We recently talked about a massive operation aimed at eliminating one of the largest botnets of our day, TrickBot, in which law enforcement, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec took part.
Even then, many experts wrote that although Microsoft had initially managed to disable the TrickBot infrastructure, the botnet would most likely "survive", and its operators would eventually bring new control servers online and continue their activity.
Also I just looked and they pushed a new server list with 100% working servers.
– MalwareTech (@MalwareTechBlog) October 20, 2020
Microsoft representatives have now published a new statement, which largely confirms the experts' predictions and describes the second wave of actions aimed at eliminating TrickBot. The company reports that, thanks to the efforts of its specialists, over the past week the malware has lost 94% of its control servers (120 out of 128), including new ones that were put into operation after the operation began.
One of the company's vice presidents, Tom Burt, said that during this time, Microsoft shut down 62 of the 69 original TrickBot C&C servers, as well as 58 of the 59 servers the hackers tried to bring back into service after the operation began.
The seven servers that the specialists failed to eliminate are mainly Internet of Things (IoT) devices. These devices could not be taken offline because they are not under the control of hosting companies or data centers, and it was not possible to contact their owners. Experts write that they are already coordinating with local Internet providers and working on this problem.
In the new message, Burt expressed his gratitude to Microsoft engineers, as well as to the company's lawyers, who quickly obtained new court orders that allowed the botnet servers to be eliminated in a matter of days. Recall that the whole operation was made possible precisely because Microsoft representatives went to court to demand that control over the identified TrickBot servers be transferred to the company.
However, the botnet is currently still "alive", although significantly weakened. According to Intel 471, the remaining TrickBot C&C servers are located in Brazil, Colombia, Indonesia and Kyrgyzstan. At the same time, Microsoft says it will permanently shut down the TrickBot infrastructure before the US presidential election on November 3, 2020. Experts say they are trying to prevent TrickBot operators from renting out access to infected devices to other hacking groups, as has happened in the past.
Interestingly, this large-scale takedown attempt did not seem to bother the TrickBot operators themselves, who in the last week have not only been rebuilding their infrastructure, but have also tried to add to their list of victims with the help of the partner botnet Emotet.