The Trickbot group is making its presence felt again and is expanding its malware distribution channels for spreading Trickbot and BazarLoader. Other ransomware attacks have also increased, particularly Conti ransomware.
Since June, researchers have noticed an uptick in Trickbot/BazarLoader deliveries. As the article puts it:
- “Recently the Trickbot group has joined hands with several malware distribution partners, including Hive0105, Hive0106, and Hive0107.
- Hive0107 and Hive0106 infect organizational networks by hijacking email threads, using fake customer response forms, and social engineering employees using a fake call center, known as BazarCall, or Hive0105.
- Meanwhile, in the second half of 2021, the surge in Conti ransomware attacks was attributed majorly to the rise in BazarLoader activity.”
More about groups
- The Hive0106 group started spreading Trickbot with the ‘zev’ gtag in June and turned to BazarLoader in the second half of July. It stepped up attacks using this malware with the ‘zem’ and ‘zvs’ gtags in September and October, respectively.
- Hive0107 started spreading the malware between mid-May and mid-July and used the ‘mod’ gtag.
- Hive0105, or BazarCall, one of the most infamous distributors of BazarLoader, also sometimes spreads Trickbot. Its infections were often used for data pilfering and ransomware deployments such as Conti.