Microsoft, alongside a coalition comprising FS-ISAC, ESET, Lumen Black Lotus Labs, NTT and Symantec, has succeeded in disrupting the infamous Trickbot botnet, one of the primary vectors of ransomware distribution worldwide.
The coordinated effort was made possible by a court order obtained by Microsoft in the US, alongside technical actions taken in partnership with telecoms operators around the world. As a result, key infrastructure used by the operators of Trickbot has now been cut off, so the botnet can no longer be used to initiate new infections or activate ransomware that has already been dropped.
Tom Burt, Microsoft CVP of customer security and trust, said Trickbot had infected an estimated one million devices worldwide in its lifetime, and although the exact identity of its operators remains unknown, it was likely that they serve multiple paymasters, including national governments and cyber criminal actors.
“In the course of Microsoft’s investigation into Trickbot, we analysed approximately 61,000 samples of Trickbot malware,” said Burt in a disclosure blog. “What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model.
“Its operators could provide their customers with access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of internet of things [IoT] devices, such as routers, which has extended Trickbot’s reach into households and organisations.
“In addition to maintaining modular capabilities for a variety of end purposes, the operators have proven adept at changing techniques based on developments in society. Trickbot’s spam and spear phishing campaigns, used to distribute malware, have included topics such as Black Lives Matter and Covid-19, enticing people to click on malicious documents or links. Based on the data we see through Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using Covid-19-themed lures.”
Trickbot first popped up in 2016 as a successor to the Dyre banking trojan, designed to steal banking credentials. Over a four-year period, its operators built themselves a substantial botnet, and the original malware evolved into a modular malware that was made available as-a-service to cyber criminals, who were given access to the botnet to use as an entry point to install recon tools such as PowerShell Empire, Metasploit and Cobalt Strike. These were then used to steal credentials, exfiltrate data and deploy additional payloads, most notably the Ryuk ransomware.
It was most often delivered in malicious email campaigns using current events and financial lures to trick its targets into clicking links or opening attachments – usually Excel or Word documents containing malicious macros. Campaigns were observed in multiple verticals and all over the world, with the operators often reusing previously compromised email accounts from earlier campaigns. It was also deployed through lateral movement over Server Message Block (SMB), or as the second-stage payload of an Emotet attack.
Jean-Ian Boutin, head of threat research at ESET, said: “Over the years we’ve tracked it, Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets out there. Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally.
“Trying to disrupt this elusive threat is very challenging as it has various fallback mechanisms, and its interconnection with other highly active cyber criminal actors in the underground makes the overall operation extremely complex.”
Microsoft said that during its investigation, it had identified new operational details about the infrastructure that Trickbot used to communicate with and control its victims’ computers, how the computers talked to one another, and the mechanisms it deployed to evade detection and stop security teams from disrupting it.
It also uncovered the precise IP addresses of Trickbot’s servers, which proved to be crucial information in securing the court order that allowed Microsoft and its partners to disable them, put the content stored on the command and control (C2) servers beyond use, suspend services to the operators of Trickbot, and block any efforts by them to buy or rent new ones.
The case also included copyright claims against Trickbot’s malicious use of Microsoft’s software code, which Burt said was an important step in the fight against malware because Microsoft now has a precedent for taking civil action against cyber criminals in countries that have such laws in place.
“We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them,” said Burt.