Security News
The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets. Over the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's BazarLoader malware switch to installing a new malicious PowerShell script.
Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the notorious malware aren't sitting idle. According to new findings shared by cybersecurity firm Netscout, TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted.
Most of the servers associated with the TrickBot botnet have been taken down following the technical and legal effort announced last week, Microsoft says. The TrickBot operators, who some say are the same hackers that also use Ryuk and Conti ransomware, appeared largely unaffected by the takedown attempt, with only a relatively small percentage of the bots being isolated.
On October 12, Microsoft and its partners announced that they had taken down some Trickbot C2s. This was possible after the U.S. District Court for the Eastern District of Virginia granted a request to take down 19 IP addresses in the U.S. that Trickbot used to control infected computers. "The Emotet bots reached out to their controllers and received commands to download and execute Trickbot on victim machines. The Trickbot group tag that Intel 471 identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more" - Intel 471.
Control servers included in the configuration file of new TrickBot samples fail to respond to bot requests, according to researchers at threat intelligence company Intel 471. Days after the announcement, Intel 471's researchers revealed that TrickBot had resumed operations and that Emotet was observed serving TrickBot payloads to infected machines.
The threat actor behind the Ryuk ransomware continues to conduct attacks following the recent attempts to disrupt the TrickBot botnet, CrowdStrike reports. Referred to as WIZARD SPIDER, the adversary has been widely using TrickBot for the distribution of ransomware, and the recent attempts by the U.S. Cyber Command and Microsoft to disrupt the botnet were expected to put an end to such operations.
The TrickBot botnet appears to have resumed normal operations days after Microsoft announced that it managed to take it down using legal means. On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet.
The new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a "Localhost" address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471. U.S. Cyber Command's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity.
"We disrupted TrickBot through a court order we obtained, as well as technical action we executed in partnership with telecommunications providers around the world," wrote Tom Burt, corporate vice president, Customer Security & Trust, at Microsoft, in a Monday posting. "Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, TrickBot has also infected a number of Internet of Things devices, such as routers, which has extended TrickBot's reach into households and organizations."