The operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war.
The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter.
Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.
"ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," IBM Security X-Force analyst Ole Villadsen said in a technical report.
Interestingly, the threat actor leveraged the specter of nuclear war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated by the Russian nation-state group tracked as APT28 two months later to distribute information-stealing malware in Ukraine.
Recommendations for TrickBot
- Ensure anti-virus software and associated files are up to date.
- Check for existing signs of the indicated IOCs in the environment.
- Keep applications and the OS at the current released patch level.
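The second recommendation, sweeping the environment for known indicators, is the one that usually needs tooling. The script below is an added example written for this page, not code from the article or from IBM X-Force: it walks a directory tree, hashes every file with SHA-256, and reports any file whose digest appears in an IOC list. The article does not reproduce the actual TrickBot IOCs, so the `IOC_SHA256` set here is filled with constructed placeholder hashes; in practice you would load the hashes from the vendor report. The demo tree it builds is likewise constructed so the example runs offline.

```python
import hashlib
import os
import tempfile

# Placeholder IOC list. The article refers to IOCs but does not list them, so these
# SHA-256 values are constructed for the example and are NOT real TrickBot hashes.
# Replace with the hashes from the vendor report when running a real sweep.
IOC_SHA256 = {
    hashlib.sha256(b"constructed sample payload A").hexdigest(),
    hashlib.sha256(b"constructed sample payload B").hexdigest(),
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs=IOC_SHA256):
    """Walk `root` and return (path, sha256) pairs for files whose hash is in `iocs`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                # Locked or unreadable file: skip it rather than abort the whole sweep.
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def build_demo_tree():
    """Construct a temporary tree with one benign file and one file matching a placeholder IOC."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"harmless content")
    sub = os.path.join(root, "AppData")  # constructed path, mimics a common drop location
    os.makedirs(sub)
    with open(os.path.join(sub, "stage.bin"), "wb") as f:
        f.write(b"constructed sample payload A")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit_path, hit_digest in sweep_directory(demo_root):
        print(f"IOC match: {hit_path} sha256={hit_digest}")
```

Hash matching is only the cheapest check: a repacked sample defeats it, so treat a sweep like this as a first pass and pair it with the network indicators (C2 domains, URLs) and behavioral detections from the same report.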