The TrickBot malware operation has shut down after its core developers moved to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families.
TrickBot is a notorious Windows malware infection that has dominated the threat landscape since 2016.
The malware is commonly installed via malicious phishing emails or other malware, and will quietly run on a victim's computer while it downloads modules to perform different tasks.
These modules perform a wide range of malicious activities, including stealing a domain's Active Directory Services database, spreading laterally on a network, screen locking, stealing cookies and browser passwords, and stealing OpenSSH keys.
TrickBot also has a long relationship with ransomware operations that partnered with the TrickBot group to receive initial access to networks infected by the malware.
In 2019, the TrickBot group partnered with the Ryuk ransomware operation to provide the ransomware gang with initial access to networks. In 2020, the Conti ransomware group, believed to be a rebrand of Ryuk, also partnered with TrickBot for initial access.
In 2021, TrickBot attempted to launch its own ransomware operation, called Diavol, which never really picked up steam, possibly because one of its developers was arrested.
Despite numerous takedown attempts by law enforcement, TrickBot had successfully rebuilt its botnet and continued to terrorize Windows networks. That is, until December 2021, when TrickBot distribution campaigns suddenly ceased.