After a brief pause, Trickbot rebounds from takedown efforts

Attempts to disrupt the notorious Trickbot botnet, most recently through Microsoft's legal takedown, have proven short-lived as ransomware attacks have resumed.

The reprieve from the infamous ransomware dropper Trickbot was short-lived.

While multiple efforts were made in past months to disrupt the botnet, including one reportedly by the U.S. Cyber Command and another by a private coalition led by Microsoft, CrowdStrike and Intel 471 have reported the return of Trickbot activity. Disrupting the malicious botnet had become a persistent concern due to its ability to steal financial information and banking credentials, but most notably to deploy ransomware.

Prior to the Microsoft legal takedown last week, cybersecurity journalist Brian Krebs reported that unknown actors had launched a technical takedown against the botnet by uploading new configuration files to infected systems; the configuration update swapped Trickbot's command and control server address for a localhost that was not reachable, which prevent the malware from receiving instructions from Trickbot operators, a cybcercrime gang known as Wizard Spider. One week later, The Washington Post reported what many had suspected: the U.S. Cyber Command was behind the Trickbot hack.

While both efforts disrupted the botnet threat, CrowdStrike said in blog post Friday that Trickbot activity has bounced back.

"Since the disruption operation began on September 21, 2020, we have observed a definite impact on the Trickbot network, with almost 10,000 unique downloads of the non-standard configuration identified. However, in spite of this, Trickbot activity has returned to its usual rapid pace, and the impact of the disruption operation was manifested as a short-term setback for WIZARD SPIDER," CrowdStrike wrote in the report.

Additionally, Intel 471 published a blog Thursday that stated, "Trickbot botnet looks to be working once again."

"On October 14, 2020, the Emotet spam botnet -- which is often the precursor to Trickbot being loaded onto a system -- began receiving spam templates intended for mass distribution. These spam templates contained a Microsoft Word document attachment with malicious macros that fetch and load a copy of Emotet onto the victim machine. The Emotet bots reached out to their controllers and received commands to download and execute Trickbot on victim machines. The Trickbot group tag that Intel 471 identified is tied to a typical infection campaign that security researchers have been observing for the past 6 months or more," Intel 471 wrote in the blog.

Short-lived effects

The Intel 471 blog post included information about how the operators behind Trickbot may have worked around the disruption.

"Additionally, Intel 471 researchers saw an update to the Trickbot plugin server configuration file. Fifteen server addresses were added, and two old servers were retained in the configuration, along with the server's .onion address. This was likely done as a fix that would help operators maintain that their infrastructure remains operational."

Intel 471 CEO Mark Arena said it's unclear how the configuration files were used to exploit a weakness with Trickbot, but it he said a similar attack on the botnet could be possible.

"We believe that Trickbot by design allows administrators of Trickbot to send out configuration updates to their bots so there seems to always be a path to send our poisoned configuration updates in an attempt to halt Trickbot infected systems from communication with the cybercriminal's command and control servers," Arena said in an email to SearchSecurity.

UPDATE: Intel 471 published a report Tuesday, titled "Global Trickbot disruption operation shows promise," that tracked the most recent sample of the malware and found it could not connect to any of its intended command and control servers. "Intel 471 believes disruption operations against Trickbot are currently global in nature and have had success against Trickbot infrastructure," the blog post said. "Regardless, there still is a small number of working controllers based in Brazil, Colombia, Indonesia and Kyrgyzstan that still are able to respond to Trickbot bot requests."

In a follow-up statement to SearchSecurity Arena said "The configuration file issue was fixed and altered twice that we saw as per our blog post on Oct 13. The issue for the Trickbot operators isn't so much with the configuration files themselves but the access Cyber Command has to do other things that could impact their operations. Altering the configuration files is just one option of likely many options they could do that could impact the operations of Trickbot."

Adam Meyers, senior vice president of intelligence at CrowdStrike, told SearchSecurity that Wizard Spider reacted quickly to the disruption effort and "addressed issues with their infrastructure in attempts to prevent a repeat attack."

"The disruption involved pushing a null configuration to infected hosts, and this type of attack is difficult to pull off with 100% effectiveness given the nature of how Trickbot is built," Meyers said in an email to SearchSecurity. "Wizard Spider operators were quick to recognize the attempted takedown efforts and reacted to recover and gain new victims within a short time of the takedown beginning."

Arena said Intel 471 didn't expect Microsoft's action to have any medium- or long-term impact due to one reason.

"Microsoft's action looks to have impacted Trickbot servers located in the U.S. only, which were a small amount of their global pool of command and control servers," he said.

While the separate efforts by Microsoft and the U.S. Cyber Command proved only temporary, there are not many long-term options when it comes to taking down malicious malware.

"If you can't arrest someone, the next best option is disruption, which is what both operations achieved at least for the short term," Arena said.

Next Steps

Slilpp marketplace goes dark following government takedown

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing