TrickBot, the notorious Windows crimeware-as-a-service (CaaS) solution used by several threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a transition, with no new activity since the beginning of the year. 

Researchers at Intel 471 stated in a study provided with The Hacker News that the slowdown in malware activities is partially due to a huge shift by Trickbot's operators, including working with the operators of Emotet. Even as the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. 

Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month break due to law enforcement efforts to combat the malware. The attacks, which began in November 2021, comprised an infection sequence that utilized TrickBot to download and execute Emotet binaries, whereas Emotet binaries were frequently used to drop TrickBot samples previous to the shutdown. 

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installs to the infected systems, highlighting the possibility of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it's not unexpected that the threat actor behind it is actively working to change tactics and modify their protective mechanisms. 

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.