The operators of TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.
The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known as Hive0105, Hive0106, and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware.
TrickBot has evolved from a banking trojan to a modular Windows-based crimeware solution, while also standing out for its resilience, demonstrating the ability to maintain and update its toolset and infrastructure despite multiple efforts by law enforcement and industry groups to take it down.
Besides TrickBot, the Wizard Spider group has been credited with the development of BazarLoader and a backdoor called Anchor. Both relied on email campaigns delivering Excel documents and a call center ruse dubbed “BazaCall” to deliver malware to corporate users, which eventually leads to the deployment of Cobalt Strike Beacon, enabling a widespread, diversified campaign.
ITG23 has also adapted to the ransomware economy through the creation of the Conti RaaS and the use of its BazarLoader and TrickBot payloads to gain a foothold for ransomware attacks.
This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.