TrickBot Operators “Scrambling” for Ways to Keep the Malware Alive

essidsolutions

Microsoft and its partners are giving TrickBot operators a tough time, having taken down 120 of the 128 identified TrickBot servers, which amounts to 94% of the botnet's operational infrastructure. The coalition will continue to monitor and disable newly emerging servers to protect the U.S. presidential elections from interference.

Nearly all of the critical operational infrastructure of the TrickBot botnet has been dismantled, Microsoft revealed on Tuesday. Around 94% of this credential-stealing malware's infrastructure has been eliminated, and its operations have been reduced to a fraction of their previous level.

Global TrickBot C2 Servers After Microsoft and Partners’ Takedown Last Week

Source: Microsoft

A coalition of the Financial Services Information Sharing and Analysis Center (FS-ISAC), ESET, Lumen's Black Lotus Labs, NTT and Symantec, headed by Microsoft's Digital Crimes Unit (DCU), dismantled the TrickBot operation last week.

The operation was undertaken as a precautionary measure against the malware, which is pegged as one of the biggest cyber threats to the upcoming November 3, 2020, U.S. presidential elections. However, only days after the initial takedown, which partially disabled TrickBot's infrastructure, the malware was back in action, as discovered by Intel 471.

The company found that TrickBot was distributing a "Microsoft Word document attachment with malicious macros that fetch and load a copy of Emotet onto the victim machine."

Intel 471's discovery was hardly surprising. As Toolbox reported previously, the botnet, which is also deployed as a ransomware payload delivery tool, is quite resilient owing to its use of The Onion Router (TOR) and EmerDNS. Moreover, the operators' continuous rotation of C2 IP addresses further complicates takedown efforts.

Intel 471 COO and Cofounder Jason Passwaters said, "About 10 years ago it was much easier to completely take over or significantly disrupt a botnet, but cybercriminals are students of takedowns and have learned to make their operations more resilient to takedown efforts. That's why every takedown attempt has some potential of giving ground to the adversary. You're teaching them where the weaknesses in their armor are and they have a team of developers ready to act on that information. So unless you strike a killing blow, you're not going to impact them long term."


Presently, TrickBot operators are trying hard to stay afloat by replacing the IP addresses in their control server configuration files with new ones. Intel 471 identified 16 such control servers, five of which are listed below:

Control Server IP Address City Country Organization
131.153.22.145 Amsterdam Netherlands AS60558 PHOENIX NAP LLC.
185.99.2.123 Sarajevo Bosnia and Herzegovina AS200698 Globalhost d.o.o.
194.5.249.216 Bucharest Romania AS64398 NXTSERVERS SRL
199.38.120.91 Georgetown United States AS35862 JCWIFI.COM
45.89.127.118 Berlin Germany AS30823 combahton GmbH

All of the listed control servers are unresponsive, although responsive ones do exist in Brazil, Colombia, Indonesia and Kyrgyzstan. And even as new ones pop up, Microsoft and the coalition are working to disable them immediately, leaving little or no room for expansion.

TrickBot cycles through the entire server list until it finds a working server. As long as even 1 server on the list is online they can just push out a new config with more servers.

— MalwareTech (@MalwareTechBlog) October 20, 2020

Emotet, another notorious malware family, also aids TrickBot in its payload deliveries. Microsoft's Corporate Vice President of Customer Security & Trust Tom Burt said, "We and others have detected the Trickbot operators attempting to use a competing criminal syndicate to drop what were previously Trickbot payloads. This is one of many signs that suggests to us that, faced with its critical infrastructure under repeated attack, Trickbot operators are scrambling to find other ways to stay active."


As of October 18, 2020, Microsoft said the coalition had taken down 120 of the 128 known TrickBot servers worldwide, up from the 62 of 69 identified servers disabled in the initial takedown. Since the count of known servers keeps growing, there is a chance that more servers exist globally.

Burt added, "These numbers will change regularly as we expect action we've already taken will continue to impact the remaining infrastructure and as we and others continue to take new action between now and the election."

Microsoft says it took down 94% of TrickBot’s command and control servers

-that’s 120 of 128 servers
-62 of 69 during the original takedown
-58 of 59 from TrickBot's attempts to rebuild its infrastructure last week pic.twitter.com/vf5UYddpO8

— stackpoint3r (@stackpoint3r) October 21, 2020

Besides servers, IoT devices such as routers used as part of the infrastructure were also identified and disabled. Microsoft is coordinating with internet service providers (ISPs) toward this end.

TrickBot will stay alive as long as it has a responsive C2 server, such as the ones in Brazil, Colombia, Indonesia and Kyrgyzstan. Nevertheless, as it stands, TrickBot operators are preoccupied, perhaps even distracted, with the task of keeping their operations afloat, which reduces the malicious activity that could target the presidential elections. This work, according to Microsoft, "has always been about disrupting Trickbot's operations during peak election activity."