Microsoft & Others Thwart Cybercriminals by Taking Down TrickBot Botnet
Table of Contents
- By Dawna M. Roberts
- Published: Oct 14, 2020
- Last Updated: Mar 18, 2022
In a joint effort, Microsoft, along with government agencies and some big-name tech firms, took down the network (botnet) that served as a conduit for the notorious TrickBot, effectively thwarting cybercriminals at least for now.
The collaboration included Microsoft, ESET, Lumen’s Black Lotus Labs, the Financial Services Information Sharing and Analysis Center (FS-ISC), Broadcom’s Symantec, NTT, and the U.S. District Court for the Eastern District of Virginia. The team of heavy hitters dismantled TrickBot servers and backend infrastructure at least temporarily crippling cybercriminals who use the network for ransomware and fraud.
What is TrickBot Botnet?
TrickBot is the name of a trojan that appeared on the scene in 2016 as banking malware. What makes TrickBot unique is that it is highly sophisticated software that transforms itself and evades detection. It is notorious among criminals and thieves who use it for all different types of malware to defraud the public and big corporations.
Once a device is infected with TrickBot, that device becomes a part of the Botnet network, with bad actors taking control of the device and using it as part of their scheme to ensnare others. Some of the more serious infections result in bank account takeover, ransomware attacks, and other forms of fraud. Hackers often use TrickBot in conjunction with Emotet, another dangerous and widespread trojan.
The most alarming aspect of these types of malware is they are modular in design and act as a “malware-as-a-service.” Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, said “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, TrickBot has also infected a number of Internet of Things devices, such as routers, which has extended TrickBot’s reach into households and organizations.”
So far, TrickBot has infected more than 1 million devices worldwide since 2016.
Protecting The U.S. Presidential Election
The reason for this major partnership to dismantle TrickBot is the U.S. Presidential election and the uptick in malware and ransomware attacks aimed at affecting the outcome.
The U.S. government has been warning Americans about a rash of hacker attacks targeting the presidential election. Specifically, the U.S. Cybersecurity and Infrastructure Security Agency mentioned a possible Emotet ransomware attack, and the FBI talks about distributed-denial-of-service attacks with these same purposes in mind. The public is reminded to be wary of suspicious emails that mention the election or the voting process.
How TrickBot Was Dismantled
Microsoft’s security team identified how the TrickBot botnet operated and how infected devices communicated back and forth. Armed with this information, Microsoft was able to identify specific IP addresses of the servers that made up the network. Burt commented that “With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators and block any effort by the Trickbot operators to purchase or lease additional servers.”
Security firm ESET was looped in and examined more than 125,000 malicious samples along with 40,000 configuration files to understand how the modular system worked. In their own report of the takedown, ESET added that “One of the oldest plugins developed for the platform allows TrickBot to use web injects, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites.” They elaborated with “To operate, this plugin relies on configuration files downloaded by the main module. These contain information about which websites should be modified and how.”
The Copyright Infringement Connection
Microsoft used a copyright claim for malicious use of its software code when requesting the court order. Burt mentioned that this tactic “allowed us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”
Because TrickBot is widely used to attack banking websites and steal funds from bank accounts, the Financial Services Information Sharing and Analysis Center (FS-ISAC) added their name as co-plaintiff in the legal action.
What Now?
In March, Microsoft led another takedown of the Necurs peer-to-peer network working with tech firms and government agencies in 35 countries. Although the criminals can operate without restriction, those aimed at removing their threat have to follow the law. However, this latest victory over TrickBot illustrates that security professionals can be creative in applying the law to take down these sinister threats and protect the public and corporate America.
Experts advise that although this is a big blow to cybercrime, threat actors are working hard to reestablish their network of resources. They also have other projects underway, such as the Anchor project (a network to commit espionage) and Bazar malware, which has already been seen in operation and compared to TrickBot. Burt once again commented that “We fully anticipate TrickBot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”
So, although taking down TrickBot may not end the war, it’s definitely a win for us this day!
