TrickBot Operators Show Signs of Pivoting After Takedown Attempt
U.S. Cyber Command and a team of companies and organizations led by Microsoft delivered a one-two punch in recent weeks against TrickBot, one of the world’s largest botnets.
In the last couple days, however, TrickBot spamming campaigns have started up again.
While that might make it seem like the takedown efforts—which included hacking TrickBot’s command-and-control servers and taking control of infrastructure through a creative legal move—were unsuccessful, security researchers say it effectively severed the operator’s access to existing infections. “Their work got nuked,” said one Recorded Future security analyst who has been researching TrickBot’s evolution. “They can’t steal credentials, banking information, or ransom a massive set of victims, and have to go back to square one.” Security experts feared the botnet, believed to be controlled by Russian cybercriminals, could be used to sow confusion in the lead-up to the presidential election, The Washington Post reported.
It also seems to have thrown a wrench in the way that TrickBot operators work. TrickBot’s threat actors are rebuilding the botnet—or a vast network of infected computers and devices used to deploy ransomware and steal sensitive information—and appear to be pivoting to a more resilient infrastructure, according to new research from Recorded Future.
For example, the botnet post-takedown appears to be less reliant on MikroTik routers, which if unpatched can be easily compromised using readily available exploits and turned into command-and-control servers. The disruption also forced TrickBot operators to move away from controllers operating on port 449, which could potentially help harden against detection, the analyst said.
“The changes we’ve seen over the last two days are the biggest changes we've seen to TrickBot over the last two years,” he said. “The general sense is the infrastructure side is going through a big shift.”
Because TrickBot has grown to become one of the largest malware-as-a-service operations, it’s relatively easy for security researchers to lay traps and collect TrickBot malware samples from its massive spam campaigns. Researchers and victims can decrypt the obfuscated malware using free tools, and upload it onto malware scanning and analysis services that are widely available.
Recorded Future researchers collected historic monthly samples dating back from the last two years. By comparing those samples, one can analyze how TrickBot has evolved over time. The results: “Their infrastructure team was doing the bare minimum to keep it moving,” the analyst said.
Although the takedown efforts didn’t permanently stop TrickBot, it gave the operators a lot of work to do—and that might have been the intent.
ZDNet reported this week that security researchers involved in the effort didn't expect to completely defang TrickBot in one hit. A senior Microsoft employee told the publication that he anticipated TrickBot would attempt to restart operations, and that it would be met with additional legal and technical steps from the coalition.
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.