Microsoft says it, and several tech companies, have at least temporarily taken down the Trickbot botnet, a Russian-based network of devices that has infected more than a million computers since 2016 and is behind scores of ransomware attacks.
“We disrupted Trickbot through a [U.S.] court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Microsoft said in a statement Monday. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
Other tech companies involved in the effort included ESET, Lumen’s Black Lotus Labs, NTT and Symantec. Also involved was the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Microsoft says these moves represent a legal approach that its Digital Crimes Unit is using for the first time to get the court order: Copyright claims against Trickbot’s malicious use of its software code. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”
Criminals being well-funded and with the ability to find other systems to host their malware, it isn’t clear how long Trickbot will be out of commission. In fact, Microsoft took care to say it has “disrupted” the botnet. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Microsoft acknowledged, adding, “we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”
Cyber criminals are tenacious. The re-birth of the Emotet botnet in 2019 is a recent example. It was down for four months after its command and control (C&C) servers had been shut down — either by law enforcement or a security researcher. But operators may have shut it down to rebuild the infrastructure.
UPDATE: ZDNet reports that the Trickbot operators have replaced the seized domains and command and control servers with new infrastructure.
In a statement, ESET said that over the years Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets. “Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” said Jean-Ian Boutin, the company’s head of threat research.
“Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.”
What makes Trickbot so dangerous, says Microsoft, is its modular capabilities that constantly evolve, infecting victims through a “malware-as-a-service” model. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.”
Trickbot’s operators can also quickly tailor its spam and spear-phishing campaigns. Recent messaging topics have included Black Lives Matter and COVID-19. Microsoft believes Trickbot has been the most prolific malware operation using COVID-19 themed lures.
Trickbot is also known to deliver the Ryuk crypto-ransomware.
