- Apr 24, 2016
The TrickBot malware operation has shut down after its core developers move to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families.
TrickBot is a notorious Windows malware infection that has dominated the threat landscape since 2016.
The malware is commonly installed via malicious phishing emails or other malware, and will quietly run on a victim's computer while it downloads modules to perform different tasks.
These modules perform a wide range of malicious activities, including stealing a domain's Active Directory Services database, spreading laterally on a network, screen locking, stealing cookies and browser passwords, and stealing OpenSSH keys.
TrickBot also has a long relationship with ransomware operations who partnered with the TrickBot group to receive initial access to networks infected by the malware.
In 2019, the TrickBot Group partnered with the Ryuk ransomware operation to provide the ransomware gang initial access to networks. In 2020, the Conti ransomware group, believed to be a rebrand of Ryuk, also partnered with TrickBot for initial access.
In 2021, TrickBot attempted to launch their own ransomware operation called Diavol, which has never really picked up steam, possibly because one of its developers was arrested.
Despite numerous takedown attempts by law enforcement, TrickBot had successfully rebuilt its botnet and continued to terrorize Windows networks.
That is until December 2021, when TrickBot distribution campaigns suddenly ceased.