ITG23

Threat Actor updated 7 months ago (2024-05-04T20:34:53.613Z)

Download STIX

Preview STIX

ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample being a strong indication of ITG23 involvement or partnership. In addition to this, ITG23 has adapted to the evolving ransomware economy through the creation of Conti ransomware-as-a-service (RaaS) and the deployment of BazarLoader and Trickbot payloads to establish a foothold for ransomware attacks. The group has also collaborated with other notable affiliates such as Hive0107 to distribute Trickbot and BazarLoader. Since late February 2023, former members of ITG23 have been observed using Dave Loader with Domino Backdoor during their campaigns. This suggests a level of collaboration between ITG23 and other groups, possibly including current or former ITG14 developers. These campaigns may be delivered by threat actors using the handles ‘Netwalker’ and ‘Cherry,’ who are believed to be working within the ITG23 organization. However, it remains unclear whether ITG23 itself controls the delivery of these malicious emails or if they are independently distributed by other affiliates like Hive0106 and Hive0107. Significantly, ITG23 has formed partnerships with spam powerhouse Hive0106, also known as TA551, and consistently effective payload distributor Hive0105. During the summer, ITG23 partnered with Hive0107 to distribute Trickbot and BazarLoader. Furthermore, ITG23 operatives are reportedly collaborating with the threat actor Zeus on matters related to these campaigns, which might explain the derivation of 'zev,' 'zem,' and 'zvs' gtag names. Notably, some IBM researchers have identified files delivering malware unrelated to ITG23, such as the Zeppelin ransomware, indicating a complex and evolving threat landscape.

Description last updated: 2024-05-04T17:02:02.624Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Conti is a possible alias for ITG23. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	2
TA551 is a possible alias for ITG23. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma	2
Wizard Spider is a possible alias for ITG23. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribu	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Trojan

Payload

Ransomware

Loader

Fraud

RaaS

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The TrickBot Malware is associated with ITG23. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,	Unspecified	2
The Bazarloader Malware is associated with ITG23. BazarLoader is a type of malware developed by the TrickBot group, primarily used to gain initial access to a victim's infrastructure in ransomware attacks. This malware has been associated with various threat groups, including ITG23, which has used BazarLoader alongside other malware like Trickbot a	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Hive0106 Threat Actor is associated with ITG23. Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive	Unspecified	2

Source Document References

Information about the ITG23 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	a year ago	Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
SecurityIntelligence.com	2 years ago	RansomExx Upgrades to Rust
SecurityIntelligence.com	a year ago	ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU	a year ago	BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com	a year ago	The Trickbot/Conti Crypters: Where Are They Now?