IBM Security X-Force researchers have continually analyzed the use of several crypters developed by the cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the "Trickbot Group". The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs ("Contileaks"), provide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks often lead to ransomware.

Crypters are applications designed to encrypt and obfuscate malware to evade analysis by antivirus scanners and malware analysts. Crypters generally operate by encrypting the pre-compiled malware payload and embedding it within a secondary binary, known as a stub, which contains code to decrypt and execute the malicious payload. The use of crypters allows malware developers to easily experiment with different methods of evading antivirus detection without having to make changes to the malware itself.

X-Force analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors - including Trickbot, BazarLoader, Conti, and Colibri - as well as malware developed by other groups such as Emotet, IcedID, Qakbot, and MountLocker. The presence of one of these crypters on a file sample is a strong indication that its developer, distributor, or operator is either a part of ITG23 or has a partnership with the group.

X-Force found evidence that by mid-2021 ITG23 had scaled up its efforts to crypt malware, developing several new crypters and building a Jenkins build server to automate the crypting of malware at scale. X-Force also observed the analyzed crypters used repeatedly by Emotet and IcedID malware samples, indicating that ITG23 is also crypting malware for these groups.
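The stub-and-payload mechanism described above, modelled in code together with the two checks an analyst typically runs on a suspected crypted sample: a sliding entropy scan to spot the encrypted blob, and a brute-force of the decryption key that validates a carved candidate against the PE header structure rather than a single magic value. This is an added illustration, not X-Force's tooling or any ITG23 crypter; the single-byte XOR "cipher", the inert text stub, the fake PE payload and the seed are all constructed here for the example.

```python
"""
Toy model of a crypter (payload encrypted and embedded in a stub) plus the
analyst-side checks. Added example; everything below is constructed and not
taken from the article or from any real crypter.
"""
import math
import random
import struct
from collections import Counter

# ---- crypter side: wrap a payload --------------------------------------------

def xor_crypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR (assumption for the example). Symmetric, so the same
    call decrypts. Real crypters use stronger and more varied schemes; the
    mechanism (encrypt, embed, decrypt at run time) is the same."""
    return bytes(b ^ key for b in data)

def build_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a compiled payload: a DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature at 0x80,
    followed by the body bytes."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # 0x40 bytes
    dos_stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\x00")
    return dos_header + dos_stub + b"PE\x00\x00" + body

def build_crypted_sample(stub: bytes, payload: bytes, key: int) -> bytes:
    """Append the encrypted payload to the stub. A real stub carries the blob
    in a resource or section and decrypts/executes it in memory; here the
    stub is plain text, so nothing runs."""
    return stub + xor_crypt(payload, key)

# ---- analyst side: spot and carve the embedded payload ----------------------

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_windows(data: bytes, window: int = 256, threshold: float = 6.0):
    """(offset, entropy) for every window at or above the threshold.
    Encrypted or compressed regions sit well above plain code and text."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits

def find_xor_embedded_pe(data: bytes):
    """Brute-force every single-byte XOR key, looking for an 'MZ' whose
    e_lfanew points at a 'PE\\0\\0' signature under the same key. Checking
    the header structure, not just 'MZ', is what keeps false positives out.
    Returns (key, offset, decrypted_payload) or None."""
    for key in range(256):
        mz = xor_crypt(b"MZ", key)
        off = data.find(mz)
        while off != -1:
            hdr = xor_crypt(data[off:off + 0x40], key)
            if len(hdr) == 0x40:
                e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
                sig = xor_crypt(data[off + e_lfanew:off + e_lfanew + 4], key)
                if 0x40 <= e_lfanew < 0x400 and sig == b"PE\x00\x00":
                    return key, off, xor_crypt(data[off:], key)
            off = data.find(mz, off + 1)
    return None

# ---- constructed sample -----------------------------------------------------

STUB = 4 * (b"-- constructed stub: in a real crypter this is the loader binary; "
            b"it reads the blob that follows, decrypts it and runs it in memory. ")
KEY = 0x91                                      # constructed key
_rng = random.Random(1337)                      # deterministic stand-in for compiled code
PAYLOAD = build_fake_pe(bytes(_rng.getrandbits(8) for _ in range(2048)))
SAMPLE = build_crypted_sample(STUB, PAYLOAD, KEY)

def analyze(sample: bytes) -> dict:
    """Run both checks over a sample and return what an analyst would log."""
    carved = find_xor_embedded_pe(sample)
    return {
        "high_entropy": high_entropy_windows(sample),
        "key": carved[0] if carved else None,
        "payload_offset": carved[1] if carved else None,
        "payload": carved[2] if carved else None,
    }

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("high-entropy windows:", r["high_entropy"][:3], "...")
    print("key=0x%02x, payload at offset %d, recovered intact: %s"
          % (r["key"], r["payload_offset"], r["payload"] == PAYLOAD))
```

The entropy scan answers "is there an encrypted blob in this file at all", which is the cheap triage step; the carve answers "what is in it". Against a real crypter the cipher, key length and blob location differ per family, so the carve routine is the part that changes, while the structural validation (a sane e_lfanew and a PE signature under the same key) carries over.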