Trickbot botnet disrupted by Microsoft and alliance of tech companies

Microsoft says it, and several tech companies, have at least temporarily taken down the Trickbot botnet, a Russian-based network of devices that has infected more than a million computers since 2016 and is behind scores of ransomware attacks.

“We disrupted Trickbot through a [U.S.] court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Microsoft said in a statement Monday. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Other tech companies involved in the effort included ESETLumen’s Black Lotus LabsNTT and Symantec. Also involved was the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Microsoft says these moves represent a legal approach that its Digital Crimes Unit is using for the first time to get the court order: Copyright claims against Trickbot’s malicious use of its software code. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”

Criminals being well-funded and with the ability to find other systems to host their malware, it isn’t clear how long Trickbot will be out of commission. In fact, Microsoft took care to say it has “disrupted” the botnet. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Microsoft acknowledged, adding, “we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”

Cyber criminals are tenacious. The re-birth of the Emotet botnet in 2019 is a recent example. It was down for four months after its command and control (C&C) servers had been shut down — either by law enforcement or a security researcher. But operators may have shut it down to rebuild the infrastructure.

UPDATE: ZDNet reports that the Trickbot operators have replaced the seized domains and command and control servers with new infrastructure.

In a statement, ESET said that over the years Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets. “Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” said Jean-Ian Boutin, the company’s head of threat research.

“Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.”

What makes Trickbot so dangerous, says Microsoft, is its modular capabilities that constantly evolve, infecting victims through a “malware-as-a-service” model. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.”

Trickbot’s operators can also quickly tailor its spam and spear-phishing campaigns. Recent messaging topics have included Black Lives Matter and COVID-19. Microsoft believes Trickbot has been the most prolific malware operation using COVID-19 themed lures.

Trickbot is also known to deliver the Ryuk crypto-ransomware.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now