TrickBot, the best-known name in malware distribution and a long-running star among trojans, has announced its shutdown. Its operators will continue working as part of the Conti ransomware group, but will concentrate on a different project. Conti relied on the TrickBot downloader for a long time; once its effectiveness declined, the group shifted its attention to another loader, BazarLoader.
About TrickBot trojan
First seen almost six years ago, TrickBot was originally created as a banking trojan. Designed to steal online banking credentials, it was later reworked into a malware downloader. Its popularity among malware distributors is the result of the painstaking work its developers put into improving it: over time they added more and more modules that made the malware as effective as possible.
TrickBot was actively used by botnet operators. They planted the malware inside a chosen company's network and then sold ransomware distributors access to that network. The Conti group was one of the regular buyers of such access, and most analysts already associated TrickBot with Conti. It seems that after the fall of REvil, one of Conti's main rivals, the group decided to corner the market.
Why is TrickBot not accepted anymore?
Malware analysts always look for a way to detect a whole malware family, or even a whole class, with a single method. They search for the features shared by every variant, so that an anti-malware engine can recognize any sample of the family. TrickBot was a favorite target because it was so widespread. The developers certainly did their best to keep modifying the final product, but analysts collected enough samples to pinpoint the features that stayed constant across every variant. That led to shared detection rules that let anti-malware engines catch the whole family rather than one build at a time.
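The process described above, deriving one static signature from many variants, can be shown in miniature. The following is an added example, not code from the original article and not a real TrickBot detection rule: it intersects the byte n-grams of several constructed "variants" to find what their developers never changed, then subtracts the n-grams of constructed benign files so that generic material such as a standard x86 function prologue cannot become a false-positive trigger. The sample byte strings, the SHARED_STUB marker and the file names are all invented for this demonstration.

```python
# Added example: deriving a shared static signature from several variants
# of one malware family. All byte strings below are CONSTRUCTED for this
# demonstration and are not real TrickBot (or any other) malware bytes.


def ngrams(data, n):
    """All length-n byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def derive_signature(samples, benign, n=6):
    """Byte n-grams present in EVERY sample and in NO benign file.

    The intersection captures what the developers did not change between
    variants; subtracting the benign n-grams removes generic material such
    as common function prologues that would otherwise cause false positives.
    """
    if not samples:
        return []
    common = set.intersection(*(ngrams(s, n) for s in samples))
    benign_grams = set().union(*(ngrams(b, n) for b in benign))
    return sorted(common - benign_grams)


def matches(data, signature, min_hits=3):
    """True if at least min_hits signature n-grams occur in data.

    Requiring several hits keeps the rule usable even if a later build
    patches one byte of the stub, while keeping false positives low.
    """
    return sum(1 for g in signature if g in data) >= min_hits


# Constructed "loader stub" that the hypothetical developers left unchanged
# across builds: a standard x86 prologue followed by a config marker.
SHARED_STUB = b"\x55\x8b\xec\x83\xec\x20LOADCFG:\x01\x02"

# Three constructed variants: same stub, different surrounding bytes.
VARIANTS = [
    b"MZ\x90\x00variant-A-padding" + SHARED_STUB + b"\xde\xad\xbe\xef",
    b"MZ\x90\x00Bvariant" + b"\x00" * 5 + SHARED_STUB + b"c2=198.51.100.7",
    b"MZ\x90\x00" + SHARED_STUB + b"\x41" * 16,
]

# Constructed benign files. The first deliberately contains the same x86
# prologue so the example shows that generic bytes get filtered out.
BENIGN = [
    b"MZ\x90\x00\x55\x8b\xec\x83\xec\x20hello world\x00",
    b"MZ\x90\x00" + b"\x41" * 16 + b"\xde\xad\xbe\xef",
]

# A fourth, previously unseen variant: the rule should still catch it.
UNSEEN_VARIANT = b"MZ\x90\x00\x00\x00new-build" + SHARED_STUB + b"\x00" * 8


def demo():
    """Return (signature, verdicts) for the constructed corpus."""
    sig = derive_signature(VARIANTS, BENIGN)
    verdicts = {
        "unseen_variant": matches(UNSEEN_VARIANT, sig),
        "benign_with_prologue": matches(BENIGN[0], sig),
        "benign_other": matches(BENIGN[1], sig),
    }
    return sig, verdicts


if __name__ == "__main__":
    signature, verdicts = demo()
    print("signature n-grams:", [g.hex() for g in signature])
    print("verdicts:", verdicts)
```

Running it shows that the prologue n-gram `55 8b ec 83 ec 20` is dropped because a benign file also contains it, while the n-grams spanning the config marker survive and still match a build the rule has never seen. Production rules (YARA-style patterns, for instance) add conditions on file structure and section layout on top of this raw byte matching, but the core idea of intersecting variants and subtracting benign data is the same.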
TrickBot's successor, BazarLoader, inherited part of the old downloader's code. Like its predecessor, BazarLoader started out as a different class of malware, a backdoor, and a backdoor is far easier to turn into a downloader than a banking trojan is. Developed specifically for Conti's operations, it will likely prove much more effective. Organizations should not wait for a criminal group to disband; they should harden their networks now, regardless of which loader is in circulation.
Conti group acquires two malware developer teams
The TrickBot developers are not the first team to join a well-known ransomware group. The Emotet developers, whose operation was inactive for almost a year after the Ukrainian Cyber Police's takedown, have also agreed to join Conti. Emotet is a loader as well, so Conti can fall back on a second loader if the first one is detected. These moves are most likely an attempt to take the largest possible market share and to stop the LockBit group from doing so; LockBit topped the activity charts after the REvil shutdown in October 2021.
In general, it has been clear that malware groups are merging after several high-profile arrests. Developers from the busted groups decided to keep going, but as part of gangs that are still running. Possibly this is just the environment at work: anti-malware vendors are consolidating too, and the malware groups followed suit. But that explanation has far less support than the simpler one, merging for market share.