Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

TrickBot Botnet Survives Takedown Attempt

The TrickBot botnet appears to have resumed normal operations days after Microsoft announced that it managed to take it down using legal means. 

The TrickBot botnet appears to have resumed normal operations days after Microsoft announced that it managed to take it down using legal means. 

On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure. 

Only three days after the announcement, however, security researchers with Intel 471 revealed that the botnet has resumed operations, despite Microsoft’s takedown attempt and efforts from the U.S. Cyber Command to hack TrickBot’s servers. 

On October 14, the Emotet botnet began distributing malicious Word documents meant to download and execute a copy of Emotet. The Emotet bots, the researchers say, received commands to fetch and run Trickbot on victim machines.

Intel 471 also notes that the Trickbot plugin server configuration file has received an update which added fifteen server addresses and retained two old servers, along with the server’s .onion address. 

The change, the researchers believe, was likely performed as a fix that would ensure that the botnet’s infrastructure remains operational. 

“The fact that Trickbot has resumed normal operations despite the best efforts of U.S. Cyber Command and Microsoft shows how resilient of an operation Trickbot is and how much more effort is needed to fully take the botnet offline for good,” Intel 471 said. 

The researchers, who have been tracking the botnet’s activity for months, assess that TrickBot’s operators have IT support that any legitimate enterprise takes advantage of, including automated deployment, backups, continuity planning, and a dedicated team behind, which allows them to react to disruptions fast. 

Advertisement. Scroll to continue reading.

“About 10 years ago it was much easier to completely take over or significantly disrupt a botnet, but cybercriminals are students of takedowns and have learned to make their operations more resilient to takedown efforts. That’s why every takedown attempt has some potential of giving ground to the adversary. You’re teaching them where the weaknesses in their armor are and they have a team of developers ready to act on that information. So unless you strike a killing blow, you’re not going to impact them long term,” Intel 471 COO Jason Passwaters said. 

To fully disrupt TrickBot, the researchers say, a multi-prolonged effort is needed. Multinational law enforcement support with focus on arresting operators, an aim at the botnet’s main infrastructure, and tight collaboration between governments and the private sector for de-infection are required for a successful takedown. 

Related: Tech Companies Take Down TrickBot Botnet Infrastructure

Related: More Links Found Between North Korean and Russian Hacking Operations

Related: RDP-Capable TrickBot Targets Telecoms Sectors in U.S. and Hong Kong

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this in-depth briefing on how to protect executives and the enterprises they lead from the growing convergence of digital, narrative, and physical attacks.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Life360 has appointed Vari Bindra, former Amazon cybersecurity lead, as Chief Information Security Officer.

Forcepoint has appointed Guy Shamilov as CISO, Bakshi Kohli as CTO and Naveen Palavalli as CPO and CMO.

Paul Calatayud has been named CISO of developer security posture management firm Archipelo.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.