94% of the TrickBot malware infrastructure is shut down, but it is still active

We recently talked about a massive operation aimed eliminating one of the largest botnets of our days, TrickBot, in which participated law enforcements, specialists from the Microsoft Defender team, FS-ISAC non-profit organization, as well as ESET, Lumen, NTT and Symantec. But it turned out that the TrickBot botnet is still active, and its operators are quietly continuing to expand the list of victims.

Even then, many experts wrote that though at first Microsoft managed to disable the TrickBot infrastructure, most likely the botnet will still “survive”, and eventually its operators will put new control servers into operation, continuing their activity.

“TrickBot cycles through the entire server list until it finds a working server. As long as even 1 server on the list is online they can just push out a new config with more servers. Also I just looked and they pushed a new server list with 100% working servers”, – wrote MalwareTech experts on Twitter.

Now Microsoft representatives have released a new statement, generally confirming the correctness of the experts and the story of the second wave of actions aimed at eliminating TrickBot. The company reports that thanks to the efforts of specialists, over the past week, malware has lost 94% of its control servers (120 out of 128), including new ones that were activated after the operation began.

One of the company’s vice presidents, Tom Burt, said that during this time, Microsoft shut down 62 of the 69 original TrickBot C&C servers, as well as 58 of the 59 servers the hackers tried to bring back into service after the operation began.

The seven servers that the specialists failed to eliminate are mainly related to the Internet of Things (IoT).

“These devices could not be taken offline because they are not under the control of hosting companies or data centers, and it was not possible to contact their owners”, – wrote Tom Burt.

Experts write that they are already coordinating with local Internet providers and working on this problem.

In a new message, Burt expressed his gratitude to Microsoft engineers, as well as the company’s lawyers, who quickly provided new court orders that allowed them to eliminate the botnet servers in a matter of days. Let me remind you that the whole operation became possible precisely due to the fact that Microsoft representatives went to court demanding that the company transfer control over the identified TrickBot servers.

However, the botnet is currently still “alive”, although significantly weakened. According to Intel 471, the remnants of TrickBot C&C servers are located in Brazil, Colombia, Indonesia, and Kyrgyzstan. At the same time, Microsoft says it will permanently shut down the TrickBot infrastructure prior to the US presidential election on November 3, 2020.

Experts say that they are trying to prevent TrickBot operators from renting access to infected devices to other hack groups, as it happened in the past.

Interestingly, this large-scale assassination attempt did not seem to bother the TrickBot operators themselves, who over the past week have been not only rebuilding infrastructure, but also were trying to expand the list of their victims with the help of the partner botnet Emotet.