Conti and Trickbot, a merger between cybercrime SMEs


Data leaks from the Conti group continue to appear, shedding light on the business of cybercriminal groups and the sometimes close ties between them. Conti is a ransomware-as-a-service group active since 2020 that quickly rose to the ranks of the best-known groups, notably by claiming the attack on the Irish health service.

To spread their ransomware, members of the Conti group have frequently relied on another piece of malware, Trickbot. Trickbot is a modular Trojan used by cybercriminals to infect and take control of computers, with the access later resold to other cybercriminal groups. Active since 2016, the Trickbot botnet has been the target of several takedown operations over the past two years. In recent months, the Conti group had become the main customer of the Trickbot botnet, which served as its initial access provider: Conti ransomware operators used computers infected with Trickbot to get into corporate networks, then deployed their ransomware and/or stole sensitive data from their targets in order to extort a ransom.

A family resemblance

But the relationship between Trickbot and Conti goes well beyond a simple partnership between two cybercriminal groups. Since February 27, a Twitter user going by Conti Leaks has been publishing documents, including conversations exchanged by members of the Conti group on their internal chat tools. While many observers initially thought the account was run by a former member of the group, others now believe it is more likely the work of a security researcher who infiltrated the group.

A Twitter account called Trickbotleaks briefly appeared this week, circulating new documents apparently taken from the group's infrastructure, but according to the security researcher vx-underground, who follows the cybercriminal ecosystem very closely, it was only material from Conti Leaks repackaged.

The leak nevertheless allows many researchers to examine the inner workings of the group and to confirm certain theories, in particular the idea, put forward by security researchers, that Conti absorbed the developers and members of the Trickbot group into its own team after Trickbot gradually lost ground following multiple takedown operations and arrests.

Game over

According to Brian Krebs, the exchanges confirm that Conti's leadership decided to shut down the Trickbot botnet at the beginning of January 2022. This corroborates reports from cybersecurity companies specializing in threat intelligence that campaigns to infect computers with Trickbot had stopped since the start of the year.

As Brian Krebs reports, several exchanges in the Conti Leaks also show that members of the group were well acquainted with a developer arrested in Miami in 2021 as part of the Trickbot investigation. Well enough, in any case, to consider providing financial support and paying for a defense lawyer.

In October 2021, several members of the Conti group learned that the American investigation into Trickbot was still ongoing and that the Russian authorities wanted to question them about it. These questions did not seem to worry the cybercriminals much, but they nevertheless appear to have sealed the fate of the Trickbot botnet. According to AdvIntel, the decision was made because the Trickbot malware had become too easy for antivirus and other security software to detect.

Same difference

According to security researchers at AdvIntel, the Conti group took on the main developers of the Trickbot group and chose to abandon work on that malware in favor of a newer, more sophisticated and stealthier tool, dubbed BazarBackdoor. This malware, first identified in 2020, had long been suspected of being a new tool developed by the group behind Trickbot.

On paper, the Trickbot malware is therefore bowing out. But its operators and developers will remain active within the Conti cybercriminal organization. A merger between two thriving cybercrime SMEs, though the total value of the transaction has not been disclosed.
