IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate ‘Trickbot group’ has been systematically attacking Ukraine since the Russian invasion.

The attacks mark an unprecedented shift, as the group had not previously targeted Ukraine; the findings come from the team’s ongoing research.

“Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns - two of which have been discovered by X-Force - against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter,” the researchers wrote in a blog post on Thursday.

“Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured to not execute on systems if the Ukrainian language was detected,” they added.

The research said that X-Force analysts had investigated at least six ITG23 campaigns specifically targeting Ukraine between mid-April and mid-June. Four of these campaigns have been disclosed by CERT-UA, which tracks them under the group name UAC-0098, while this analysis introduces two newly uncovered campaigns by X-Force, it added.

The Trickbot group campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine, with some payloads suggesting a higher degree of target selection.

“ITG23 is a financially motivated cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016; since that time the group has used its payloads to gain a foothold in victim environments for ransomware attacks, including Ryuk, Conti, and Diavol,” IBM said.

“The systematic attacks observed against Ukraine include reported and suspected phishing attacks against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population. Successful attacks that resulted in data theft or ransomware would provide ITG23 with additional extortion opportunities, and particularly damaging attacks could harm Ukraine’s economy,” it added.

X-Force assesses that the Trickbot group is controlling the delivery of the emails and malware itself, rather than relying on independent distribution affiliates to execute the campaigns. “None of these campaigns are consistent with the techniques that known ITG23 third-party distribution affiliates are using to deliver the payloads to their targets. In 2021, X-Force analysts tracked several campaigns that were probably carried out directly by ITG23 personnel,” the research added.

Furthermore, five of the six campaigns directly download CobaltStrike, Meterpreter, or AnchorMail onto the target machine. Three of the six campaigns use a malicious Excel downloader that has not been observed in other campaigns, while two campaigns use ISO image files to distribute the payloads. These ISO files are probably created by a boutique ISO builder that has supplied previous campaigns delivering ITG23 payloads.