
TrickBot malware operation shuts down, devs move to BazarBackdoor


The TrickBot malware operation has shut down after its core developers moved to the Conti ransomware gang to focus development on the stealthier BazarBackdoor and Anchor malware families.

TrickBot is a notorious Windows malware infection that has dominated the threat landscape since 2016.

The malware is commonly installed via malicious phishing emails or other malware, and will quietly run on a victim’s computer while it downloads modules to perform different tasks.

These modules perform a wide range of malicious activities, including stealing a domain's Active Directory database, spreading laterally across a network, locking screens, stealing browser cookies and saved passwords, and stealing OpenSSH keys.

TrickBot also has a long relationship with ransomware operations that partnered with the TrickBot group to receive initial access to networks already infected by the malware.

In 2019, the TrickBot Group partnered with the Ryuk ransomware operation to provide the ransomware gang initial access to networks. In 2020, the Conti ransomware group, believed to be a rebrand of Ryuk, also partnered with TrickBot for initial access.

In 2021, TrickBot attempted to launch its own ransomware operation called Diavol, which never really picked up steam, possibly because one of its developers was arrested.

Despite numerous takedown attempts by law enforcement, TrickBot had successfully rebuilt its botnet and continued to terrorize Windows networks.

That is until December 2021, when TrickBot distribution campaigns suddenly ceased.

TrickBot operation shuts down

Over the last year, Conti has become one of the most resilient and lucrative ransomware operations, responsible for numerous attacks on high-profile victims and amassing hundreds of millions of dollars in ransom payments.

As reported by BleepingComputer last week, due to the enormous wealth and capital at their disposal and TrickBot primarily being used by Conti, the ransomware gang slowly took control of the operation.

However, Conti did not recruit TrickBot's "elite developers and managers" to work on the TrickBot malware, but rather to work on the stealthier BazarBackdoor and Anchor malware families, as seen in internal conversations shared with BleepingComputer by cybersecurity firm AdvIntel.

AdvIntel explained last week that the shift in development is because the TrickBot malware is too easily detected by security software and that the operation would be shut down shortly.

Yesterday, AdvIntel CEO Vitali Kremez told BleepingComputer that the TrickBot Group shut down all of the infrastructure for the TrickBot malware operation.

TrickBot is gone…It is official now as of Thursday, February 24, 2022

See you soon … or not pic.twitter.com/zWCCpngUI7

— Vitali Kremez (@VK_Intel) February 24, 2022

In a conversation with Kremez, BleepingComputer was told that the Conti ransomware now controls the TrickBot Group’s malware development for their own needs.

With this shutdown, Kremez explained that the TrickBot crime ring, which was initially launched to pursue fraud, now focuses almost entirely on ransomware and breaching networks.

A report released yesterday by cyber intelligence firm Intel471 also confirmed that the operation was shutting down in favor of more profitable platforms.

While it is always good to see a malware operation shut down, the reality is that the ransomware gangs have already transitioned over to the more stealthy BazarBackdoor family.

BazarBackdoor has already seen increased distribution via email over the past six months, but with TrickBot’s shutdown, we will likely see it become more prevalent in network breaches of corporate entities.

Source: https://www.bleepingcomputer.com/news/security/trickbot-malware-operation-shuts-down-devs-move-to-bazarbackdoor/