Chris Swagler | February 21st, 2022

TrickBot’s death knell has sounded, after four years of activity and numerous takedown attempts, as its top members have moved under new management. The Conti ransomware syndicate is planning to replace it with the stealthier BazarBackdoor malware. TrickBot is a Windows malware platform with multiple modules for encrypting information, stealing passwords, infiltrating Windows domains, gaining initial access to networks, and delivering malware. Since 2016, TrickBot has dominated the malware threat landscape, collaborating with ransomware groups and wreaking havoc on millions of devices worldwide. The Ryuk ransomware group initially collaborated with TrickBot to gain access to networks; however, it was replaced by the Conti ransomware group, which has been using the malware for the past year to gain access to corporate networks. Overdose, a division in charge of TrickBot campaigns, has made at least $200 million from its operations.

According to a cybercrime and adversarial disruption company, researchers noticed that Conti became the only beneficiary of TrickBot’s supply of high-quality network accesses. TrickBot’s core development team already created a stealthier piece of malware, BazarBackdoor, primarily used for remote access into valuable corporate networks where ransomware could be deployed. BazarBackdoor transitioned from being part of TrickBot’s toolkit to a standalone tool whose development is controlled by the Conti ransomware syndicate. The Conti group’s main admin stated that they had taken over TrickBot and are switching the group from TrickBot to BazarBackdoor as the primary way of gaining initial access now that the “bot is dead”.

Even though TrickBot malware detections will become less common, the cybercrime and adversarial disruption company’s recent findings show that the operation is not finished. In fact, it has recently moved to a new control group that takes it to the next level, with malware retooled for high-value targets.

With ransomware groups looking to advance and innovate their attack methods and techniques, including taking over a malware operation like TrickBot, it’s more crucial for companies to stay on top of the current threat landscape and keep their data network security systems updated. At SpearTip, we are trusted breach coaches and specialize in handling breaches with one of the fastest response times in the industry. Our certified engineers continuously work 24/7/365 at our Security Operations Center monitoring companies’ networks for potential ransomware threats like Conti. Being proactive is the best way for companies and organizations to remain ahead of the current threats. SpearTip’s ShadowSpear, our endpoint detection and response platform, is a great proactive tool that optimizes visibility and enhances the cyber posture of any organization. Additionally, ShadowSpear integrates with cloud, network and endpoint devices to help identify threats, neutralize malware, and counter adversaries.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.