Security News
Days after the US Government took steps to disrupt the notorious TrickBot botnet, a group of cybersecurity and tech companies has detailed a separate coordinated effort to take down the malware's back-end infrastructure. Microsoft and its partners analyzed over 186,000 TrickBot samples, using it to track down the malware's command-and-control infrastructure employed to communicate with the victim machines and identify the IP addresses of the C2 servers and other TTPs applied to evade detection.
These were servers that Microsoft had tied back to the operation of a large, long-lived and destructive zombie network known as Trickbot. Sadly, we've had to write about Trickbot many times over the years, as the criminals behind the operation have spammed out wave after wave of deviously constructed emails under a wide variety of guises, all with the ultimate goal of infecting as many victims as possible with zombie malware.
An order granted by the US District Court for Eastern Virginia authorised Microsoft and chums to "Disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers." Jean-Ian Boutin, head of threat research, said: "Over the years we've tracked it, Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets out there. Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally."
Microsoft on Monday revealed that it worked together with industry partners to shut down the infrastructure used by TrickBot operators and block efforts to revive the botnet. The Washington Post reported last week that the U.S. Cyber Command too attempted to hack TrickBot's C&C servers, in an attempt to take the botnet down to prevent attacks seeking to disrupt the U.S. presidential elections.
"We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems," shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft. "In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims' networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that 'the relationship between Emotet , Ryuk and Trickbot is considered one of the most notable in the cybercrime world'," Symantec researchers noted.
Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant's trademarks.
The Trickbot operation started hitting serious snags towards the end of September when enslaved computers received an update that cut them off from the botnet by changing the command and control server address to 127.0.0.1. On October 10, The Washington Post reported that the U.S. Cyber Command carried out a campaign seeking to disrupt the Trickbot botnet ahead of the presidential elections.
The Trickbot operation started hitting serious snags towards the end of September when enslaved computers received an update that cut them off from the botnet by changing the command and control server address to 127.0.0.1. On October 10, The Washington Post reported that the U.S. Cyber Command carried out a campaign seeking to disrupt the Trickbot botnet ahead of the presidential elections.
A new report Friday says the coordinated attack was part of an operation carried out by the U.S. military's Cyber Command. On October 2, KrebsOnSecurity reported that twice in the preceding ten days, an unknown entity that had inside access to the Trickbot botnet sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers.
The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware. "This possibly means central Trickbot controller infrastructure was disrupted. The close timing of both events suggested an intentional disruption of Trickbot botnet operations."