"Trickbot Comes Up With a New Set of Tricks"

The group behind the Trickbot malware appears to be shifting away from that cybercriminal platform toward more modern attack tools. According to researchers at the threat intelligence firm Intel 471, the group stopped spreading Trickbot late last year and instead began distributing copies of Emotet and Qbot to already-infected systems. The shift suggests that Trickbot's operators are changing strategy and working more closely with the Emotet botnet operators. According to Greg Otto, a researcher at Intel 471, Trickbot employs nearly 400 people, so the group is likely to continue operating, refine its malware, and resurface under a different name. Researchers at Check Point Software Technologies had also observed more than 140,000 Trickbot-infected machines spreading Emotet to other systems in November 2021, which drove a resurgence of Emotet infections following the multinational law enforcement takedown of Emotet in January 2021. The Trickbot operators have likely phased Trickbot out of their operations in favor of other platforms such as Emotet, since Trickbot itself is relatively old malware that has not been significantly updated. Although Trickbot has apparently stopped its campaign to infect new systems, currently compromised computers are still communicating with each other and uploading code that can be injected into websites and into other malware programs such as Emotet and Qbot. The campaigns themselves have been quiet, but the command-and-control (C2) infrastructure tied to Trickbot remains operational, serving more plugins, web injects, and additional configurations to bots in the botnet. The operators also used the Bazar backdoor malware to gain stealthy access to high-value targets. This article continues to discuss the changes made by the group behind Trickbot.

Dark Reading reports "Trickbot Comes Up With a New Set of Tricks"
