The operators of the TrickBot trojan were recently discovered collaborating with the Shathak threat group to distribute their malware. This partnership is ultimately leading to the deployment of the Conti ransomware on infected hosts, as Conti is one of the go-to variants of ransomware that the TrickBot operators have been known to utilize.
Shathak is an email-based malware distributor whose main infection method is phishing emails carrying password-protected ZIP files that contain macro-enabled Office documents. In the past, Shathak has been known to distribute various banking trojans, such as Ursnif, Valak, and IcedID.
The TrickBot operator, also known as Wizard Spider, is a well-known Russia-based threat actor group that has been responsible for causing damage to numerous organizations across many different sectors. They have also been known to develop and utilize highly sophisticated malware against their victims, such as the TrickBot trojan and the Ryuk and Conti strains of ransomware.
The partnership between Wizard Spider and Shathak was discovered to have started sometime around July of 2021.