Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joint the forces and announced today a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
The experts that participated in the takedown have supported the investigation into TrickBot’s backend infrastructure for several months.
“Through our monitoring of Trickbot campaigns, we collected tens of thousands of different configuration files, allowing us to know which websites were targeted by Trickbot’s operators. The targeted URLs mostly belong to financial institutions,” Jean-Ian Boutin, Head of Threat Research at ESET.
“Trying to disrupt this elusive threat is very challenging as it has various fallback mechanisms, and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex.”
The security firms have collected more than 125,000 TrickBot malware samples and mapped the command and control infrastructure. The TrickBot botnet was considered by security experts one of the biggest botnets.
Internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world also supported the operation by notifying all infected users.
The information gathered by the security firm was used by Microsoft to receive a warrant to takedown the TrickBot servers.
“We took today’s action after the United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.” reads the post published by Microsoft.
“With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers,”
This is the second-ever major botnet takedown operation this year, after Necurs one in March.
Microsoft pointed out that this takedown represents a new legal approach that its DCU used for the first time, it includes copyright claims against Trickbot’s operators that have illegally used the software code of the IT giant. Microsoft has chosen this approach to take civil action against botnet operators and protect its customers across the world.
According to the security firms that took part in the operation, the TrickBot botnet had infected more than one million devices at the time of its takedown.
Trickbot has been active since 2016, at the time the authors of the author designed it to steal banking credentials. Over the years, the threat evolved and its operators implemented a modular structure that allowed them to offer the threat as malware-as-a-service. The Trickbot infrastructure was used by crooks to compromise systems and carry out human-operated campaigns, notably its use for the deployment of the Ryuk ransomware.
The malware first started out in 2016 as a banking trojan before shifting into a multi-purpose malware downloader that infected systems and provided access to other criminal groups using a business model known as MaaS (Malware-as-a-Service).
The TrickBot operators also deployed banking trojans and info-stealer trojans and were providing access to corporate networks for crooks focused on scams and cyber espionage.
“The action against Trickbot is one of the ways in which Microsoft provide real-world protection against threats. This action will result in protection for a wide range of organizations, including financial services institutions, government, healthcare, and other verticals from malware and human-operated campaigns delivered via the Trickbot infrastructure.” concludes Microsoft.
(SecurityAffairs – hacking, Trickbot)