Microsoft and U.S. Cyber Command try to take down TrickBot

David Strom 22 Oct 2020

Private and public sectors come together for botnet removal effort

TrickBot, a malware network that is often described as one of the world’s largest with at least a million PCs, is once again in the news. Earlier this month, the botnet was the focus of two independent efforts to take it down: from Microsoft and from the US Cyber Command.

Both of these efforts were aimed at a preemptive strike in advance of the November election and weren’t completely successful: TrickBot’s operators were able to reclaim access to their computers within half a day after Cyber Command sent out phony updates to the component PCs on the network that took them offline. But what is newsworthy is how the two organizations worked to try to stop the botnet’s activities.

While the botnet hasn’t been used against any election computing network, DoD was concerned that it could be so deployed because its origins point to being Russian state-sponsored. The Cyber Command has been focused lately on engaging directly with malware groups, as mentioned in this Foreign Affairs post from this past summer co-authored by General Paul Nakasone, the Director of the NSA. “We learned that we cannot afford to wait for cyber attacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it,” he wrote.

TrickBot is often the first sign of an attack that includes other malware campaigns. In July, researchers found that its creators had added a module for stealing data from browser sessions, while at the same time alerting users that it was doing something wrong. That perhaps was a bug, not a feature! In June, researchers came across an attack email that leveraged a fake Black Lives Matter voting campaign to distribute TrickBot malware. Back in 2019, 22 Texas town government networks were infected with TrickBot. That was just the beginning of the attack: the infection brought about the Sodinokibi ransomware. To get an idea of how pervasive TrickBot is, the Feodo tracker keeps count of the actual host IP addresses that have been compromised by TrickBot (along with other malware campaigns). You can see dozens of current attack origins within the past few weeks. One researcher quoted by Brian Krebs says the botnet has stolen more than 7M users’ credentials over its tenure.

The origins of TrickBot

TrickBot first appeared in 2016 as banking malware and was primarily used to steal online banking credentials. It works by hijacking a user’s browser and then copying the banking login details without the user’s knowledge. It has often been associated with Emotet and Ryuk ransomware strains, and this post by Intel471 researchers explores that relationship.  It is precisely this relationship with these ransomware attacks that got both Microsoft (along with other infosec partners) and the DoD worried about its use.

Microsoft analyzed more than 60,000 TrickBot samples. It has tracked its evolution and shows how the botnet has become the core of a “malware-as-a-service” criminal enterprise. They say “TrickBot has been the most prolific malware operation using COVID-19 themed lures.” What is interesting and novel about Microsoft’s takedown effort is that it began with a lawsuit in the US District Court in Virginia to disable a set of particular IP addresses. The lawsuit claimed that TrickBot infringed on Microsoft’s copyrighted code. Microsoft worked with a number of other security firms, including ESET and NTT to disrupt TrickBot’s operations.

HP’s security team has also tracked its evolution this summer, from being a simple malware downloader to a more sophisticated “dropper” where the malware payload is hidden inside its executable file and makes it harder to discover. HP said the most recent TrickBot versions were detected by just a few scanners, with some of them managing to avoid any detection whatsoever. Other security researchers have found more than two dozen different code modules, with some being used to harvest passwords from various applications.

Looking ahead

Clearly, the TrickBot attempted takedown is just a sign of things to come. What is interesting is how the private and public sector has worked in tandem, using new strategies such as copyright violations and military-grade operations.

Related articles

--> -->