Researchers Find 2 Fresh Versions Following Takedown Efforts
The gang operating Trickbot is continuing its activities despite recent takedown efforts, rolling out two updates that make the malware more difficult to kill, according to the security firm Bitdefender.
The latest Trickbot versions – 2000016 and 100003 – were rolled out on Nov. 3 and Nov. 18, respectively. The changes include new command-and-control infrastructure built on Mikrotik routers and a shift to using only packed modules. Before these releases, the malware had last been updated in August, the researchers say.
Version 2000016 appeared only about three weeks after Microsoft, working with other cybersecurity companies and government agencies, moved to take down the million-device Trickbot botnet, Bitdefender says.
“Completely dismantling Trickbot has proven more than difficult, and similar operations in the past against popular Trojans have proven that the cybercriminal community will always push to bring back into operation something that’s profitable, versatile and popular,” the report states.
“Trickbot might have suffered a serious blow, but its operators seem to be scrambling to bring it back, potentially more resilient and difficult to extirpate than ever before.”
So far, the new versions have been used in attacks in the U.S., Malaysia, Romania, Russia and Malta, Bitdefender says.
A ‘Kneecapping’ Operation
“When Microsoft decided to take down Trickbot before the U.S. elections, fearing the massive botnet could be used to thwart the voting process in some way, the endeavor proved to be more like a ‘kneecapping’ operation rather than cutting the hydra’s heads,” Bitdefender says. “This was likely a short-term tactic, potentially just to make sure that Trickbot wouldn’t cause any issues during the elections.”
The latest version of the malware contains the same full list of modules that was used before the takedown attempt, with a few changes. For example, the packed build no longer includes shareDll or mshareDll. The researchers believe this likely indicates that Trickbot’s operators are moving away from unpacked modules and trimming their list of lateral movement modules to packed ones only.
The action against Trickbot’s infrastructure forced its operators to take some additional steps to help ensure any further efforts to take down the malware were unsuccessful, Bitdefender says (see: Microsoft, Others Dismantle Trickbot Botnet).
Bitdefender says that in version 2000016, communications between victims and the command-and-control servers are signed using bcrypt. Note that bcrypt is a password-hashing function, not a public-key signature scheme, so this is not a signature in the certificate-based sense.
This functionality was removed with the release of version 100003, which relies solely on Mikrotik-based servers for command and control.
Another safeguard put in place is the use of an EmerDNS domain as a backup in case no known command-and-control server responds, according to the report.
“What’s interesting about this particular domain is that the EmerCoin key (EeZbyqoTUrr4TpnBk67iApX2Wj3uFbACbr) used to administer the server also administers some [command-and-control] servers that belong to the Bazar backdoor. The analyzed sample (82e2de0b3b9910fd7f8f88c5c39ef352) uses the morganfreeman.bazar domain, which has the 188.8.131.52 IP address and is running Mikrotik v6.40.4,” the researchers say.
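The practical point of the EmerDNS fallback is that names such as morganfreeman.bazar live on the Emercoin blockchain rather than in the ICANN root, so they cannot be seized through a registrar and an ordinary resolver will simply answer NXDOMAIN. The query itself is therefore the signal worth hunting for. The following is an added example, not code from the article or from Bitdefender's report: it scans resolver log lines for queries to EmerDNS top-level domains (.bazar, .coin, .emc and .lib) and for the specific domain named in the report. The log line format and every sample line are constructed for the example.

```python
"""Added example, not code from the article or from Bitdefender's report:
flag DNS queries for EmerDNS (Emercoin blockchain) names in resolver logs.

EmerDNS zones such as .bazar are not delegated from the ICANN root, so an
ordinary resolver answers NXDOMAIN; the query itself, not the answer, is
the signal. The log format and every sample line below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Top-level domains served by EmerDNS (Emercoin's blockchain name system).
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Indicator taken from the Bitdefender finding quoted in the article.
KNOWN_C2_DOMAINS = {"morganfreeman.bazar"}

# Constructed log format (an assumption made for this example):
#   <timestamp> client=<ip> query=<name> type=<rrtype> rcode=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)"
    r"\s+type=(?P<rrtype>\S+)\s+rcode=(?P<rcode>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    name: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def classify(name: str) -> Optional[str]:
    """Explain why a queried name is suspicious, or return None if it is not.

    Only the rightmost label is compared, so 'cdn.coin.example.net' is not
    mistaken for an EmerDNS name.
    """
    name = normalize(name)
    if name in KNOWN_C2_DOMAINS:
        return "known Trickbot/Bazar EmerDNS C2 domain"
    tld = name.rsplit(".", 1)[-1]
    if tld in EMERDNS_TLDS:
        return f"query for EmerDNS top-level domain .{tld}"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the classifier over raw log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["name"])
        if reason:
            findings.append(Finding(rec["ts"], rec["client"], normalize(rec["name"]), reason))
    return findings


# Constructed sample log lines; none of this is real traffic.
SAMPLE_LOG = [
    "2020-11-18T10:02:11Z client=10.1.4.23 query=www.example.com. type=A rcode=NOERROR",
    "2020-11-18T10:02:15Z client=10.1.4.23 query=morganfreeman.bazar. type=A rcode=NXDOMAIN",
    "this line is not in the expected format",
    "2020-11-18T10:03:40Z client=10.1.7.9 query=updates.lib. type=A rcode=NXDOMAIN",
    "2020-11-18T10:04:02Z client=10.1.7.9 query=cdn.coin.example.net. type=AAAA rcode=NOERROR",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.name}: {f.reason}")
```

The classifier deliberately ignores the response code: a host that should only use corporate DNS has no legitimate reason to ask for a .bazar name, and the NXDOMAIN it gets back is exactly what a Trickbot host would see before falling back to an Emercoin-aware resolver. Matching only on the rightmost label avoids false positives on ordinary names that merely contain "coin" or "lib" as an inner label.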
Microsoft reported on Oct. 12 it had obtained a court order from the U.S. District Court for the Eastern District of Virginia that allowed it to disable the servers that hosted Trickbot.
Within just a few days, however, security firms CrowdStrike and Malwarebytes reported the botnet was being reassembled, although activity levels were much lower than before the takedown effort (see: Trickbot Rebounds After ‘Takedown’).