GOLD BLACKBURN
SUMMARY
GOLD BLACKBURN is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the TrickBot botnet until it was abandoned in March 2022. GOLD BLACKBURN has also operated and distributed the Anchor, BazarLoader (Team9), Reserlo (GRIMAGENT), and Buer Loader malware families. TrickBot was a highly capable, modular malware family distributed from August 2016 through December 2021, and is assessed with high confidence to be a direct descendant of the Dyre banking malware that emerged in June 2014 and was disrupted by Russian law enforcement intervention in November 2015. GOLD BLACKBURN operated TrickBot using an affiliate model, leading to disparate and independently operated groups distributing the TrickBot malware through numerous infection vectors or leveraging access to compromised machines to drop additional payloads. GOLD BLACKBURN voluntarily abandoned the TrickBot botnet on March 1, 2022, after months of internal deliberation about its waning effectiveness, but retains the capability to reconstitute the botnet at any time.
In early 2018, GOLD BLACKBURN began designing additional modules allowing TrickBot to perform automated host and network enumeration, credential theft and exfiltration, and spreading within the local network. In March 2020, GOLD BLACKBURN began distributing a new malware family, BazarLoader, through direct spam campaigns. The BazarLoader botnet was voluntarily shut down in February 2022 after extensive details of its operation were leaked along with chat logs from the GOLD ULRICK threat group. From August 2018 through early 2022, malware distributed and operated by GOLD BLACKBURN was the near-exclusive initial access vector (IAV) facilitating Ryuk or Conti ransomware attacks by GOLD ULRICK. From October 2019 to early 2020, TrickBot was used by the GOLD DUPONT threat group as the IAV for installing Cobalt Strike and the 777 (Defray777) ransomware.