Microsoft on Monday revealed that it worked together with industry partners to shut down the infrastructure used by TrickBot operators and block efforts to revive the botnet.
The Washington Post reported last week that U.S. Cyber Command also attempted to hack TrickBot’s C&C servers, in an effort to take the botnet down and prevent attacks seeking to disrupt the U.S. presidential elections. This is said to have been a separate operation that was not coordinated with Microsoft.
TrickBot emerged in 2016 as a banking Trojan, supposedly from the same group that operated the Dyre Trojan, and has become one of the most prevalent threats out there, with more than one million infected machines all around the world.
Over time, TrickBot has received updates that expanded its capabilities, and it has evolved into a modular threat that ensnares computers into a botnet offered under a malware-as-a-service model. Both nation-states and criminal networks are believed to have employed it for nefarious purposes.
The network of infected machines has been leveraged in malicious campaigns aimed at stealing credentials and data, and delivering additional malware, such as the Ryuk ransomware.
TrickBot has been distributed in email campaigns that leveraged current events as lures, with malicious documents attached. The attacks targeted a wide range of verticals in numerous regions, Microsoft says. Other distribution methods included lateral movement via Server Message Block (SMB), or deployment via other malware, such as Emotet.
“Over the years we’ve tracked it, Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets out there. Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” Jean-Ian Boutin, Head of Threat Research at ESET, explains.
As part of one TrickBot attack, once the victim was enticed to open the malicious attachment, a script was executed to gather system information, perform queries to the affected organization’s domain controller, and gather data about the Active Directory.
Additional payloads were executed to eventually gain control over the affected system, gather information on potentially high-value devices on the network, and move laterally. TrickBot was used to steal credentials from the Windows Vault and Credentials Manager, so that security mechanisms could be evaded. The attackers added the initial script to Startup for persistence.
Microsoft says that its investigation into TrickBot involved the analysis of roughly 61,000 malware samples, which revealed constantly evolving modular capabilities, and support for infecting Internet of Things (IoT) devices.
Various TrickBot modules are meant for banking credentials theft, reconnaissance, data theft, password grabbing, cookies theft, information stealing, point-of-sale reconnaissance, remote control, SMB spreading, Outlook theft, lateral movement, and RDP brute-force.
Microsoft notes that it managed to disrupt TrickBot’s infrastructure “after United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.”
The company worked together with industry partners to take action against TrickBot, and received help from the Financial Services Information Sharing and Analysis Center (FS-ISAC), ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom-owned Symantec. Internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world were also contacted, to help with remediation efforts.
“The court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers,” Microsoft says.
The company expects that TrickBot’s operators will attempt to revive their operation, but says that it will work with its partners to monitor such activities and take further action when necessary. The malware has various fallback mechanisms and its operators are connected to other highly active cybercriminal actors, which made the disruption difficult, ESET notes.
As Symantec explains, the takedown “relied upon intellectual-property laws to effectively evict the botnet operators from the command-and-control servers they need to maintain access to victim machines.”