IBM Security X-Force throws light on Russian cybercriminal syndicate Trickbot group attacking Ukraine

IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate ‘Trickbot group’ has been systematically attacking Ukraine since the Russian invasion. The findings, which come out of the team's ongoing research, mark an unprecedented shift: the group had not previously targeted Ukraine.

“Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns — two of which have been discovered by X-Force — against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter,” the researchers wrote in a blog post on Thursday. “Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured to not execute on systems if the Ukrainian language was detected,” they added.

According to the research, X-Force analysts investigated at least six ITG23 campaigns specifically targeting Ukraine between mid-April and mid-June 2022. Four of these had already been disclosed by CERT-UA, which tracks the activity under the group name UAC-0098; the analysis introduces two further campaigns newly uncovered by X-Force.

The Trickbot group campaigns against Ukraine are notable both for how far they depart from historical precedent and because they appear specifically aimed at Ukraine, with some payloads suggesting a higher degree of target selection.

“ITG23 is a financially motivated cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016; since that time the group has used its payloads to gain a foothold in victim environments for ransomware attacks, including Ryuk, Conti, and Diavol,” IBM said. “The systematic attacks observed against Ukraine include reported and suspected phishing attacks against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population. Successful attacks that resulted in data theft or ransomware would provide ITG23 with additional extortion opportunities, and particularly damaging attacks could harm Ukraine’s economy,” it added.

X-Force assesses that the Trickbot group itself controls the delivery of the emails and malware, rather than the independent distribution affiliates that usually deliver its payloads. “None of these campaigns are consistent with the techniques that known ITG23 third-party distribution affiliates are using to deliver the payloads to their targets. In 2021, X-Force analysts tracked several campaigns that were probably carried out directly by ITG23 personnel,” the research added.

Three of the six campaigns use a malicious Excel downloader not observed in other campaigns, while two use ISO image files to distribute the payloads; these ISO files were probably created by a boutique ISO builder that has supplied previous campaigns delivering ITG23 payloads.

Furthermore, five of the six campaigns download CobaltStrike, Meterpreter, or AnchorMail directly onto the target machine. Typically these payloads arrive later in an infection that begins with a first-stage loader such as Trickbot, Emotet, or IcedID; deploying them up front suggests targeted campaigns in which ITG23 is willing to expose its higher-value backdoors immediately.

“The CobaltStrike and IcedID payloads, which were used in four of the six campaigns, all use ITG23’s Tron, Hexa, or Forest crypters,” the research said. “The presence of an ITG23 crypter with a sample is a strong indication that its developer, distributor, or operator may either be part of ITG23 or has a partnership with the group. Crypters are applications designed to encrypt and obfuscate malware to evade analysis by antivirus scanners and malware analysts,” it added.

ITG23 activity has previously avoided Ukrainian targets, the X-Force analysts said. “Russian-speaking criminal underground communities have long generally discouraged if not outright banned going after former Soviet countries and—while not relevant to Ukraine—members of the Commonwealth of Independent States (CIS). This code of conduct likely came about to avoid creating victims in malware operators’ countries of residence, in large part to avoid antagonizing law enforcement,” they added. 

The research noted that this code of conduct also had the benefit of encouraging cooperation among Russian-speaking criminals, based on a shared sense of us-versus-the-rest solidarity. According to an indictment released by the U.S. Department of Justice (DOJ) in 2021, ITG23 (the group behind Trickbot) operated in multiple former Soviet countries, including Belarus, Russia, and Ukraine. This year, however, ideological divisions and allegiances have become apparent within the Russian-speaking cybercriminal ecosystem, with ITG23 as a primary case study.

Conti Ransomware group declared a pro-Russian stance early in the conflict, stating their commitment to attack entities that would oppose Moscow. The ContiLeaks, which exposed message logs and other files exchanged between members of ITG23, were reportedly obtained and leaked by a Ukrainian researcher.

The X-Force analysts said that the observed activities highlight a trend of this group choosing targets that align with Russian state interests in the ongoing conflict. For example, in addition to an announcement by the Conti ransomware group (which IBM tracks as part of ITG23) that it would act in support of Russian state interests at the beginning of the invasion of Ukraine, leaked chats between ITG23 members indicated that two senior individuals within the group had discussed in mid-April 2021 the targeting of entities that ‘work against the Russian Federation’ and agreed that they were (Russian) ‘patriots.’ Additionally, the Executive Director of Bellingcat claimed to have received a tip that a cybercriminal group communicated with Russia’s Federal Security Service (FSB).

The X-Force researchers also said that although “we have yet to observe similar activity on a wider scale, these campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups. Ukraine has been targeted with a wide variety of cyber activity leading up to and since the invasion, including distributed-denial-of-service (DDoS) attacks and defacements and attempted destructive activity attributed to Russian state-sponsored actors,” they added.

While investigating these campaigns, X-Force analysts also spotted new malware and tools being used by ITG23: a malicious Excel downloader used to deliver the payloads, a self-extracting archive (SFX) designed to drop and build ITG23 payloads such as AnchorMail, and a malware crypter X-Force has dubbed ‘Forest,’ the post said. “Of note, the Forest crypter has also been used with the Bumblebee malware, providing further evidence that ITG23 is behind Bumblebee. In this article, we provide details on the six campaigns we identified and describe the new malware and tools used during these attacks,” it added.

The X-Force analysts have called upon organizations to ensure that anti-virus software and associated signature files are up to date, to search their environments for existing signs of the published IOCs, and to consider blocking and/or setting up detection for all URL- and IP-based IOCs. They also advised keeping applications and operating systems at the current released patch level, not installing unapproved apps on devices that have access to the corporate network, and exercising caution with attachments and links in emails.
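As an added illustration of the "search your environment for the IOCs" step (this is the editor's example, not code from IBM or the X-Force report), the script below sweeps web-proxy logs for requests whose destination hostname or upstream peer IP matches a list of domain and network indicators. The IOC values, the Squid-style access log lines and the 10.0.0.x client addresses are all constructed placeholders for the demonstration; the real URL and IP indicators would be taken from the X-Force post. The script handles the two cases a naive grep misses: subdomains of an indicator domain (a match on `c2.example.net` must also catch `cdn.c2.example.net`, but not `notc2.example.net`) and IP indicators given as CIDR ranges rather than single hosts.

```python
"""IOC sweep over Squid-style proxy logs (editor's example; all IOCs and logs are constructed)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder indicators -- NOT the indicators from the X-Force report.
IOC_DOMAINS = {"malicious-downloader.example", "c2.example.net"}
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # a whole hosting range
    ipaddress.ip_network("198.51.100.7/32"),  # a single host
]

# Constructed Squid access.log lines: ts elapsed client code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1655380001.123    210 10.0.0.5 TCP_MISS/200 5120 GET http://malicious-downloader.example/inv.xls - HIER_DIRECT/203.0.113.9 application/vnd.ms-excel
1655380002.456     50 10.0.0.7 TCP_MISS/200 812 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1655380003.789    130 10.0.0.9 TCP_MISS/200 2048 POST http://cdn.c2.example.net:8080/gate.php - HIER_DIRECT/198.51.100.7 text/plain
1655380004.001     90 10.0.0.5 TCP_MISS/200 300 GET http://203.0.113.77/payload.iso - HIER_DIRECT/203.0.113.77 application/octet-stream
"""


def matches_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def matches_ip(value):
    """Return the IOC network (as a string) containing `value`; None if not an IP or no match."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # hostnames and empty strings are simply not IPs
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def parse_squid_line(line):
    """Pull client, method, URL and upstream peer IP out of one Squid native-format line."""
    fields = line.split()
    if len(fields) < 9:
        return None
    hier = fields[8]
    peer = hier.split("/", 1)[1] if "/" in hier else ""
    return {"client": fields[2], "method": fields[5], "url": fields[6], "peer": peer}


def sweep(log_text):
    """Return one hit per log line that touches an IOC, with every reason it matched."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = []
        host = urlsplit(rec["url"]).hostname or ""  # strips scheme, port and path
        dom = matches_domain(host)
        if dom:
            reasons.append("domain:" + dom)
        # The URL host may itself be a literal IP, and the peer the proxy actually
        # connected to may differ from the hostname (CDN fronting, DNS tricks).
        for label, candidate in (("url-host", host), ("peer", rec["peer"])):
            net = matches_ip(candidate)
            if net:
                reasons.append(f"{label}-ip:{net}")
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Run against a real access.log the same parser applies line by line; the only things to swap are the placeholder indicator sets. Matching on the upstream peer as well as the URL host is deliberate: an IP indicator often fires on the connection even when the hostname in the request looks innocuous.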
