IBM Security X-Force researchers have continually analyzed the use of several crypters developed by the cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”), provide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks often lead to ransomware.

Crypters are applications designed to encrypt and obfuscate malware to evade analysis by antivirus scanners and malware analysts. Crypters generally operate by encrypting the pre-compiled malware payload and embedding it within a secondary binary, known as a stub, which contains code to decrypt and execute the malicious payload. The use of crypters allows malware developers to easily experiment with different methods of evading antivirus detection without having to make changes to the malware itself. X-Force analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors - including Trickbot, BazarLoader, Conti, and Colibri - as well as malware developed by other groups such as Emotet, IcedID, Qakbot, and MountLocker. The presence of one of these crypters on a file sample is a strong indication that its developer, distributor, or operator is either a part of ITG23 or has a partnership with the group. X-Force found evidence that ITG23 by mid-2021 scaled up their efforts to crypt malware with the development of several new crypters and the construction of a Jenkins build server to automate the crypting of malware at scale.

X-Force also observed the analyzed crypters used repeatedly by Emotet and IcedID malware samples, indicating ITG23 is also crypting malware for these groups. Additionally, X-Force uncovered that at least one ITG23 crypter has been used repeatedly since late February 2022 with the Qakbot banking trojan and at least once with the Gozi banking trojan likely delivered by the ITG23 distribution affiliate TA551 (tracked by X-Force as Hive0106). These findings add to a growing body of evidence indicating a close relationship between ITG23 and the threat actors behind the development and operation of IcedID and Emotet. X-Force’s analysis of these crypters has also uncovered a previously undisclosed relationship between the IcedID group and the MountLocker ransomware-as-a-service (RaaS) operation.

ITG23’s “Build Machine”

A Tangled Web They Weave

ITG23 is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and initially used to facilitate online banking fraud. The group since that time expanded its operations to develop and operate new malware such as BazarLoader and Anchor. ITG23 also adapted to the ransomware economy by using its payloads to gain a foothold in victim environments for ransomware attacks and by developing and operating the Conti and Diavol RaaS operations. ITG23 is best thought of as a group of groups, not unlike a large corporation, who report to common “upper management” and share infrastructure and support functions, such as IT and human resources. One of these support groups within ITG23 is dedicated to developing crypters for use with the group’s own malware operations as well as for several other groups. ITG23 has been crypting its malware for several years, and crypters used by the group were regularly seen in use with malware such as Trickbot, Emotet, Cobalt Strike and Ryuk.
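The description of a crypter above (an encrypted pre-compiled payload embedded in a stub that decrypts and runs it) is also what gives analysts a first-pass way to spot such samples: the encrypted payload is a large, contiguous run of near-random bytes sitting inside otherwise ordinary executable code. The following Python script is an added example written for this page, not code from X-Force or from the report; it computes Shannon entropy over fixed windows of a byte buffer and merges adjacent high-entropy windows into candidate "embedded payload" regions. The 1 KiB window size, the 7.0 bits-per-byte cut-off, and the input buffer (a constructed mix of repetitive stub-like bytes, seeded pseudo-random bytes standing in for ciphertext, and zero padding) are all assumptions made for the example.

```python
import math
import random
from collections import Counter

# Assumed heuristic settings (not from the X-Force report): non-overlapping
# windows of 1 KiB, flagged when their entropy exceeds 7.0 bits per byte.
WINDOW_SIZE = 1024
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = WINDOW_SIZE,
                              threshold: float = ENTROPY_THRESHOLD):
    """Return (start, end) byte ranges whose windows all exceed `threshold`.

    Consecutive flagged windows are merged into one region, so a single
    encrypted payload embedded in a stub shows up as one contiguous range.
    """
    regions = []
    current = None
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        if shannon_entropy(chunk) > threshold:
            if current is None:
                current = [offset, offset + len(chunk)]
            else:
                current[1] = offset + len(chunk)
        elif current is not None:
            regions.append(tuple(current))
            current = None
    if current is not None:
        regions.append(tuple(current))
    return regions


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a crypted binary (not a real malware sample).

    Layout: 2 KiB of repetitive "stub-like" code bytes, 4 KiB of seeded
    pseudo-random bytes standing in for an encrypted payload, 1 KiB of zeros.
    """
    stub = b"\x55\x8b\xec\x83\xec\x10\x00\x00" * 256      # 2048 bytes, ~2.75 bits/byte
    rng = random.Random(1337)                              # fixed seed: reproducible output
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    padding = b"\x00" * 1024                               # 0 bits/byte
    return stub + payload + padding


def scan(data: bytes):
    """Report each candidate region with the entropy of the whole region."""
    return [(start, end, round(shannon_entropy(data[start:end]), 2))
            for start, end in find_high_entropy_regions(data)]


if __name__ == "__main__":
    sample = build_constructed_sample()
    for start, end, ent in scan(sample):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({end - start} bytes), "
              f"{ent} bits/byte -> candidate embedded encrypted payload")
```

On the constructed buffer the scan reports one region at offsets 0x800-0x1800, exactly the pseudo-random block. In practice this is a triage heuristic, not a verdict: compressed resources, packed legitimate installers and embedded certificates also produce high-entropy runs, so a flagged region is a reason to look closer (where the stub references it, what code follows it), not proof of a crypter.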