The Trickbot botnet appears to be making a comeback this month with a fresh campaign that is targeting insurance companies and legal firms in North America, according to an analysis published Friday by Menlo Security.
While the phishing campaign that started Jan. 12 contains some of the hallmarks of a Trickbot campaign, Vinay Pidathala, director of security research at Menlo Security, says more analysis is needed to fully confirm that that botnet is active again and able to target new victims.
In October 2020, Microsoft led a coalition of security researchers and U.S. federal agencies in an effort to disrupt Trickbot’s operation and dismantle its infrastructure. And while initially successful at taking down the botnet, analysts warned that its operators would likely rebuild its malicious network (see: Trickbot Rebounds After ‘Takedown’ ).
While the campaign that Menlo Security is tracking appears to show that Trickbot is making a comeback, Pidathala notes that the scale of the attacks is smaller earlier campaigns associated with the botnet.
“This activity is trickling in and is definitely not at the scale at which it was before,” Pidathala says. “Attackers are pretty motivated, so it was not too much of a surprise to see these attackers restore their campaign activity. If this activity will regain its past scale and numbers is something that can only be answered in due time.”
In the phishing campaign that Menlo Security discovered, the researchers found messages that contained a malicious URL link. This is different from other Trickbot attacks that typically used an attached Word document as part of the initial compromise.
When Menlo Security researchers examined the URL used in the initial phishing email and the IP address of the command-and-control server, they discovered that both have connections to previous attacks associated with Trickbot.
A Trickbot Comeback?
While security experts praised Microsoft and other efforts to dismantle and disrupt Trickbot, they also noted that eliminating a botnet of this size is difficult. With enough time, its operators are likely to find ways to rebuild the network.
“There is nothing that prevents the same bad actor from using the same tools and the same operating model to effectively rebuild their footprint,” Oliver Tavakoli, CTO at security firm Vectra, notes. “In general, takedowns end up being temporary setbacks for the parties running a botnet and provide temporary relief to the good guys.”
Dirk Schrader, global vice president at security firm New Net Technologies, says law enforcement actions are less effective because they do not address the root problem of operations such as Trickbot.
“Technical or legal approaches will always fall short, as there will be a different way to keep botnets active and effective, or the legal approach is lacking effectiveness due to different laws in countless countries,” Schrader says. “It might work for intermediaries, but not at the root level. These inadequacies do help cybercrime groups to stay in the business.”
Trickbot first appeared as a banking Trojan in 2016, but it steadily evolved into a botnet that could deliver other malicious code such as ransomware. Before the Microsoft takedown in October 2020, the botnet was closely associated with Ryuk ransomware (see: Ryuk Ransomware Profits: $150 Million).
A month after Microsoft and others announced the Trickbot takedown, security firms began noticing new signs of life associated with the botnet. Security firm Bitdefender, for example, published a report that found Trickbot had rolled out an updated version of the botnet that made the malware more difficult to kill (see: Updated Trickbot Malware Is More Resilient ).
Earlier this week, Europol and other law enforcement agencies announced that they had disrupted Emotet, another botnet that had been closely associated with Trickbot for several years (see: Emotet, Ryuk, TrickBot: ‘Loader-Ransomware-Banker Trifecta’).
Pidathala notes that the recent legal actions against both Trickbot and now Emotet could be a reason why the Trickbot operators began switching some tactics, such as using a malicious link instead of a document as part of the initial phishing email.
“Emotet was quite popularly used as the delivery mechanism for Trickbot malware,” Pidathala says. “Emotet predominantly used Microsoft Word documents to drop the Trickbot payloads. The takedown of Emotet could’ve played a role in why Trickbot used a web payload instead of a Word document.”
Managing Editor Scott Ferguson contributed to this report.
This content was originally published here.