Following four years of virulent activity and multiple attempts to take it down, the insidious malware operation known as TrickBot has finally been cut down to size and is under brand-new management. The infamous ransomware syndicate known as Conti has taken TrickBot's top members under its banner and now plans to replace the headline-grabbing malware with a stealthier tool known as BazarBackdoor.

TrickBot’s legacy of chaos

A Windows-based malware platform, TrickBot uses numerous modules for a range of malicious activities. These include information theft, password harvesting, compromising Windows domains, selling initial access to enterprise networks and delivering additional malware payloads. Since 2016, TrickBot has been one of the dominant operations in the malware threat landscape, teaming up with some of the worst ransomware gangs on the planet. As a result, the malware has wreaked havoc and caused disruption to millions of users and devices around the world.

The Ryuk ransomware outfit initially partnered with TrickBot specifically for the initial access phase of its attacks, but Ryuk was subsequently replaced in that role by the Conti ransomware group. Conti has now been using TrickBot malware for over a year to acquire access to a long list of corporate networks.

To date, experts estimate that the gang running TrickBot campaigns for Conti, an elite cell known by the moniker Overdose, has made around $200 million from its activities.

Taking over the TrickBot operation

Cybercrime researchers at Advanced Intelligence (AdvIntel) found that, by 2021, the Conti gang had become the sole beneficiary of TrickBot's supply of high-value network accesses.

By last year, TrickBot's core development team had already built a stealthier piece of malicious software, BazarBackdoor. Used primarily to gain remote access to corporate networks and other valuable targets, BazarBackdoor establishes a foothold from which ransomware can later be deployed.

As TrickBot became easier for antivirus vendors to detect, the operators began switching to BazarBackdoor for their initial-access needs, particularly because it was designed specifically to compromise high-value victims without being noticed.

By the end of last year, the Conti gang had attracted many of the managers and elite developers behind the TrickBot botnet. As a result, TrickBot was absorbed into the Conti ransomware syndicate not as a partner but as a subsidiary. AdvIntel noted that BazarBackdoor was split off from the TrickBot malware toolkit into a standalone tool, with all subsequent development firmly controlled by Conti.

Malicious operators constantly revise the methods and mechanics of their cybercriminal campaigns to ensure they can still penetrate their targets' defences. As cybersecurity specialists and researchers get wise to a malware family and develop ways to block it, attackers must work hard to build more advanced tooling that can bypass the latest defences.

Companies that suffer a network attack or data breach must always notify the appropriate authorities and law enforcement agencies. They also have a duty to document and report their experiences in order to inform the cybersecurity community and support its continuing work against malicious operators.