A month after Microsoft and the United States government conducted separate operations to disrupt the Trickbot malware network, the botnet’s command-and-control infrastructure appears to have gone completely offline for a short while, but a new spam run in the last 24 hours is now distributing the malware again.
Researchers have been tracking the effects of the takedown efforts for the last several weeks, watching as the malware operators moved to new command-and-control servers and continued to run new infection campaigns. Microsoft’s operation against Trickbot focused primarily on C2 infrastructure located in the U.S., and the company obtained a court order to take over those control servers. But Trickbot’s operators had control servers in Europe and the Caribbean, too, and continued to use those after the Microsoft operation and a distinct effort by U.S. Cyber Command, which targeted the configuration files used to give new instructions to compromised computers.
The Trickbot operators have conducted new spam campaigns in recent weeks aimed at infecting new machines, using the Emotet trojan as the most common infection vector. However, the last week had seen a drop-off in Trickbot activity, and researchers at security firm Intel 471 said they had seen no new Trickbot C2 servers come online in that time.
“We observed the number of active and working Trickbot control servers being reduced over time until Nov. 5, when we were unable to identify any working Trickbot control servers as of Nov. 6,” the company said in a new research report.
However, that does not mean that the Trickbot operators have stopped their activities altogether. Researchers who track Trickbot spam activity have also reported renewed spam campaigns spreading Trickbot-laden malicious documents in the last day. Marcus Hutchins, a malware researcher at Kryptos Logic, said Tuesday the operators appear to have modified the configuration files to evade detection.
"TrickBot is back active again. They made changes to how the config works, but doubt it’s going to provide any resilience against competent analysts," he said on Twitter.
Intel 471 confirmed this, too.
"On Nov. 9, 2020, we did see a new version of Trickbot that was distributed via a spam campaign (gtag tar2)," the company said Tuesday.
Trickbot has been part of an infection chain involving Emotet and the nasty Ryuk ransomware for nearly two years, with cybercrime groups buying access to Trickbot-infected machines in order to install Ryuk. Ryuk is used by a number of individual attack groups and it has been blamed for ransomware incidents at several hospitals and health care facilities in recent weeks. In late October, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory on increased ransomware activity, specifically from Ryuk.
“In these recent Ryuk attacks, incident responders have reported that instead of seeing Trickbot as the initial infection, they saw a different malware known as BazarLoader aka KEGTAP. BazarLoader is linked to the Trickbot operators in many ways, including shared infrastructure and code similarities,” the Intel 471 report says.
“This indicates the actors linked to Trickbot continue to launch targeted ransomware attacks successfully despite the disruption of Trickbot malware infrastructure. It was unclear whether the Trickbot operators will return to using Trickbot or will completely move to using BazarLoader as a replacement.”