
TrickBot malware under siege from all sides, and it's working
2020-10-20 19:25

On October 12, Microsoft and its partners announced that they had disrupted part of Trickbot's command-and-control (C2) infrastructure. The takedown followed an order from the U.S. District Court for the Eastern District of Virginia granting Microsoft's request to seize 19 U.S.-based IP addresses that Trickbot used to control infected computers.

"The Emotet bots reached out to their controllers and received commands to download and execute Trickbot on victim machines. The Trickbot group tag that Intel 471 identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more" - Intel 471.

"As we continue to cut off these new servers, our partners are also working to clean and remediate the compromised IoT devices, especially routers, that the Trickbot operators are using as non-traditional command-and-control infrastructure" - Microsoft.

In a Trickbot malware sample distributed on October 19, Intel 471 identified 16 new C2 servers dispersed globally; at the time of reporting, none of them were responding to requests from infected systems.

Even if these efforts do not cause Trickbot to dwindle into extinction, the botnet may die on its own, but only because the threat actors are moving to BazarLoader, a trojan that Trickbot's operators increasingly use to target high-value enterprises and deploy Ryuk ransomware on their networks.


News URL

https://www.bleepingcomputer.com/news/security/trickbot-malware-under-siege-from-all-sides-and-its-working/