TA551 Joins with Trickbot - TheCyberThrone

The TrickBot gang is working together with the TA551 threat group,operating via remote malware distribution sites based in European countries such as Slovakia, the Netherlands, and Germany.

The potential victim receives a password protected archive in phishing emails. This archive comes with malicious documents whose macros download and execute TrickBot and BazarBackdoor from the remote distribution site. These malware carry out other malicious activities, such as reconnaissance, credential theft,data exfiltration. Reconnaissance and exfiltration have a duration of two days.

Advertisements

The operators of the campaign use the abandoned BazarBackdoor for enumerating users, domain administrators, shared resources, and shared computers, as well as for network reconnaissance. They deploy the Cobalt Strike beacon on the compromised system and add scheduled tasks for persistence.

Hackers steal user credentials, Active Directory data, password hashes, and abuse anything exploitable to spread across the network. They fiddle with registry values to enable RDP connectivity and tamper with Windows Firewall rules using ‘netsh’ command.

The real time monitoring feature of Windows Defender is disabled as well to stop any alert during the encryption process. In the final stage before file encryption, Conti uses the Rclone tool to exfiltrate data and send it to a remote endpoint. Two days after the initial infection, Conti is deployed.

The recent collaborations between Trickbot and TA551 show how threat groups help each other grow. It further increases the risks of destructive attacks and therefore organizations should be prepared with adequate security steps, including regular backup of important data at a secure remote location.