came under the control of Conti, and Conti's operators expressed full support for the policy of the Russian authorities at the start of Russia's aggression against Ukraine.
According to IBM Security X-Force, TrickBot has recently turned its attention to Ukraine, using tools such as IcedID, CobaltStrike, AnchorMail and Meterpreter in targeted attacks. The researchers emphasize that Ukraine was previously of no interest to the group, and that most of the group's malware is now configured to run only on systems where the Ukrainian language is detected (which also means that sandboxes and analysis machines with other language settings will not see the payload execute).
The company's report states that the group often used the threat of nuclear conflict as bait, distributing a malicious Nuclear.xls file through which the new AnchorMail malware was delivered.
The researchers also note the hackers' use of a new crypter called Forest, which is used to evade detection and protect the CobaltStrike and IcedID payloads. It is assumed that its developer, distributor or operator is either part of the group itself or a partner of TrickBot.