Threat Analysis Report: Tracing the Connection from Shatak Emails to Conti Ransomware

Morgan Phisher December 12, 2023

Hey there, fellow Bay Area tech and healthcare enthusiasts! Today, we’re going to chat about something critically important in our digitally-driven world: cybersecurity. More specifically, we’re going to discuss the latest developments in malware-related attacks and how we can better protect ourselves.

Has anyone heard of the ITG23 group? They’re also known as the TrickBot Gang or Wizard Spider. Well, these guys have teamed up with their dear friends, the renowned TA551 group (yeah, you might know them as Shatak). They’ve combined their dastardly talents to distribute ITG23’s TrickBot and BazarBackdoor malware, resulting in the deployment of ITG23’s Conti ransomware on compromised systems.

So, what’s the big deal? Well, here’s the scary part. They are using emails for their dirty business. If you ever receive an email with a password-protected attachment, be wary. The moment you open it, it downloads and executes the TrickBot or BazarBackdoor malware. Oh, and by the way, they don’t deploy ransomware instantaneously after the initial infection; they usually carry out activities like data reconnaissance and credential theft first.

Alright, let’s take a step back for a moment so I can give you some backstory. Back in July 2021, ITG23 and Shatak decided to combine forces to distribute TrickBot and BazarBackdoor malware. Since 2016, TrickBot has been involved in numerous attack campaigns led by everyone from common criminals to nation-state actors.

In March 2021, Conti ransomware entered the scene. ITG23 introduced Conti into its operations, using a model where ransomware operators get paid a wage or a percentage of the ransom payments for successful attacks.

The real danger of Conti comes from its choice of targets. It tends to go after places where shutting down an IT system can have life-threatening consequences, like hospitals. The US authorities reported in September 2021 that over 400 Conti ransomware attacks had compromised U.S. and international organizations. If the ransom isn’t paid, the attackers threaten to leak or sell the stolen data.

Moving on, let’s look at a typical infection scenario. It’s quite simple, really. You receive a phishing email with a password-protected archive containing a malicious document. Once you download the archive, unpack it with the password from the email, open the document and enable macros, those macros download and execute the malware. Following this, the hackers carry out reconnaissance actions, steal credentials, and exfiltrate data.

Once this sequence is completed (which usually takes around two days), the Conti ransomware is ready to wreak havoc on the compromised system.
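Since the whole chain starts with a password-protected archive wrapping an Office document, that combination is something a mail gateway can flag before anyone clicks. Here’s an added example (my own code, not anything from the original report or from HEAL Security) that parses a message, pulls out the attachments, checks whether any ZIP entry carries the “encrypted” flag, and looks inside for macro-capable document names. The sample message, the file names, and the fake archive are all constructed for the demo; note that Python’s zipfile module can read but not write password-protected archives, so the sample patches the flag bit in by hand.

```python
"""Mail-attachment triage for the 'password-protected archive wrapping an
Office document' delivery pattern.  Added example, not from the original post;
every sample value below is constructed."""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Office formats that can carry VBA macros (the document type that kicks
# off the chain described in the post).
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".pptm")


def zip_entries(data: bytes):
    """Return the ZipInfo entries of a ZIP payload, or None if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def inspect_attachment(filename: str, payload: bytes) -> dict:
    """Score one attachment.  An encrypted archive wrapping an Office document
    matches the delivery pattern and is quarantined; a plain archive, a bare
    Office document or an encrypted archive with other content is held for
    review; anything else is allowed through."""
    entries = zip_entries(payload)
    result = {"filename": filename, "is_archive": entries is not None,
              "encrypted": False, "office_docs_inside": []}
    if entries is not None:
        # Bit 0 of the general-purpose flag marks a password-protected entry.
        result["encrypted"] = any(e.flag_bits & 0x1 for e in entries)
        result["office_docs_inside"] = [e.filename for e in entries
                                        if e.filename.lower().endswith(OFFICE_EXTENSIONS)]
    if result["encrypted"] and result["office_docs_inside"]:
        result["verdict"] = "quarantine"
    elif (result["encrypted"] or result["office_docs_inside"]
          or filename.lower().endswith(OFFICE_EXTENSIONS)):
        result["verdict"] = "review"
    else:
        result["verdict"] = "allow"
    return result


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and score every attachment in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [inspect_attachment(part.get_filename() or "<unnamed>",
                               part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]


def build_encrypted_zip(inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed sample: a one-entry ZIP with the 'encrypted' flag set.
    zipfile cannot write real password-protected archives, so the flag is
    patched into the local header (offset 6) and the central directory entry
    (offset 8); the detector above only reads the flag, so this suffices."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner_bytes)
    data = bytearray(buf.getvalue())
    struct.pack_into("<H", data, 6, 0x0001)           # local file header flags
    cd = data.find(b"PK\x01\x02")                      # first central directory header
    struct.pack_into("<H", data, cd + 8, 0x0001)      # central directory flags
    return bytes(data)


def make_sample_email() -> bytes:
    """Constructed sample message (not a real phishing sample): a password
    'shared' in the subject line, an encrypted ZIP wrapping a macro-enabled
    document, and a harmless text attachment for contrast."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice 4471 (archive password: 1234)"
    msg.set_content("Please see the attached invoice. The archive password is in the subject.")
    msg.add_attachment(build_encrypted_zip("invoice_4471.docm", b"placeholder, not a real document"),
                       maintype="application", subtype="zip", filename="invoice_4471.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(make_sample_email()):
        print(finding)
```

Running it prints one dictionary per attachment: the ZIP lands in “quarantine” because it is both encrypted and wraps a `.docm`, while `notes.txt` is allowed. The flag check is deliberately cheap; in a real gateway you would pair it with the password-in-the-email heuristic hinted at by the constructed subject line and with a macro scanner for the documents you can actually open.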

Looking at this with a broad Bay Area perspective, it’s obvious that with our extensive tech and healthcare industries, we are potentially attractive targets. Therefore, it’s imperative we equip ourselves with the necessary knowledge and cultivate good cybersecurity habits.

How do we protect ourselves? First off, be vigilant with every received email, especially if they contain links or attachments. Always keep your cybersecurity software updated and active. Oh, and remember the importance of strong, unique passwords, and don’t forget to make regular data backups. Also, for those of you with RDP services running, make sure they’re secure and monitored regularly. Finally, utilize multi-factor authentication whenever possible.

Alright, friends. That wraps up our discussion for today. Let’s stay smart, stay secure, and do our part in ensuring our beautiful Bay Area continues to thrive.

Oh, and lastly, remember to treat your cybersecurity like how we treat our famous sourdough bread: always fresh, always checked, and never left out in the open. Stay savvy!

by Morgan Phisher | HEAL Security