TrickBot
TrickBot is a Russia-based cybercrime gang and malware operation active since at least 2016; the group is also tracked as Wizard Spider. It has been linked to the broader criminal network behind TrickBot, Conti, and Ryuk, and reporting also associates it with Diavol and Karakurt. Authorities in the United States and the United Kingdom sanctioned seven individuals alleged to be behind TrickBot, and U.S. and U.K. assessments state that current or key TrickBot members maintain links to Russian intelligence services. Some of the group's targeting has aligned with Russian state objectives, including systematic attacks on Ukraine and targeting of the International Olympic Committee.

Operationally, TrickBot began as a modular banking trojan and evolved into a malware delivery platform and botnet used to spread ransomware. It has infected millions of computers and has been used to deploy Ryuk and Conti; reporting also describes partnerships with ransomware groups to deploy Ryuk, Conti, Diavol, and Karakurt. TrickBot targeted hospitals and healthcare centers in the United States during the COVID-19 pandemic. The group has worked with TA551 in phishing campaigns that deployed Conti ransomware, and BazarLoader and TrickBot infections are believed to originate from the same TrickBot group.

After initial access, the TrickBot malware family performs reconnaissance covering system network configuration discovery and domain trust discovery, running commands such as ipconfig /all, net config workstation, net view /all /domain, and nltest /domain_trusts. TrickBot also developed and used the TrickMo Android malware to bypass banking two-factor authentication: it intercepts OTP, mTAN, and pushTAN codes, abuses Android accessibility services, forwards and deletes SMS messages, resists uninstallation, and persists across reboots.
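The discovery sequence listed above is a practical detection opportunity. The following is an added example, not code from the original page or from any TrickBot reporting: it scans process-creation records for the four commands and raises an alert only when several distinct ones run on one host inside a short window, because any single one of them (especially ipconfig /all) is routine administrator activity. The event field names, the constructed sample events, the five-minute window, and the threshold of three distinct commands are assumptions chosen for this example; the ATT&CK technique IDs are the ones these commands are normally filed under.

```python
# Added example (not from the original page): hunt for the TrickBot-style
# discovery burst in process-creation telemetry. Event field names
# (host, user, ts, command_line) and the sample events are constructed for
# this example and are not real telemetry.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines the page attributes to TrickBot reconnaissance, keyed by a
# short label and mapped to the ATT&CK technique they are usually filed under.
DISCOVERY_PATTERNS = {
    "ipconfig_all":           (re.compile(r"\bipconfig(?:\.exe)?\s+/all\b"), "T1016"),
    "net_config_workstation": (re.compile(r"\bnet1?(?:\.exe)?\s+config\s+workstation\b"), "T1016"),
    "net_view_domain":        (re.compile(r"\bnet1?(?:\.exe)?\s+view\s+/all\s+/domain\b"), "T1018"),
    "nltest_domain_trusts":   (re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts\b"), "T1482"),
}


def classify(command_line):
    """Return the labels of discovery commands found in one command line."""
    # Lower-case and collapse whitespace so "NLTEST  /domain_trusts" still matches.
    cl = " ".join(command_line.lower().split())
    return [label for label, (pat, _) in DISCOVERY_PATTERNS.items() if pat.search(cl)]


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Alert once per host when >= min_distinct distinct discovery commands run within `window`.

    A lone `ipconfig /all` is normal admin work; the TrickBot signal is the burst of
    several different discovery commands in quick succession on a single host.
    """
    by_host = defaultdict(list)
    for ev in events:
        labels = classify(ev["command_line"])
        if labels:
            by_host[ev["host"]].append((ev["ts"], ev["user"], labels))

    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, user, _) in enumerate(hits):
            seen = set()
            for ts, _, labels in hits[i:]:          # sliding window anchored at hit i
                if ts - start > window:
                    break
                seen.update(labels)
            if len(seen) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": user,
                    "start": start,
                    "commands": sorted(seen),
                    "attack": sorted({DISCOVERY_PATTERNS[c][1] for c in seen}),
                })
                break                                # one alert per host is enough for triage
    return alerts


def _ev(host, user, ts, command_line):
    return {"host": host, "user": user, "ts": datetime.fromisoformat(ts), "command_line": command_line}


# Constructed sample telemetry in the shape of Sysmon event ID 1 records, not real data.
SAMPLE_EVENTS = [
    # WS01: the full sequence inside 15 seconds -> should alert.
    _ev("WS01", "CORP\\jdoe", "2024-03-01T10:00:05", "cmd.exe /c ipconfig /all"),
    _ev("WS01", "CORP\\jdoe", "2024-03-01T10:00:09", "net config workstation"),
    _ev("WS01", "CORP\\jdoe", "2024-03-01T10:00:14", "C:\\Windows\\system32\\net1 view /all /domain"),
    _ev("WS01", "CORP\\jdoe", "2024-03-01T10:00:20", "NLTEST.EXE /domain_trusts"),
    _ev("WS01", "CORP\\jdoe", "2024-03-01T10:00:25", "whoami"),
    # WS02: a lone ipconfig from an admin -> routine, no alert.
    _ev("WS02", "CORP\\admin", "2024-03-01T10:30:00", "ipconfig /all"),
    # WS03: two discovery commands 40 minutes apart -> outside the window, no alert.
    _ev("WS03", "CORP\\asmith", "2024-03-01T11:00:00", "nltest /domain_trusts"),
    _ev("WS03", "CORP\\asmith", "2024-03-01T11:40:00", "net view /all /domain"),
    # Plain "net view" is not the /all /domain form and is ignored.
    _ev("WS03", "CORP\\asmith", "2024-03-01T11:41:00", "net view"),
]

if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} at {a['start']}: {a['commands']} {a['attack']}")
```

Run against the sample, only WS01 alerts. The window and threshold are the tuning knobs: widen the window and lower the threshold to catch slower, hands-on-keyboard reconnaissance at the cost of more noise from administrators, and consider adding the parent process and the signing status of the launching binary as further filters once real telemetry is available.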
TrickBot is also connected to other parts of the cybercrime ecosystem. WithSecure found links between GREYVIBE tooling and the TrickBot gang, including suspected ties through an ISO builder also linked to UAC-0098. U.S. Treasury reporting states that Blender.io was used by ransomware gangs including TrickBot, and Treasury sanctions related to Operation Zero highlighted connections between the TrickBot gang and that Russian exploit broker. In 2020, Microsoft obtained an emergency court order to disable TrickBot command-and-control IP addresses as part of a disruption effort against the botnet.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
24 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Observables
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cybercriminal group referenced here because GREYVIBE tooling showed connections to it.
Referenced as a cybercrime group whose tooling has suspected ties to the infrastructure or tooling used in GREYVIBE activity.
A cybercriminal group whose command-and-control infrastructure was disrupted through court-authorized civil action by Microsoft.
Russian cybercriminal group referenced as operating in partnership with RomCom within a broader Russian intelligence-criminal proxy ecosystem.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.