The TrickBot trojan has been dealt a serious blow thanks to a coordinated action led by Microsoft that disrupted the botnet that spreads it. However, researchers warn that the operators will quickly try to revive their operations.
TrickBot is known for spreading other malware, especially ransomware. Microsoft said this week that the United States District Court for the Eastern District of Virginia granted a request for a court order to halt TrickBot's operations, which it carried out in concert with other firms, including ESET, Lumen's Black Lotus Labs, NTT Ltd., Symantec and others.
"We disrupted TrickBot through a court order we obtained, as well as technical action we executed in partnership with telecommunications providers around the world," wrote Tom Burt, corporate vice president, Customer Security & Trust, at Microsoft, in a Monday posting. "We have now cut off key infrastructure so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems."
TrickBot is a well-known and sophisticated trojan first developed in 2016 as banking malware; it has a history of transforming itself and adding new features to evade detection. Moving far beyond its banking roots, it has developed over the years into a full-fledged, module-based crimeware solution typically aimed at attacking corporations and public infrastructure.
Users infected with the TrickBot trojan will see their device become part of a botnet that can allow attackers to gain complete control of the device. Typical consequences of TrickBot infections are bank account takeover, high-value wire fraud and ransomware attacks. It's often seen working in concert with Emotet, another concerning and widespread trojan that's known for its modular design.
"What makes [TrickBot] so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators' purposes through a 'malware-as-a-service' model," Burt said. "Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, TrickBot has also infected a number of Internet of Things devices, such as routers, which has extended TrickBot's reach into households and organizations."
TrickBot has infected more than 1 million computing devices around the world since late 2016, according to Microsoft.
Microsoft and partners were able to thwart TrickBot's mechanisms to evade detection and uncover its command-and-control (C2) infrastructure, including the location of its servers.
ESET, for example, said that it analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different TrickBot modules, which gave the team a window into the C2 setup.
Figure: TrickBot infections globally. Source: ESET.
According to ESET, one of the keys to the investigation was the fact that TrickBot's modular architecture uses a variety of plugins to perform its vast array of malicious actions.
"One of the oldest plugins developed for the platform allows TrickBot to use web injects, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites," according to the post. "To operate, this plugin relies on configuration files downloaded by the main module. These contain information about which websites should be modified and how."
These decrypted configuration files contain targeted URLs and the malicious C2 URLs the bot should contact when a victim accesses a targeted site.
"As we observed the infected computers connect to and receive instructions from command-and-control servers, we were able to identify the precise IP addresses of those servers," Microsoft's Burt explained. "With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command-and-control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers."
This is a different approach from the takedown of the Necurs peer-to-peer botnet, which Microsoft led in March. The firm worked with technical and legal partners in 35 countries to disrupt that malware.
"By analyzing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6+ million unique domains that would be created within the next 25 months," said Nozomi Networks co-founder Andrea Carcano, via email. "Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure."
Interestingly, Microsoft's request for legal approval hinges on a copyright claim against TrickBot's malicious use of its software code. It's the first time the computing giant has used this approach, Burt said, adding that the tactic "allowed us to take civil action to protect customers in the large number of countries around the world that have these laws in place."
He added that because TrickBot retains its focus on online banking websites, and stealing funds from people and financial institutions, the Financial Services Information Sharing and Analysis Center (FS-ISAC) was a co-plaintiff in the legal action.
"While botnet operators are using every trick in the book to expand their malicious activity, defenders for obvious reasons have to comply with the law when implementing the countermeasures," said Carcano. "But as Microsoft's actions show, this doesn't mean that you cannot be creative with the technical and non-technical tools available. The beauty of this latest approach is that while defenders have to suffer the asymmetry of attackers operating behind the limits of the law, by taking the case to court, Microsoft gained a legal advantage to regain control."
TrickBot may be disrupted for now, but researchers pointed out that the operators have other projects going on.
"One of these projects is the so-called Anchor project, a platform mostly geared towards espionage rather than crimeware," according to ESET. "They are also likely involved in the development of the Bazar malware, a loader and backdoor used to deploy malware, such as ransomware, and to steal sensitive data from compromised systems."
"Prior to the disruption, we had already observed some actors that were previously distributing TrickBot switch to BazaLoader, which has been linked by code similarity to TrickBot," said Sherrod DeGrippo, senior director of threat research at Proofpoint, via email.
TrickBot itself will likely re-emerge, according to Burt.
"We fully anticipate TrickBot's operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them," he said.
DeGrippo went further and noted that the takedown's efficacy remains to be seen.
"Typically, these types of actions don't result in a direct reduction of threat activity," the researcher noted. "Threat actors will often replace the lost infrastructure quickly and easily out of a different country so we will need to wait and see what the direct impact will be... We believe it's unlikely we'll see any immediate significant changes in Trickbot email delivery volumes... The most recent Trickbot campaigns are already using new command-and-control channels, which shows the threat actors are actively adapting their campaigns."
blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
threatpost.com/emotet-returns-in-malspam-attacks-dropping-trickbot-qakbot/157604/
threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/154508/
threatpost.com/necurs-botnet-in-crosshairs-of-global-takedown-offensive/153607/
threatpost.com/trickbot-custom-stealthy-backdoor/151663/
threatpost.com/trickbot-switches-to-a-new-windows-10-uac-bypass-to-evade-detection/152477/
www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/