Trickbot’s shift to attacks vs Ukraine examined

Ukraine has been targeted by Trickbot malware operators since the Russia-Ukraine war commenced in February, representing a significant shift in the operations of Trickbot, according to The Hacker News. Despite being absorbed by the Conti ransomware group earlier this year, Trickbot also known as ITG23, Wizard Spider, and Gold Blackburn has reemerged weeks later to launch phishing campaigns leveraging Cobalt Strike, AnchorMail, IcedID, and Meterpreter against Ukrainian targets, a report from IBM Security X-Force showed. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," wrote report author Ole Villadsen. Attacks using AnchorMail, Meterpreter, and Cobalt Strike were launched by Trickbot in April, with Russian state-backed group APT28 also leveraging the nuclear war lure used to spread the AnchorMail implant in attacks in June. "Ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year. These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups," said Villadsen.