TrickBot Takes a Break, Leaving Researchers Scratching Their Heads

The group behind the TrickBot malware is back after an unusually long lull between campaigns, according to researchers — but it’s now operating with diminished activity. They concluded that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.

A report from Intel 471 published on Thursday flagged a “strange” period of relative inactivity, where “from December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new TrickBot campaigns.”

Before the lull, an incident last November indicated that the TrickBot botnet was used to distribute Emotet – indicating that the collaboration with the group behind the Emotet malware is ongoing. Intel 471 also tied in a third group – the operators of the Bazar malware family – whose controllers were found “pushing commands to download and execute TrickBot (mid-2021) and Emotet (November 2021).”

The report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers speculated that, this time around, “it’s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet.”

TrickBot’s ‘Turbulent’ Recent History

TrickBot was originally deployed as a banking trojan, in 2016. In the time since, it’s developed into a full-suite malware ecosystem, replete with tools for spying and stealing data, port scanning, anti-debugging – crashing researchers’ browsers before they have a chance to identify its presence – identifying and wiping firmware, and much more.

TrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a U.S. court order that allowed it to seize servers from the group behind the malware. Last year, multiple members of that group were arrested and handed charges carrying potentially years-long prison sentences. Despite these efforts, TrickBot remained active.

Until late last December, that is, when new attacks ground to a halt. According to the report, Trickbot’s most recent campaign “came on December 28, 2021. That was one of three malware campaigns that were active during the month. As a contrast, eight different [campaigns] were discovered in November 2021.”

“While there have been lulls from time-to-time,” the report noted, “this long of a break can be considered unusual.”

The decline in activity continues as well: TrickBot’s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, “have gone untouched for long periods of time,” researchers said.

Tellingly, these files “were once updated frequently, but are receiving fewer and fewer updates,” researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding “additional plugins, web injects and additional configurations to bots in the botnet.”

The researchers have now concluded with high confidence that “this break is partially due to a big shift from TrickBot’s operators, including working with the operators of Emotet.”

An Old Alliance

As noted, the collaboration with Emotet (and Bazar Loader, for that matter) is not new. But researchers told Threatpost that the nature of the relationship could be evolving.

“It’s difficult to say what could result from the collaboration,” wrote Hank Schless, senior manager for security solutions at Lookout, via email. “We do know that Emotet recently began testing how it could install Cobalt Strike beacons on previously infected devices, so maybe they could combine functionality with TrickBot.” Cobalt Strike is a penetration testing tool used by cyber-analysts and attackers alike.

“In the security industry, knowledge-sharing is how we discover some of the most nefarious threats,” he noted. “However, on the flip side of the coin you have threat actors who are doing the same thing … they share their malware on Dark Web forums and other platforms in ways that help the entire community advance their tactics.”

Sometimes, cybercrime gangs have “partnerships or business relationships much like those that happen in conventional business,” John Bambenek, principal threat hunter at Netenrich, told Threatpost via email. “In this case, it looks like the crew behind TrickBot decided it was easier to ‘buy’ than ‘build.'”

Some think the malware may be on its way out. After all, TrickBot is now five years old: a lifetime in cybersecurity terms. “Perhaps,” Intel 471 researchers wrote, “a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.”****We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.