ITG23

Threat Actor Profile Updated 24 days ago
ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active in the East European cybercrime arena since 2016. The group is known for its use of Reflective DLL Injection code in many of its crypters; the presence of these crypters in a file sample is a strong indication of ITG23 involvement or partnership. ITG23 has also adapted to the evolving ransomware economy by creating the Conti ransomware-as-a-service (RaaS) offering and by deploying BazarLoader and Trickbot payloads to establish footholds for ransomware attacks. The group has collaborated with affiliates such as Hive0107 to distribute Trickbot and BazarLoader.

Since late February 2023, former members of ITG23 have been observed using Dave Loader together with the Domino Backdoor in their campaigns. This suggests collaboration between ITG23 and other groups, possibly including current or former ITG14 developers. These campaigns may be delivered by threat actors using the handles 'Netwalker' and 'Cherry', who are believed to work within the ITG23 organization. It remains unclear, however, whether ITG23 itself controls the delivery of these malicious emails or whether they are distributed independently by other affiliates such as Hive0106 and Hive0107.

ITG23 has formed partnerships with the spam powerhouse Hive0106, also known as TA551, and with the consistently effective payload distributor Hive0105. During the summer, ITG23 partnered with Hive0107 to distribute Trickbot and BazarLoader. ITG23 operatives are also reported to be collaborating with the threat actor Zeus on matters related to these campaigns, which might explain the derivation of the 'zev', 'zem' and 'zvs' gtag names. Notably, some IBM researchers have identified files delivering malware unrelated to ITG23, such as the Zeppelin ransomware, indicating a complex and evolving threat landscape.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID | Votes | Profile Description
TA551 | 2 | TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Wizard Spider | 2 | Wizard Spider, also known as ITG23, DEV-0193, or the "Trickbot Group", is a prominent threat actor group that has been continually analyzed by IBM Security X-Force researchers. This cybercriminal organization is credited with creating the notorious and ever-evolving TrickBot malware and is known for
Miscellaneous Associations
Other contextual elements that could help in assessing relevance
Malware
Trojan
Payload
Ransomware
Loader
Fraud
RaaS
Associated Malware
ID | Type | Votes | Profile Description
Conti | Unspecified | 2 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
TrickBot | Unspecified | 2 | TrickBot is a notorious malware that has gained prominence due to its destructive capabilities. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot c
Bazarloader | Unspecified | 2 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Associated Threat Actors
ID | Type | Votes | Profile Description
Hive0106 | Unspecified | 2 | Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the ITG23 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
SecurityIntelligence.com | 6 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
SecurityIntelligence.com | a year ago | The Trickbot/Conti Crypters: Where Are They Now?
MITRE | 6 months ago | Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
SecurityIntelligence.com | a year ago | Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU | a year ago | BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
SecurityIntelligence.com | a year ago | RansomExx Upgrades to Rust