The TrickBot ransomware gang, which developed the Conti ransomware and BazarLoader, has strengthened its distribution arsenal with the inclusion of new affiliates Hive0106, or TA551, and Hive0107, Threatpost reports.
"Earlier this year, [the TrickBot gang] primarily relied on email campaigns delivering Excel documents and a call-center ruse known as BazarCall to deliver its payloads to corporate users. However…the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," said IBM X-Force researchers.
Conti ransomware attacks have risen since the addition of the new affiliates. According to the report, researchers discovered that Hive0106 has been spreading TrickBot malware since June through email thread hijacking, a technique also used by the Emotet ransomware gang.
Meanwhile, Hive0107 began distributing TrickBot aimed at organizations in the US, Canada and Europe in May after spreading the IcedID trojan in the first six months of the year.