Two weeks after someone (allegedly the US Cyber Command) temporarily interrupted the operation of the infamous Trickbot botnet, a coalition of tech companies headed by Microsoft has struck a serious blow against its operators.
“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft.
About Trickbot and the Trickbot botnet
Trickbot, which dates back to 2016, was originally a banking trojan, but due to its modular nature it is now capable of much more: gathering saved and entered credentials, browser histories, network and system information, installing a backdoor, harvesting email addresses, running various commands on a Windows domain controller to steal Active Directory credentials, launching brute force attacks against selected Windows systems running a RDP connection exposed to the Internet, and downloading and loading ransomware on the infected computer.
The malware is often delivered through spam and spear phishing campaigns, and occasionally through the Emotet botnet.
“In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that ‘the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world’,” Symantec (Broadcom) researchers noted.
“Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives,” Burt explained, and noted that beyond infecting end user computers, Trickbot has also infected a number of IoT devices, such as routers.
Since late September, Trickbot has been hit twice by (then-unknown) attackers.
According to Brian Krebs, they first pushed out a new configuration file to Windows computers infected with Trickbot, instructing them to consider 127.0.0.1 (a “localhost” address) their new control server.
A week later, they did it again, but at the same time, “someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records,” apparently in an attempt to “dilute the Trickbot database and confuse or stymie the Trickbot operators.”
These efforts, which were subsequently revealed to have been mounted by the US Cyber Command, did not permanently affect the botnet.
But the technical and legal efforts lead by Microsoft and supported by FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec division are expected to considerably affect the botnet’s operation.
After gathering enough information about the botnet’s operation and C&C servers, Microsoft went to the United States District Court for the Eastern District of Virginia, which then court granted approval for Microsoft and partners to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”
The operation will be followed by further action by ISPs and CERTs around the world, who will attempt to reach Trickbot victims and help them remove the malware from their systems.
“This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt pointed out.
“While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted,” the Black Lotus Labs team noted.
This content was originally published here.