ITG23 is known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and initially used to facilitate online banking fraud. In recent years Trickbot has evolved into a modular malware family capable of stealing credentials and moving laterally, and it is now used to download additional backdoors and ransomware such as Ryuk and Conti.

ITG23 is also responsible for developing a prolific loader known as BazarLoader and its most common payload, the BazarBackdoor, which were first identified in April 2020. Trickbot’s developers were also credited with developing the Anchor backdoor.

In September 2020, U.S. Cyber Command worked to disrupt ITG23’s operations by poisoning configuration files on its command-and-control (C2) servers. Microsoft, the following month, announced its own efforts to disrupt ITG23 by taking down a large number of their C2 servers. The gang pivoted its infrastructure and continues to operate in the wild. Most recently, ITG23’s move to expand its malware distribution further demonstrates that it was able to recover from last year’s disruptions and the arrest of an ITG23 developer in February 2021.

As the gang continues to rise, its activity also leads to the potential for more ransomware attacks, particularly using the Conti ransomware, which is also developed by ITG23. Trickbot and BazarLoader infections often lead to the deployment of Ryuk and Conti ransomware; indeed, there has been an increase in Conti ransomware deployments coinciding with the increase in Trickbot and BazarLoader activity.

Other articles in recent months have also discussed ITG23’s continued efforts to upgrade its malware, touching on both its fraud operations and ransomware attacks. Some examples of the upgraded components are its web-inject and Virtual Network Computing modules and possibly the new Diavol ransomware.