CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



TrickBot Gets Updated to Survive Takedown Attempts

Following a takedown attempt in October, the TrickBot malware has received various improvements that are designed to make it more resilient.

Following a takedown attempt in October, the TrickBot malware has received various improvements that are designed to make it more resilient.

On October 12, Microsoft announced that, together with several partners, it managed to legally disable existing TrickBot infrastructure and prevent operators from registering additional command and control (C&C) domains.

Soon after, however, the malware was seen continuing operations normally, and security researchers reported that even malware relying on TrickBot’s botnet, such as Ryuk ransomware, was largely unaffected by the operation.

The takedown attempt, however, did have a major impact on the botnet, as most of the C&C servers were down about one week after the takedown. At the time, Microsoft underlined that the effort was aimed at keeping TrickBot down during the U.S. presidential election.

Now, roughly one month later, security researchers are observing multiple updates being made to TrickBot to increase the botnet’s resilience and improve its reconnaissance capabilities.

The newer versions of the Trojan maintain the modules seen in previous versions, thus featuring unmodified capabilities. However, the operators are now using packed modules only, and are also digitally signing update responses, likely in an attempt to prevent future takedowns.

The malware’s version number has been bumped from 1000513 all the way to 2000016, and the new behavior, which ensures that newly deployed updates are legitimate, is characteristic to this variant.

What’s more, the malware operators appear to have switched to using MikroTik routers as C&C servers, and were observed using an EmerDNS domain as a backup server. According to Bitdefender, the same EmerCoin key used to administer the server is also employed in the administration of C&C servers for the Bazar backdoor.

Advertisement. Scroll to continue reading.

The list of plugin server configurations has seen modifications as well, with Tor plugin services being eliminated and new <psrva> tags (likely obfuscated IPs) added. The Bazar backdoor uses a similar technique.

The new version of the malware appears to have been used mainly in attacks on systems in Malaysia, the United States, Romania, Russia, and Malta.

Another change observed in TrickBot, this time by Advanced Intel security researcher Vitali Kremez, is the adoption of a fileless DLL loading method copied from the MemoryModule library.

The researcher also noticed the inclusion within TrickBot of a new reconnaissance module called LightBot, which allows the operators to identify targets of interest within the victim’s network. Capable of achieving persistence, LightBot is likely used to identify Ryuk ransomware targets, the researcher says.

“Completely dismantling TrickBot has proven more than difficult, and similar operations in the past against popular Trojans has proven that the cybercriminal community will always push to bring back into operation something that’s profitable, versatile and popular. TrickBot might have suffered a serious blow, but its operators seem to be scrambling to bring it back, potentially more resilient and difficult to extirpate than ever before,” Bitdefender points out.

Related: Microsoft Says Most TrickBot Servers Are Down

Related: Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt

Related: TrickBot Botnet Survives Takedown Attempt

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...