TrickBot Gang Shifted its Focus on “Systematically” Targeting Ukraine

Cyber Security

In what’s being described as an “unprecedented” twist, the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.

The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.

Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.

But merely weeks later, the actors associated with the group resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail that uses SMTPS and IMAP protocols for command-and-control communications.

“ITG23’s campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection,” IBM Security X-Force analyst Ole Villadsen said in a technical report.

A noticeable shift in the campaigns involves the use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads. The attacks are said to have commenced in mid-April 2022.

Interestingly, the threat actor leveraged the specter of nuclear war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated by the Russian nation-state group tracked as APT28 two months later to spread data-stealing malware in Ukraine.

What’s more, the Cobalt Strike sample deployed as part of a May 2022 campaign utilized a new crypter dubbed Forest to evade detection, the latter of which has also been used in conjunction with the Bumblebee malware, lending credence to theories that the loader is being operated by the TrickBot gang.

Ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year,” Villadsen noted. “These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups.”

The development comes as Ukrainian media outlets have been targeted with phishing messages containing malware-laced documents that exploit the Follina vulnerability to drop the DarkCrystal RAT on compromised systems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has also warned of intrusions conducted by a group called UAC-0056 that involves striking state organizations with staffing-themed lures to drop Cobalt Strike Beacons on the hosts.

The agency, last month, further pointed out the use of Royal Road RTF weaponizer by a China-based actor codenamed the Tonto Team (aka Karma Panda) to target scientific and technical enterprises and state bodies located in Russia with the Bisonal malware.

Attributing these attacks with medium confidence to the advanced persistent threat (APT) group, SentinelOne said the findings demonstrate “a continued effort” on the part of the Chinese intelligence apparatus to target a wide range of Russian-linked organizations.