The operators of the TrickBot trojan were recently discovered collaborating with the Shathak threat group to distribute their malware. This partnership ultimately leads to the deployment of the Conti ransomware on infected hosts, since Conti is one of the go-to ransomware variants that the TrickBot operators have been known to use.
Shathak is an email-based malware distributor whose main method of infecting a victim is phishing emails carrying password-protected ZIP files that contain macro-enabled Office documents. In the past, Shathak has been known to distribute various banking trojans, such as Ursnif, Valak, and IcedID.
The TrickBot operator, also known as Wizard Spider, is a well-known Russia-based threat actor group that has been responsible for causing damage to numerous organizations across many different sectors. They have also been known to develop and utilize highly sophisticated malware against their victims, such as the TrickBot trojan and the Ryuk and Conti strains of ransomware.
The partnership between Wizard Spider and Shathak was discovered to have started sometime around July of 2021.
As with all phishing campaigns, appropriate email analysis and hygiene need to be performed before the end user receives the email, particularly when the email contains attachments. Likewise, macro execution within the Microsoft Office suite of products should be disabled where possible in order to prevent malicious payloads from executing. Proper endpoint and network security controls need to be in place to help detect and prevent the common techniques that these actors use once they have established a foothold on an infected system. Binary Defense’s Managed Detection and Response service is a great asset to assist with this detection and prevention need.
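One way to turn the attachment-analysis advice above into a concrete mail-gateway check, as an added example that is not code from the original post or from Binary Defense: a password-protected ZIP still exposes its entry names and per-entry encryption flags in the central directory, so an attachment matching the Shathak lure (an encrypted archive wrapping a macro-enabled Office document) can be flagged without knowing the password. The function names, the extension list and the constructed sample archive are the editor's assumptions.

```python
import io
import struct
import zipfile

# Office extensions that can carry VBA macros (assumption: editor's list, not from the post).
MACRO_CAPABLE = (".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm", ".doc", ".xls", ".ppt")

def assess_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment without extracting or decrypting it.

    Entry names and the per-entry encryption flag live in the central directory,
    which traditional ZIP encryption leaves in the clear, so a password-protected
    ZIP still reveals the names of the files it wraps.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"valid_zip": False, "encrypted": False, "macro_docs": [], "suspicious": False}
    encrypted = False
    macro_docs = []
    for info in infos:
        if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
            encrypted = True
        if info.filename.lower().endswith(MACRO_CAPABLE):
            macro_docs.append(info.filename)
    # The lure described in the post: a password-protected archive wrapping a macro document.
    return {"valid_zip": True, "encrypted": encrypted, "macro_docs": macro_docs,
            "suspicious": encrypted and bool(macro_docs)}

def build_sample_zip(member_name: str, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry ZIP, optionally marked as password-protected.

    zipfile cannot write encrypted archives, so the encryption bit is set by patching
    the local file header and the central directory entry after writing. The member
    body is filler text, not a real document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"filler text, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        # EOCD is the trailing 22 bytes; the central directory offset sits at EOCD[16:20].
        cd_offset = struct.unpack("<I", data[-6:-2])[0]
        # Flags field: offset 6 in the local header (at 0), offset 8 in the CD entry.
        for off in (6, cd_offset + 8):
            flags = struct.unpack("<H", data[off:off + 2])[0] | 0x1
            data[off:off + 2] = struct.pack("<H", flags)
    return bytes(data)
```

A gateway rule built on `suspicious` catches the combination rather than every encrypted ZIP or every macro document on its own, which keeps false positives down while still matching this campaign's delivery pattern.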