The Avengers of Security Teamed Up to Try and Take Down the TrickBot Botnet

The backend infrastructure of the TrickBot botnet has been disabled thanks to the work of Microsoft and a coalition of security firms and telecoms.

The software giant’s Defender team worked together with FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s cybersecurity division Symantec to accomplish the feat, which took months of preparation.

First spotted in 2016, TrickBot was initially a banking trojan and a successor to Dyre, before it evolved to carry out a number of other malicious actions, including spreading laterally through a network, stealing credentials saved in browsers, stealing cookies and infecting Linux machines.

The malware is usually delivered via email campaigns that leverage current events or financial lures to trick users into opening malicious file attachments or links to websites hosting malicious files. After infecting a system with TrickBot, cybercriminals then used it to install reconnaissance tools such as PowerShell Empire, Metasploit and Cobalt Strike to steal credentials and network configuration information.

Taking down TrickBot

In order to take down the TrickBot botnet, Microsoft, ESET, Symantec and other partners spent months collecting over 125,000 samples of the malware. They then analyzed these samples and extracted and mapped information about how the malware worked, as well as the servers the botnet used to control infected computers.

After collecting this information on TrickBot’s inner workings, Microsoft then went to the US District Court for the Eastern District of Virginia, where the company asked a judge to grant it control over the botnet’s servers.

Tom Burt, corporate vice president of customer security and trust at Microsoft, provided further insight into how the company used the court’s ruling to disable TrickBot’s backend infrastructure in a blog post, saying:

“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

While TrickBot appears to be out of commission for now, the botnet may return, as other botnets have managed to survive similar takedown attempts in the past. Only time will tell if the efforts of Microsoft and its partners were successful, though even then, another botnet will likely rise up to take TrickBot’s place.