Microsoft & Partners Take Down Data-Stealing Malware TrickBot

essidsolutions

Microsoft partnered with FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec to take down key infrastructure that supported the TrickBot botnet. Even so, this may not be enough to rein in the threat from this credential-stealing malware.

Microsoft on Monday revealed details of the successful operation against the malware-as-a-service botnet TrickBot. The operation, approved through a court order, dismantled backend infrastructure of the credential-stealing malware, which has infected millions of computer systems globally. TrickBot is also one of the biggest cyber risks to the upcoming U.S. presidential elections.

High TrickBot activity was observed this year when its operators used current events like COVID-19, Black Lives Matter and the U.S. elections as bait to infect users’ systems. Microsoft partnered with the Financial Services Information Sharing and Analysis Center (FS-ISAC), ESET, Lumen’s Black Lotus Labs, NTT and Symantec to take down the credential-stealing malware.

“We disrupted TrickBot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft. “We have now cut off key infrastructure so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

TrickBot is notorious not only for its malware-as-a-service capabilities but also for its ability to deliver ransomware payloads onto the target system. Besides delivering payloads, it also steals financial data. Beyond the U.S. elections, financial services institutions, government agencies, healthcare facilities, businesses and universities are also prime targets of the TrickBot campaign.

Mark Arena, CEO at Intel 471, told The New York Times, “Its [TrickBot’s] operators started cataloging the computers they infected, noting which belonged to large corporations, hospitals and municipalities, and selling access to infected computers to cybercriminals and state actors.”

Through months of preparation and research, Microsoft and partners collected over 120,000 malware samples. From these they were able to pinpoint the IP addresses of the TrickBot command and control servers. The orders issued by the Virginia court granted Microsoft and partners permission to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers.”

These servers can now be used to identify and remediate Windows systems infected by TrickBot.

Despite the large-scale operation, the threat from TrickBot has not yet been fully mitigated. According to the Swiss security site Feodo Tracker, several TrickBot servers are still online. The complete list can be found there. Microsoft said steps to mitigate future threats from TrickBot would be supported by internet service providers (ISPs) and global computer emergency readiness teams (CERTs).
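A defender reading the Feodo Tracker note above will want to check whether any internal host is still talking to a listed TrickBot C2 address. The following is an added example, not code from the article, Microsoft or Feodo Tracker: it loads an IP blocklist in the plain "one IP per line, `#` comments" layout (assumed here; confirm the feed's format before wiring it to the live list) and matches it against outbound firewall log lines. Both the blocklist and the log lines are constructed samples using RFC 5737 documentation addresses, and the log line format is hypothetical.

```python
"""
Added example (not part of the original article): match outbound
connection logs against a TrickBot C2 IP blocklist of the kind
Feodo Tracker publishes. The blocklist text and the log lines below
are constructed samples; the IPs come from RFC 5737 documentation
ranges and are not real TrickBot infrastructure.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed blocklist in a "one IP per line, '#' comments" layout
# (assumed format; verify against the real feed before use).
BLOCKLIST_TEXT = """\
# Feodo Tracker style IP blocklist (constructed sample)
# Last updated: 2020-10-12
192.0.2.45
198.51.100.17
203.0.113.9
not-an-ip
"""

# Constructed firewall log lines in a hypothetical format:
# <timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
FIREWALL_LOG = """\
2020-10-13T08:01:12Z 10.0.5.21 -> 192.0.2.45:443 ALLOW
2020-10-13T08:01:13Z 10.0.5.21 -> 172.217.3.110:443 ALLOW
2020-10-13T08:02:40Z 10.0.7.8 -> 198.51.100.17:8443 ALLOW
2020-10-13T08:03:01Z 10.0.9.3 -> 10.0.0.1:53 ALLOW
2020-10-13T08:04:55Z 10.0.5.21 -> 192.0.2.45:443 DENY
garbage line that should be ignored
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """Return the set of IPs in the blocklist, ignoring comments, blanks
    and malformed entries (a bad line should not abort the whole load)."""
    ips: Set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.IPv4Address(line))
        except ValueError:
            continue
    return ips


def find_c2_contacts(
    log_text: str, blocklist: Set[ipaddress.IPv4Address]
) -> Dict[str, List[dict]]:
    """Group log entries whose destination is on the blocklist by the
    internal source host, so each hit maps to a machine to remediate."""
    hits: Dict[str, List[dict]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        ts, src, dst, port, action = m.groups()
        try:
            dst_ip = ipaddress.IPv4Address(dst)
        except ValueError:
            continue
        if dst_ip in blocklist:
            hits.setdefault(src, []).append(
                {"time": ts, "dst": dst, "port": int(port), "action": action}
            )
    return hits


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for host, events in find_c2_contacts(FIREWALL_LOG, bl).items():
        print(f"{host}: {len(events)} contact(s) with listed C2 addresses")
        for e in events:
            print(f"  {e['time']} -> {e['dst']}:{e['port']} {e['action']}")
```

Denied connections are reported alongside allowed ones on purpose: a DENY still shows that the source host attempted to reach a C2 address, which is the signal that it needs remediation, not just that the firewall did its job.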

Added some much-needed perspective from Intel 471 on why any attempt to take down Trickbot is likely to fail. tl;dr: Their backup communication method relies on ToR and EmerDNS, which allows the use of domains that can’t be taken down by any authority pic.twitter.com/Pd4fZccvRf

— briankrebs (@briankrebs) October 12, 2020

However, since TrickBot relies upon Tor (The Onion Router) and EmerDNS, a complete takedown of the malicious program remains dubious at best. This is the second major botnet takedown of 2020, after Necurs in March.