The Trickbot malware operation is on the brink of completely shutting down following efforts from an alliance of cybersecurity and hosting providers targeting the botnet’s command and control servers.
Initial disruption actions seemed to leave the botnet unfazed, as its operators were able to rebuild the infrastructure and the network of infected computers.
Although the battle is not over yet, the latest score in the fight against Trickbot clearly shows that the work of the coalition headed by Microsoft’s Digital Crimes Unit (DCU) has had a serious impact.
TrickBot faces coordinated takedown operation
On October 12, Microsoft and its partners announced that they had taken down some Trickbot C2s.
This was possible after the U.S. District Court for the Eastern District of Virginia granted a request to take down 19 IP addresses in the U.S. that Trickbot used to control infected computers.
The partnership includes ESET, Lumen’s Black Lotus Labs, NTT Ltd, Broadcom’s Symantec enterprise business, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Microsoft Defender team.
Before this, the U.S. Cyber Command reportedly tried to cripple the botnet ahead of the presidential elections by pushing a configuration file to infected computers that cut them off from the controlling servers.
The partners knew right off the bat that this initial salvo would not bring down Trickbot and described it as an ongoing disruption effort with no guarantee of completely taking down the botnet.
Last week, cybersecurity company Intel 471 saw that Trickbot continued to infect new computers, helped by its long-time partner, Emotet, which also spreads QBot.
“The Emotet bots reached out to their controllers and received commands to download and execute Trickbot on victim machines. The Trickbot group tag that Intel 471 identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more” – Intel 471
A bounce back was expected
Researchers at Lumen’s Black Lotus Labs told BleepingComputer that Trickbot administrators constantly rotate the C2 IP addresses and change the infected hosts, making disruption efforts a serious challenge.
They also use different servers to communicate with the bots and to deliver plugins dedicated to specific tasks (stealing passwords, stealing traffic, propagating the malware).
Intel 471 notes that Trickbot administrators last week updated the plugin server configuration file with 15 new IPs. They kept two older addresses along with the server’s .onion domain, reachable through the Tor anonymity network.
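The rotation described above lends itself to a simple defender-side workflow: diff consecutive snapshots of a C2 address list to see what the operators added, kept and dropped, then run the combined watchlist over egress logs (a dropped address is still worth watching, since bots with a stale configuration will keep calling it). The Python below is an added example, not code from the article, Intel 471 or Black Lotus Labs; every IP address, .onion name and log line in it is a constructed placeholder, and the one-indicator-per-line config format and the proxy log format it parses are assumptions.

```python
"""Diff two snapshots of a C2 list and scan log lines against the union.

Added example; all indicators and log lines are constructed placeholders
(TEST-NET ranges and made-up .onion names), not real Trickbot infrastructure.
"""
import ipaddress
import re
from dataclasses import dataclass

# v2/v3 onion names: 16 or 56 chars of base32, case-insensitive
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)

# assumed log shape: "<timestamp> <src_ip> -> <dst_host>[:<port>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+)(?::(?P<port>\d+))?")


@dataclass
class C2Diff:
    added: set       # hosts present only in the newer snapshot
    retained: set    # hosts present in both
    removed: set     # hosts present only in the older snapshot


def parse_c2_list(text):
    """Parse one-indicator-per-line text (assumed format) into a set of hosts.

    Accepts IPv4 addresses with an optional :port, and .onion names.
    Blank lines and '#' comments are ignored; anything else raises ValueError
    so a malformed feed is noticed rather than silently dropped.
    """
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ONION_RE.fullmatch(line):
            hosts.add(line.lower())
            continue
        host = line.split(":", 1)[0]      # strip an optional :port
        ipaddress.IPv4Address(host)       # raises ValueError on junk
        hosts.add(host)
    return hosts


def diff_c2_config(old_text, new_text):
    """Return which hosts were rotated in, kept, or dropped between snapshots."""
    old, new = parse_c2_list(old_text), parse_c2_list(new_text)
    return C2Diff(added=new - old, retained=new & old, removed=old - new)


def build_watchlist(*snapshots):
    """Union of every snapshot: stale bots may still beacon to dropped hosts."""
    watch = set()
    for text in snapshots:
        watch |= parse_c2_list(text)
    return watch


def scan_logs(lines, watchlist):
    """Return (ts, src, dst, reason) for each log line whose destination is a
    watchlisted host, or any .onion name (a Tor fallback channel)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        dst = m.group("dst").lower()
        if dst in watchlist:
            hits.append((m.group("ts"), m.group("src"), dst, "known C2"))
        elif ONION_RE.fullmatch(dst):
            hits.append((m.group("ts"), m.group("src"), dst, "onion destination"))
    return hits


# Constructed snapshots standing in for two versions of a plugin-server list.
OLD_CONFIG = """
# constructed snapshot: before rotation
198.51.100.10:443
198.51.100.11:443
203.0.113.7:449
abcdefghijklmnop.onion
"""

NEW_CONFIG = """
# constructed snapshot: after rotation
198.51.100.10:443          # kept
203.0.113.7:449            # kept
203.0.113.20:443           # new
203.0.113.21:443           # new
abcdefghijklmnop.onion     # kept
"""

# Constructed log lines in the assumed "<ts> <src> -> <dst>[:port]" shape.
SAMPLE_LOGS = [
    "2020-10-20T09:00:01Z 10.0.0.5 -> 203.0.113.21:443",
    "2020-10-20T09:00:05Z 10.0.0.5 -> 192.0.2.1:443",
    "2020-10-20T09:01:10Z 10.0.0.8 -> abcdefghijklmnop.onion:443",
    "2020-10-20T09:02:00Z 10.0.0.8 -> 198.51.100.11:443",
    "not a log line",
    "2020-10-20T09:03:00Z 10.0.0.9 -> zzzzzzzzzzzzzzzzzz.onion:80",
]

if __name__ == "__main__":
    d = diff_c2_config(OLD_CONFIG, NEW_CONFIG)
    print("added:", sorted(d.added))
    print("retained:", sorted(d.retained))
    print("removed:", sorted(d.removed))
    for hit in scan_logs(SAMPLE_LOGS, build_watchlist(OLD_CONFIG, NEW_CONFIG)):
        print("HIT", *hit)
```

The watchlist deliberately keeps the dropped `198.51.100.11` so that the fourth sample line is still flagged; the last line shows the separate `.onion` branch firing on a name that is on no list at all, which is the cheap generic check to run when an operator falls back to Tor.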
Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint, told BleepingComputer that Trickbot campaigns had switched to new C2 channels. She added that the initial actions against the botnet did not cause “a direct noticeable change in malicious email disruption leveraging Trickbot.”
The tables are turning
In a blog post today, Microsoft provides an update on the Trickbot disruption operation, saying that, together with its partners across the world, it has worked to disable 94% of Trickbot’s critical infrastructure.
“As of October 18, we’ve worked with partners around the world to eliminate 94% of Trickbot’s critical operational infrastructure including both the command-and-control servers in use at the time our action began and new infrastructure Trickbot has attempted to bring online” – Microsoft
Microsoft says that, as of October 18, 120 of the 128 Trickbot servers identified worldwide had been taken down since the beginning of the operation.
Trickbot’s core infrastructure includes internet-of-things (IoT) devices for controlling the botnet. Microsoft and its partners identified seven of them, all in the process of being disabled.
This success does not mean the fight is coming to an end. Trickbot’s unique architecture requires constant action against it to minimize the chances of resurrection.
These efforts will continue until at least November 3, the day of the U.S. Presidential election, aided by new court orders to take down freshly activated servers in the country.
“As we continue to cut off these new servers, our partners are also working to clean and remediate the compromised IoT devices, especially routers, that the Trickbot operators are using as non-traditional command-and-control infrastructure” – Microsoft
Because Trickbot hosts command and control servers on customer and business routers, Microsoft is working with internet service providers (ISPs) to help fix the devices without interrupting legitimate traffic.
For the time being, Trickbot administrators are busy setting up new infrastructure, which takes time and reduces the frequency of fresh attacks.
Microsoft says that it was able to identify new servers and go through the legal channels to disable them in less than three hours. In one case, a hosting provider took down a Trickbot server within six minutes of receiving the notification about the illegal activity.
In a Trickbot malware sample distributed on October 19, Intel 471 identified 16 new C2 botnet servers dispersed globally, none of them currently responding to requests from infected systems.
Tough to kill
Some Trickbot servers are still active in Brazil, Colombia, Indonesia, and Kyrgyzstan, Intel 471 says. Furthermore, the botnet’s administrators still have partners willing to spread their malware.
Even if these efforts do not cause Trickbot to dwindle into extinction, the botnet may die on its own; but only because threat actors are moving to BazarLoader, a trojan increasingly used by Trickbot operators to target high-value enterprises and deploy Ryuk ransomware on their networks.
“Prior to the disruption, we had already observed some actors that were previously distributing Trickbot switch to BazaLoader, which has been linked by code similarity to Trickbot” – Sherrod DeGrippo, Proofpoint
DeGrippo also said that Proofpoint has not seen any direct evidence about Trickbot targeting election-related organizations or of its distribution with election-themed messages.