Skip to main content

The Avengers of security teamed up to try and take down the TrickBot botnet

(Image credit: Shutterstock / Jaiz Anuar)

The backend infrastructure of the TrickBot botnet has been disabled thanks to the work of Microsoft and a coalition of security firms and telecoms.

The software giant's Defender team worked together with FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT and Broadcom's cybersecurity division Symantec to accomplish the feat which took months of preparation.

First spotted in 2016, TrickBot was initially a banking trojan that was a successor to Dyre before it evolved to perform a number of other malicious activities including spreading laterally through a network, stealing saved credentials in browsers, stealing cookies and infecting Linux machines.

The malware is usually delivered via email campaigns that leverage current events or financial lures in order to trick users into opening malicious file attachments or links to websites hosting malicious files. After infecting a system with TrickBot, cybercriminals then used it to install reconnaissance tools such as PowerShell Empire, Metasploit and Cobalt Strike to steal credentials and network configuration information.

Taking down TrickBot

In order to take down the TrickBot botnet, Microsoft, ESET, Symantec and other partners spent months collecting over 125,000 samples of the malware. They then analyzed these samples and extracted and mapped information about how the malware worked including the servers the botnet used to control infected computers.

After collecting this information on TrickBot's inner workings, Microsoft then went to the US District Court for the Eastern District of Virginia where the company asked a judge to grant it control over the botnet's servers. 

Corporate vice president of customer security and trust at Microsoft, Tom Burt provided further insight on how the company used the court's ruling to disable TrickBot's backend infrastructure in a blog post, saying:

“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

While TrickBot appears to be out of commission for now, the botnet could return as other botnets have managed to survive similar takedown attempts in the past. Only time will tell if Microsoft and its partner's efforts were successful though even then, another botnet will likely rise up to take TrickBot's place.

Via ZDNet