Days after the US Government took steps to disrupt the notorious TrickBot botnet, a group of cybersecurity and tech companies has detailed a separate coordinated effort to take down the malware’s back-end infrastructure.
The joint collaboration, which involved Microsoft’s Digital Crimes Unit, Lumen’s Black Lotus Labs, ESET, the Financial Services Information Sharing and Analysis Center (FS-ISAC), NTT, and Broadcom’s Symantec, was undertaken after the US District Court for the Eastern District of Virginia granted their request to halt TrickBot’s operations.
The development comes after the US Cyber Command mounted a campaign to thwart TrickBot’s spread over concerns of ransomware attacks targeting voting systems ahead of the presidential elections next month. Attempts aimed at impeding the botnet were first reported by KrebsOnSecurity early this month.
Microsoft and its partners analyzed over 186,000 TrickBot samples, using them to map the command-and-control (C2) infrastructure the malware uses to communicate with victim machines, identify the IP addresses of the C2 servers, and document the other tactics, techniques, and procedures (TTPs) the operators applied to evade detection.
“With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers,” Microsoft said.
Since its origin as a banking Trojan in late 2016, TrickBot has evolved into a Swiss Army knife capable of pilfering sensitive information, and even dropping ransomware and post-exploitation toolkits on compromised devices, in addition to recruiting them into a family of bots.
“Over the years, TrickBot’s operators were able to build a massive botnet, and the malware evolved into a modular malware available for malware-as-a-service,” Microsoft said.
“The TrickBot infrastructure was made available to cybercriminals who used the botnet as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads, most notably Ryuk ransomware, in target networks.”
TrickBot is typically delivered via phishing campaigns that leverage current events or financial lures to entice users into opening malicious file attachments or clicking links to websites hosting the malware; it has also been deployed as a second-stage payload of another nefarious botnet, Emotet.
The cybercrime operation has infected over a million computers to date.
Microsoft, however, cautioned that it did not expect the latest action to permanently disrupt TrickBot, adding that the cybercriminals behind the botnet will likely make efforts to revive their operations.
According to Swiss-based Feodo Tracker, eight TrickBot control servers, some of which were first seen last week, are still online after the takedown.