Microsoft and partners went after the botnet using a copyright infringement tactic and hunting down C2 servers.
The TrickBot trojan has been dealt a serious blow thanks to a coordinated action led by Microsoft that disrupted the botnet that spreads it. However, researchers warn that the operators will quickly try to revive their operations.
TrickBot is known for spreading other malware, especially ransomware. Microsoft said this week that the United States District Court for the Eastern District of Virginia granted a request for a court order to halt TrickBot’s operations, which it carried out in concert with other firms, including ESET, Lumen’s Black Lotus Labs, NTT Ltd., Symantec and others.
“We disrupted TrickBot through a court order we obtained, as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, corporate vice president, Customer Security & Trust, at Microsoft, in a Monday posting. “We have now cut off key infrastructure so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
TrickBot is a well-known and sophisticated trojan, first developed in 2016 as banking malware, with a history of transforming itself and adding new features to evade detection. Moving far beyond its banking roots, it has developed over the years into a full-fledged, module-based crimeware solution typically aimed at attacking corporations and public infrastructure.
Users infected with the TrickBot trojan will see their device become part of a botnet that can allow attackers to gain complete control of the device. Typical consequences of TrickBot infections are bank account takeover, high-value wire fraud and ransomware attacks. It’s often seen working in concert with Emotet, another concerning and widespread trojan that’s known for its modular design.
“What makes [TrickBot] so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model,” Burt said. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, TrickBot has also infected a number of Internet of Things devices, such as routers, which has extended TrickBot’s reach into households and organizations.”
TrickBot has infected more than 1 million computing devices around the world since late 2016, according to Microsoft.
Microsoft and partners were able to thwart TrickBot’s mechanisms to evade detection and uncover its command-and-control (C2) infrastructure, including the location of its servers.
ESET, for example, said that it analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different TrickBot modules, which gave the team a window into the C2 setup.
According to ESET, one of the keys to the investigation was the fact that TrickBot’s modular architecture uses a variety of plugins to perform its vast array of malicious actions.
“One of the oldest plugins developed for the platform allows TrickBot to use web injects, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites,” according to the post. “To operate, this plugin relies on configuration files downloaded by the main module. These contain information about which websites should be modified and how.”
These decrypted configuration files contain targeted URLs and the malicious C2 URLs the bot should contact when a victim accesses a targeted site.
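The following is an added example, not code from ESET, Microsoft or the article, showing what a defender does with a decrypted inject configuration once it is in hand: extract the C2 hosts to block and hunt for, and work out which of an organisation's own sites the config targets. The JSON layout, the host names and the `bank-*.example` domains are all constructed for illustration; the real TrickBot configuration formats differ, and only the two content types the article names (targeted URLs and the C2 URLs the bot contacts) are modelled.

```python
import fnmatch
import json
from urllib.parse import urlparse

# Constructed sample in a made-up JSON layout. Real TrickBot inject
# configuration files use their own formats; only the content types the
# article names (targeted URLs and the C2 URLs to contact) are modelled.
SAMPLE_CONFIG = json.dumps([
    {"target": "https://online.bank-a.example/login*", "c2": "https://203.0.113.10/inject/a"},
    {"target": "https://*.bank-b.example/account/*",  "c2": "https://203.0.113.10/inject/b"},
    {"target": "https://pay.bank-c.example/*",        "c2": "https://inject.c2-example.test/x"},
])


def parse_config(text):
    """Return a list of (target_url_pattern, c2_url) pairs from decrypted config text."""
    return [(entry["target"], entry["c2"]) for entry in json.loads(text)]


def c2_hosts(entries):
    """Unique C2 hosts (names or IPs) to block and to hunt for in proxy/DNS logs."""
    return sorted({urlparse(c2).hostname for _, c2 in entries})


def _pattern_domain(target_pattern):
    """Host part of a target pattern with a leading '*.' wildcard stripped."""
    host = urlparse(target_pattern).hostname or ""
    return host[2:] if host.startswith("*.") else host


def targets_for_org(entries, org_domains):
    """Map each of an organisation's domains to the inject patterns that cover it."""
    result = {d: [] for d in org_domains}
    for target, _ in entries:
        host = _pattern_domain(target)
        for d in org_domains:
            if host == d or host.endswith("." + d):
                result[d].append(target)
    return result


def is_visit_targeted(url, entries):
    """Would a victim visiting `url` trigger an inject under this config?"""
    return any(fnmatch.fnmatchcase(url, target) for target, _ in entries)


if __name__ == "__main__":
    entries = parse_config(SAMPLE_CONFIG)
    print("C2 hosts to block:", c2_hosts(entries))
    print("Coverage of our domains:", targets_for_org(entries, ["bank-b.example"]))
    print("Login page targeted:",
          is_visit_targeted("https://online.bank-a.example/login?x=1", entries))
```

The C2 host list is the piece that feeds blocking and log hunting; `targets_for_org` answers the question a financial institution asks first when a new config is decrypted, namely whether any of its own pages are on the list.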
“As we observed the infected computers connect to and receive instructions from command-and-control servers, we were able to identify the precise IP addresses of those servers,” Microsoft’s Burt explained. “With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command-and-control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers.”
This is a different approach from the one used in the takedown of the Necurs peer-to-peer botnet, which Microsoft led in March. The firm worked with technical and legal partners in 35 countries to disrupt that malware.
“By analyzing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6+ million unique domains that would be created within the next 25 months,” said Nozomi Networks co-founder Andrea Carcano, via email. “Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure.”
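To make the Necurs approach concrete, here is an added example that is not part of the article and is not Necurs's algorithm: a toy, date-seeded domain generation algorithm (DGA) standing in for the real one. Once a DGA and its seed have been recovered by reverse engineering, a defender can pre-compute every domain the malware will try over a future window, hand that list to registries for pre-emptive blocking or sinkholing, and match resolver logs against it to find infected hosts. The hashing scheme, seed, TLD list and DNS log lines below are all constructed.

```python
import hashlib
from datetime import date, timedelta

# Everything here is constructed for illustration; it is not Necurs's
# algorithm, seed or domain list.
SEED = b"illustrative-seed-not-from-any-real-malware"
TLDS = ("com", "net", "biz")
DOMAINS_PER_DAY = 4


def _as_date(day):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def dga(day, index):
    """Hypothetical date-seeded DGA: the index-th domain the bot tries on `day`."""
    d = _as_date(day)
    material = SEED + d.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).hexdigest()
    label = digest[:12]                          # hex chars are valid DNS label chars
    tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
    return f"{label}.{tld}"


def predict_domains(start, days):
    """Pre-compute every domain the DGA will try from `start` for `days` days."""
    first = _as_date(start)
    return {
        dga(first + timedelta(days=offset), i)
        for offset in range(days)
        for i in range(DOMAINS_PER_DAY)
    }


def flag_dga_lookups(dns_log_lines, predicted):
    """Return (timestamp, client, qname) for DNS queries that hit a predicted domain."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                             # skip malformed lines
        ts, client = parts[0], parts[1]
        qname = parts[2].rstrip(".").lower()     # normalise trailing dot and case
        if qname in predicted:
            hits.append((ts, client, qname))
    return hits


# Constructed resolver log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = [
    "2020-10-12T09:00:01Z 10.0.0.5 www.example.com.",
    f"2020-10-12T09:00:02Z 10.0.0.7 {dga('2020-10-12', 1)}.",
    "malformed line",
    f"2020-10-12T09:00:03Z 10.0.0.7 {dga('2020-10-12', 3).upper()}",
]

if __name__ == "__main__":
    window = predict_domains("2020-10-01", 60)   # extend `days` to ~760 for 25 months
    for hit in flag_dga_lookups(SAMPLE_DNS_LOG, window):
        print("DGA lookup:", hit)
```

The same pre-computed set serves both halves of the Necurs tactic the article describes: the registrar-side block (the set is the list of domains to deny) and the network-side detection (any client resolving a member of the set is worth investigating).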
Interestingly, Microsoft’s request for legal approval hinged on a copyright claim against TrickBot’s malicious use of its software code. It’s the first time the computing giant has used this approach, Burt said, adding that the tactic “allowed us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”
He added that because TrickBot retains its focus on online banking websites, and stealing funds from people and financial institutions, the Financial Services Information Sharing and Analysis Center (FS-ISAC) was a co-plaintiff in the legal action.
“While botnet operators are using every trick in the book to expand their malicious activity, defenders for obvious reasons have to comply with the law when implementing the countermeasures,” said Carcano. “But as Microsoft’s actions show, this doesn’t mean that you cannot be creative with the technical and non-technical tools available. The beauty of this latest approach is that while defenders have to suffer the asymmetry of attackers operating behind the limits of the law, by taking the case to court, Microsoft gained a legal advantage to regain control.”
TrickBot may be disrupted for now, but researchers pointed out that the operators have other projects going on.
“One of these projects is the so-called Anchor project, a platform mostly geared towards espionage rather than crimeware,” according to ESET. “They are also likely involved in the development of the Bazar malware — a loader and backdoor used to deploy malware, such as ransomware, and to steal sensitive data from compromised systems.”
“Prior to the disruption, we had already observed some actors that were previously distributing TrickBot switch to BazaLoader, which has been linked by code similarity to TrickBot,” said Sherrod DeGrippo, senior director of threat research at Proofpoint, via email.
TrickBot itself will likely re-emerge, according to Burt.
“We fully anticipate TrickBot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them,” he said.
DeGrippo went further and noted that the takedown’s efficacy remains to be seen.
“Typically, these types of actions don’t result in a direct reduction of threat activity,” the researcher noted. “Threat actors will often replace the lost infrastructure quickly and easily out of a different country so we will need to wait and see what the direct impact will be…We believe it’s unlikely we’ll see any immediate significant changes in Trickbot email delivery volumes…The most recent Trickbot campaigns are already using new command-and-control channels, which shows the threat actors are actively adapting their campaigns.”