Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces and announced last week a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
Even if Microsoft and its partners have brought down the TrickBot infrastructure TrickBot operators attempted to resume the operations by setting up new command and control (C&C) servers online.
Microsoft provided an update on its takedown efforts and announced a new wave of takedown actions against TrickBot.
According to the IT giant, the operation conducted last week has taken down 94% of the servers composing the Trickbot infrastructure. Trickbot enables ransomware attacks which have been identified as one of the biggest threats to the upcoming U.S. elections.
“We initially identified 69 servers around the world that were core to Trickbot’s operations, and we disabled 62 of them. The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled. As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure.” said Tom Burt, CVP of Customer Security and Trust at Microsoft. “We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world.”
Microsoft has taken down 120 of the 128 servers that were composing the Trickbot infrastructure.
Microsoft announced to have taken down 62 of the original 69 TrickBot C&C servers, seven servers that could not be brought down last week were Internet of Things (IoT) devices.
Microsoft also revealed that operators tried to resume the operations, The company brought down 58 of the 59 servers the operators attempted to bring online after the recent takedown.
Burt praised the role of Microsoft’s lawyers who quickly requested new court orders to take down the new servers set up by the Trickbot operators in response to the takedown.
“We have identified new Trickbot servers, located their respective hosting provider, determined the proper legal methodology to take action, and completely disabled those servers in less than three hours. Our global coordination has allowed a provider to take quick action as soon as we notify them – in one case, in less than six minutes.” continues the expert. “What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help.”
Currently, a few Trickbot C2 servers are still active and operators are using them to control the botnet. Researchers from cyber-security firm Intel 471 reported that these servers are based in Brazil, Colombia, Indonesia, and Kyrgyzstan, and that they still are able to respond to Trickbot bot requests.
“This small number of working control servers was not listed in the most recent distributed Trickbot sample.” states Intel 471.
Burt pointed out that TrickBot operators are working to restore their infrastructure instead of conducting new attacks.
“We fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our partners will continue to monitor them and take action.” Microsoft concludes. “We encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline.”
(SecurityAffairs – hacking, botnet)