Trickbot is going through a transformational transition into a new malware

TrickBot operators appear to be abandoning their existing malware following a prolonged lull, indicating a big shift towards a new malware associated with Emotet...

24-Feb-2022
3 min read

Trickbot, a nefarious modular malware evident across multiple cyber attacks throughout 2021, appears to be undergoing an unprecedented transformation following a prolonged hiatus: no new malware campaigns have been observed since December 28, 2021. While such an abrupt silence is usually considered unusual and temporary in nature, it also avoids further takedowns and keeps the operation off the radar of U.S. Cyber Command, the U.S. Department of Justice and Microsoft.

Security researchers from Intel 471, who first observed this, speculate with confidence that the collaboration with the operators of Emotet is part of what is fueling this big shift towards developing a newer, improved malware platform, which may have convinced the operators of Trickbot to gradually abandon the existing infrastructure left behind by past malware campaigns.

Additionally, the relationship between Trickbot and Emotet was observed marking the resurrection of Emotet operations after its takedown, when Trickbot was seen downloading and executing Emotet samples. "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet," researchers stated. "TrickBot, after all, is relatively old malware that hasn't been updated in a major way."

Even though the number of Trickbot operations has decreased drastically over time, ransomware deployments by ransomware families linked with Trickbot, such as Conti, have continued. Similarly, the command and control infrastructure linked to Trickbot continues to operate normally underneath, serving additional plugins, web injects and additional configurations to bots in the botnet.

Even before this event, Trickbot and Emotet operators had a relationship. Emotet was often used to drop Trickbot samples until the Emotet takedown. These Trickbot samples often had the gtag “morXXX.” The relationship worked both ways: Intel 471 has observed commands from Trickbot controllers to download and execute Emotet long before Emotet’s 2021 return.

Trickbot is relatively old malware and has not seen any major developments after several disruptions and alleged takedowns; detection accuracy against it is high, and the network traffic from bot communication is easily recognizable as well. All of this convinced the operators of Trickbot to abandon their existing malware, changing their attack tactics and updating their defensive measures, with special emphasis on the ongoing association with Emotet.

Another crucial piece of the puzzle is the Bazar malware family, which has developed ties to the Trickbot group. Multiple threat actors leverage this stealthy backdoor to gain an initial foothold into high-value targets and execute follow-up payloads, such as Cobalt Strike and IcedID, aka Bokbot. We have also seen Bazar controllers pushing commands to download and execute Trickbot (mid-2021) and Emotet (November 2021). These events connect Bazar to Trickbot operators, as well as to the revival of Emotet.