But Some Researchers Say Botnet’s Operators Using Workarounds to Restore Activity
The locations where Microsoft found Trickbot command-and-control servers and IoT devices. (Source: Microsoft)
Microsoft and its partners are continuing to put pressure on the Trickbot malware operation, eliminating an estimated 94% of its infrastructure, according to a Tuesday update from the company.
But some security researchers warn that the botnet’s operators are developing workarounds to re-establish its infrastructure, enabling the group to resume its activities.
“As of October 18, we’ve worked with partners around the world to eliminate 94 percent of Trickbot’s critical operational infrastructure, including both the command-and-control servers in use at the time our action began and new infrastructure Trickbot has attempted to bring online,” says Tom Burt, Microsoft’s corporate vice president for customer security and trust.
Microsoft initially identified 69 servers around the world it believes were core to Trickbot’s operation and disabled 62, Burt says. The seven remaining servers are IoT devices Trickbot infected to use as part of its server infrastructure, and Microsoft is attempting to disable these as well.
“We will continue to do this between now and election day on November 3,” Burt says. “Additionally, our partners and the hosting providers have been sharing information that has uncovered more command-and-control servers.”
Wizard Spider’s Activities
Some cybersecurity firms have reported that Trickbot’s operators, a group known as Wizard Spider, immediately began rebuilding its infrastructure using servers located outside of the U.S. that it still controlled even after Microsoft’s initial takedown actions earlier this month (see: Trickbot Rebounds After ‘Takedown’).
“So far, we have not yet seen the same levels [of Trickbot activity] as we did in early September, but we can confirm that TrickBot is almost as prevalent right now,” Jerome Segura, director of threat intelligence at Malwarebytes, said Tuesday.
Meanwhile, the security research firm Intel471 reports that as of Tuesday, Trickbot retained control of a small number of servers in Brazil, Colombia, Indonesia and Kyrgyzstan.
Microsoft’s Trickbot Takedown
On Oct. 12, Microsoft announced a disruption of Trickbot that it said was designed to help protect the upcoming U.S. presidential election and to stop the global spread of ransomware and other malware.
The disruption was intended to disable Trickbot’s infrastructure and make it difficult for its operators to enable ransomware attacks, which have been identified as one of the biggest threats to the upcoming U.S. elections, Burt says.
Microsoft researchers found the criminals operating Trickbot scrambled to replace the infrastructure that was initially disabled. The researchers identified 59 new servers the group attempted to add to their infrastructure, according to the latest Microsoft report.
“We have now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” Burt says.
Over the years, the botnet has been used to distribute a variety of malicious code, including the Ryuk ransomware variant, which the U.S. government has cited as a potential threat vector against the election.
Microsoft says that although the number of Trickbot servers in operation will continue to change, the company’s efforts will continue to have an impact on the remaining infrastructure.
“This is challenging work, and there is not always a straight line to success,” Burt says. “At the same time, we’re pleased with our progress, and for several reasons I’m optimistic about the outcomes we can achieve.” (See: Analysis: Will Trickbot Takedown Impact Be Temporary?).
Segura of Malwarebytes says: “What we are seeing right now is the classic battle between defenders and criminals. TrickBot can regain momentum as long as it is still able to contact at least one server and share an updated configuration list with new active command and control machines. … Microsoft is probably looking at the long game here, and these setbacks are to be expected.”
Microsoft researchers say they are taking a persistent and layered approach to address Trickbot’s operations around the world.
“This is necessary due to the unique architecture of the Trickbot botnet and the creativity and persistence of the criminals operating it,” the report notes.
Microsoft obtained a court order from the U.S. District Court for the Eastern District of Virginia that allowed it to disable the U.S. servers that hosted Trickbot.
“Since the initial court order we obtained, we’ve gone back to court and secured subsequent orders to take down the newly activated infrastructure,” Burt says.
Microsoft’s partners are working to clean and remediate the compromised IoT devices, especially routers, which Trickbot operators use as a command-and-control infrastructure.
“These compromised routers pose a unique challenge for the internet service providers as they must simultaneously work to remediate devices while keeping legitimate traffic uninterrupted, and this delicate work is underway,” Burt says. “We’re working with ISPs and others to also clean devices in people’s homes and businesses that might be infected.”
Trickbot’s Road to Recovery
Once a botnet server infrastructure is eliminated, the attempt to rebuild it is not as simple as setting up new servers, Burt says.
“New servers need to be provisioned to begin talking with the botnet’s infected devices and issuing commands, all of which takes time,” he says. “We have identified new Trickbot servers, located their respective hosting provider, determined the proper legal methodology to take action, and completely disabled those servers in less than three hours.”
Burt notes that the Trickbot gang’s main focus is setting up new infrastructure, rather than initiating fresh attacks, and it has looked for operational help.
“We and others have detected the Trickbot operators attempting to use a competing criminal syndicate to drop what were previously Trickbot payloads,” Burt says. “This is one of many signs that suggest to us that, faced with its critical infrastructure under repeated attack, Trickbot operators are scrambling to find other ways to stay active.”
Burt encourages others in the security community “to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline.”
News Editor Doug Olenick contributed to this story.