2022-07-19

Ukraine Attacked by Trickbot Group

Industry: N/A | Level: Tactical | Source: IBM

IBM Security X-Force has identified activity from the Trickbot group targeting Ukraine since the Russian invasion. The group was not known to target Ukraine prior to the conflict; however, from mid-April to mid-June it initiated at least six campaigns against Ukraine. The group's focus has aligned with Russian state interests. IBM Security X-Force considers this shift in targeting notable because of "the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection." The Trickbot group has carried out several phishing campaigns "against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population." The phishing emails from the six observed campaigns use either Excel or ISO files to deliver malicious payloads such as IcedID, AnchorMail Backdoor, Cobalt Strike, and Meterpreter.

Anvilogic Scenario:

  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • Malicious Document Execution
  • Meterpreter Reverse Shell
  • Cobalt Strike Beacon
  • Rundll32 Command Line
  • Executable Create Script Process
