The TrickBot ransomware gang, which developed the Conti ransomware and BazarLoader, has strengthened its distribution arsenal with the inclusion of new affiliates Hive0106, or TA551, and Hive0107, Threatpost reports.
"Earlier this year, [the TrickBot gang] primarily relied on email campaigns delivering Excel documents and a call-center ruse known as BazarCall to deliver its payloads to corporate users. However…the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," said IBM X-Force researchers.
Conti ransomware attacks have risen since the addition of the new affiliates. According to the report, researchers found that Hive0106 has, since June, spread TrickBot malware through email thread hijacking, a technique also used by the Emotet ransomware gang.
Meanwhile, Hive0107 began distributing TrickBot aimed at organizations in the US, Canada and Europe in May after spreading the IcedID trojan in the first six months of the year.