A coalition of technology companies has publicly announced a coordinated effort to dismantle the infrastructure of the TrickBot botnet. Specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, ESET, Lumen, NTT and Symantec took part in the operation against the botnet.
Microsoft, ESET, Symantec and their partners write that they spent many months collecting more than 125,000 TrickBot samples, 40,000 configuration files and at least 28 individual plugins, then analyzing their contents and extracting and mapping information about the malware's internal workings, including the servers the botnet uses to manage infected machines and serve additional modules.
Having collected and structured this information, Microsoft representatives went to court this month asking that control over the TrickBot servers be transferred to the company.
"Based on the evidence presented, the court allowed Microsoft and its partners to deactivate IP addresses, make content stored on control servers inaccessible, cut off botnet operators from all services, and stop any attempts by TrickBot operators to purchase or rent additional servers," the companies' statement said.
Users affected by TrickBot around the world are now being notified of the infection through their Internet providers and regional CERTs.
Bleeping Computer notes that the TrickBot outages actually began in late September 2020, when compromised computers received an update that disconnected them from the botnet by changing the C&C server address to 127.0.0.1 (localhost).
Notably, last week The Washington Post reported that US Cyber Command had also conducted its own operation against TrickBot, in connection with the upcoming presidential elections.
Apparently, that operation was not coordinated with the information security community: The New York Times writes as much, as do ESET's experts, who told Bleeping Computer plainly that the coalition had of course passed the collected information to law enforcement agencies, but that they know of no connection between the two operations. It seems that law enforcement could have used the information received from security researchers without knowing that the researchers had also launched a full-scale campaign against TrickBot.
It is worth mentioning that the US government considers ransomware to be one of the main threats to the 2020 presidential elections, as the operators of such attacks can take voter information and election results "hostage" and thereby affect electoral systems.
However, journalists note that the current dismantling of the botnet infrastructure does not mean its final "death". Attackers typically have fallback mechanisms to keep a botnet afloat and regain control of infected machines. Researchers also say that TrickBot may recover, although its operators have a lot of work to do.
“At the moment it is impossible to know how the Trickbot operators will react. We know that some of the C&C servers used to send commands and update bots have stopped responding. They will have to work hard to regain control of all compromised hosts,” said Jean-Ian Boutin, Head of Threat Research at ESET.
“While the botnet disruption did affect the normal flow of TrickBot infections, the group appears to have been able to quickly recover and adapt by resuming their normal activities,” writes Vitali Kremez, an Advanced Intel expert who has long tracked botnet activity.
Over the past four years, TrickBot has infected more than a million computers worldwide, according to coalition members. Once a common banking Trojan, TrickBot has become a botnet that spreads all kinds of malware. For example, in 2019 the malware was distributed via the Emotet botnet and later delivered Ryuk ransomware to victims' machines.