Representatives of a coalition of technology companies have announced that, in a coordinated effort with government organizations, they have dismantled the TrickBot malware infrastructure.
Microsoft, ESET, Symantec and their partners write that they spent many months collecting more than 125,000 TrickBot samples, 40,000 configuration files and at least 28 individual plugins, then analysed their contents, extracting and mapping information about the malware's inner workings, including the servers the botnet uses to control infected machines and serve additional modules.
Once the information had been collected and structured, Microsoft went to court this month to request that control of the TrickBot servers be transferred to the company.
“Based on the presented evidence, the court allowed Microsoft and its partners to deactivate IP addresses, make content stored on control servers inaccessible, cut off botnet operators from all services, and stop any attempts by TrickBot operators to purchase or rent additional servers,” the company's statement says.
Efforts are now under way to notify TrickBot-affected users around the world of the infection through their Internet providers and regional CERTs.
Bleeping Computer notes that the TrickBot outages actually began in late September 2020, when compromised computers received an update that cut them off from the botnet by changing the C&C server address to 127.0.0.1 (localhost), so that the bots were left trying to contact themselves.
It is worth noting that last week The Washington Post reported that US Cyber Command had also conducted its own operation against TrickBot, in connection with the upcoming presidential elections.
That operation apparently was not coordinated with the security researchers: The New York Times reports as much, and ESET specialists told Bleeping Computer directly that the coalition had, of course, passed the collected information to law enforcement agencies, but that they were not aware of any connection between the two operations.
It seems that law enforcement may have used the information it received from the security researchers without knowing that the researchers were also launching a full-scale campaign against TrickBot.
It is worth mentioning that the US government considers ransomware one of the main threats to the 2020 presidential elections, since operators of such attacks can hold information about voters and election results “hostage” and thereby interfere with electoral systems.
However, journalists note that the current takedown of the botnet's infrastructure does not mean its final “death”.
“Currently it is impossible to know how the Trickbot operators will react. We know that some of the C&C servers used to send commands and update bots have stopped responding. They will have to work hard to regain control of all compromised hosts,” said Jean-Ian Boutin, Head of Threat Research at ESET.
Typically, attackers build fallback mechanisms into a botnet so that it stays afloat and they can regain control of infected machines even after part of the infrastructure is lost. Researchers therefore say that TrickBot may recover, although its operators have a lot of work to do.
“While the botnet disruption did affect the normal flow of TrickBot infections, the group appears to have been able to quickly recover and adapt by resuming their normal activities,” writes Vitali Kremez, an Advanced Intel expert who has long tracked the botnet's activity.
Over the past four years, TrickBot has infected more than a million computers worldwide, according to coalition members. TrickBot, which started out as an ordinary banking Trojan, has evolved into a botnet that distributes all kinds of malware. For example, in 2019 the malware was itself distributed through the Emotet botnet and later delivered Ryuk ransomware to victims' machines.
As a reminder, according to a Check Point report, TrickBot was the second most aggressive malware in the world in September 2020.