Following a takedown attempt in October, the TrickBot malware has received various improvements that are designed to make it more resilient.
On October 12, Microsoft announced that, together with several partners, it managed to legally disable existing TrickBot infrastructure and prevent operators from registering additional command and control (C&C) domains.
Soon after, however, the malware was seen continuing operations normally, and security researchers reported that even malware relying on TrickBot’s botnet, such as Ryuk ransomware, was largely unaffected by the operation.
The takedown attempt, however, did have a major impact on the botnet, as most of the C&C servers were down about one week after the takedown. At the time, Microsoft underlined that the effort was aimed at keeping TrickBot down during the U.S. presidential election.
Now, roughly one month later, security researchers are observing multiple updates being made to TrickBot to increase the botnet’s resilience and improve its reconnaissance capabilities.
The newer versions of the Trojan maintain the modules seen in previous versions, thus featuring unmodified capabilities. However, the operators are now using packed modules only, and are also digitally signing update responses, likely in an attempt to prevent future takedowns.
The malware’s version number has been bumped from 1000513 all the way to 2000016, and the new behavior, which ensures that newly deployed updates are legitimate, is characteristic to this variant.
What’s more, the malware operators appear to have switched to using MikroTik routers as C&C servers, and were observed using an EmerDNS domain as a backup server. According to Bitdefender, the same EmerCoin key used to administer the server is also employed in the administration of C&C servers for the Bazar backdoor.
The list of plugin server configurations has seen modifications as well, with Tor plugin services being eliminated and new tags (likely obfuscated IPs) added. The Bazar backdoor uses a similar technique.
The new version of the malware appears to have been used mainly in attacks on systems in Malaysia, the United States, Romania, Russia, and Malta.
Another change observed in TrickBot, this time by Advanced Intel security researcher Vitali Kremez, is the adoption of a fileless DLL loading method copied from the MemoryModule library.
The researcher also noticed the inclusion within TrickBot of a new reconnaissance module called LightBot, which allows the operators to identify targets of interest within the victim’s network. Capable of achieving persistence, LightBot is likely used to identify Ryuk ransomware targets, the researcher says.
“Completely dismantling TrickBot has proven more than difficult, and similar operations in the past against popular Trojans has proven that the cybercriminal community will always push to bring back into operation something that’s profitable, versatile and popular. TrickBot might have suffered a serious blow, but its operators seem to be scrambling to bring it back, potentially more resilient and difficult to extirpate than ever before,” Bitdefender points out.
Related: Microsoft Says Most TrickBot Servers Are Down
Related: Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt