Microsoft, along with a small cadre of other technology companies and industry groups, took a number of legal and technical actions to disrupt the Trickbot malware infrastructure, including taking control of the command-and-control servers and blocking the operators’ ability to buy or rent new C2 servers.
The botnet takedown is intended not just to prevent the Trickbot operators from distributing the notorious banking trojan but also to disrupt the installation of the Ryuk ransomware, which is often part and parcel of a Trickbot infection. As part of the operation, Microsoft obtained a court order that allowed the company to disable specific IP addresses used in the botnet and make the content stored on the botnet’s C2 servers inaccessible. Microsoft also filed a copyright claim against the Trickbot operators for unauthorized use of the company’s software. Trickbot is infamous for using malicious attachments in phishing emails, often Word or Excel documents with malicious macros.
The takedown operation was a joint effort with contributions from ESET, Symantec, Lumen’s Black Lotus Labs, NTT, and the FS-ISAC, and it comes just three weeks before the presidential election in the United States. The Trickbot botnet and the Ryuk ransomware it often brings with it are closely associated with Russian attackers, and U.S. officials have warned repeatedly that Russian threat actors are seeking to influence and disrupt the election. Though that threat is significant, the vast majority of Trickbot’s activity has been focused on infecting individual systems, stealing banking credentials, and delivering the Ryuk ransomware when possible.
“People are unaware of Trickbot’s activity as the operators have designed it to hide itself. After Trickbot captures login credentials and personal information, operators use that information to access people’s bank accounts. People experience a normal login process and are typically unaware of the underlying surveillance and theft,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said.
“Ryuk is a sophisticated crypto-ransomware because it identifies and encrypts network files and disables Windows System Restore to prevent people from being able to recover from the attack without external backups. Ryuk has been attacking organizations, including municipal governments, state courts, hospitals, nursing homes, enterprises and large universities.”
Security researchers have been tracking Trickbot since 2016, and the operators have used a number of different tactics over the years. The malware most often shows up in phishing emails, typically with subject lines and body content pegged to a current event. Emails carrying Trickbot have used the COVID-19 pandemic as a lure for many months, while other campaigns have used common phishing themes such as invoices or shipping notifications. The malware operators have targeted organizations in many countries, but much of their focus has been on the U.S., and as the attackers have evolved, so have their tactics, moving from mostly banking credential theft to the higher returns of ransomware.
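Because Trickbot’s usual delivery vehicle is a phishing email carrying a Word or Excel attachment with macros, a mail gateway or incident responder’s first triage question is simply whether an attachment contains a VBA project at all. The script below is an added example, not Microsoft’s, ESET’s or any other partner’s code, and it has nothing to do with Trickbot’s own internals. It inspects OOXML packages (.docx/.docm/.xlsx/.xlsm, which are ZIP containers) for the two signals that indicate embedded macros: a `vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type declared in `[Content_Types].xml`. The sample attachments are constructed in memory so the script runs offline; legacy OLE-format .doc/.xls files are only flagged as “not-ooxml” here, since parsing them would need a separate library.

```python
"""Triage Office attachments for embedded VBA macros (added example)."""
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_doc(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML package for testing.

    It is not a complete Word file; it only carries the parts the
    detector looks at, plus a placeholder standing in for a VBA project.
    """
    overrides = (
        '<Override PartName="/word/document.xml" ContentType='
        '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        overrides += (
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real document would hold compiled VBA here.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return buf.getvalue()


def has_vba_macro(data: bytes) -> bool:
    """Return True when an OOXML package carries a VBA project.

    Two independent signals are checked so that renaming the part alone
    does not evade detection: a part named vbaProject.bin anywhere in the
    package, and a content-type override declaring the VBA content type.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return True
    except zipfile.BadZipFile:
        pass
    return False


def triage_attachments(attachments):
    """Classify (filename, bytes) pairs as 'macro', 'clean' or 'not-ooxml'."""
    verdicts = {}
    for filename, data in attachments:
        if not zipfile.is_zipfile(io.BytesIO(data)):
            # Legacy OLE .doc/.xls or a non-Office file; needs a different parser.
            verdicts[filename] = "not-ooxml"
        elif has_vba_macro(data):
            verdicts[filename] = "macro"
        else:
            verdicts[filename] = "clean"
    return verdicts


if __name__ == "__main__":
    # Constructed sample attachments; names chosen to mirror common lures.
    sample = [
        ("invoice.docm", build_sample_doc(with_macro=True)),
        ("report.docx", build_sample_doc(with_macro=False)),
        ("shipping.doc", b"\xd0\xcf\x11\xe0 legacy OLE placeholder"),
    ]
    for name, verdict in triage_attachments(sample).items():
        print(f"{name}: {verdict}")
```

A “macro” verdict is a triage signal, not a malware verdict: plenty of legitimate business documents carry VBA. In practice the flag feeds a policy such as quarantining macro-bearing attachments from external senders, or routing them to sandbox detonation, rather than blocking outright.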
“In these cases, a Trickbot compromise is first leveraged to perform reconnaissance and lateral movement in an organization’s network and then to drop Ryuk ransomware on as many systems as possible. From the data we have collected, it appears that Trickbot’s operators moved from attempting to steal money from bank accounts, to compromising a whole organization with Trickbot and then using it to execute Ryuk and demand a ransom to unlock the affected systems,” an analysis by ESET researchers says.
“We also observed new malware development projects allegedly coming from Trickbot’s operators, which might also explain their sudden disinterest in operating Trickbot as a banking trojan. One of these projects is the so-called Anchor project, a platform mostly geared towards espionage rather than crimeware. They are also likely involved in the development of the Bazar malware — a loader and backdoor used to deploy malware, such as ransomware, and to steal sensitive data from compromised systems.”
The Trickbot takedown is a significant operation, but the malware operators are likely to find new methods for distribution, given how much money is at stake.
“We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them,” Burt said.