Dark Reading is part of the Informa Tech Division of Informa PLC

03:20 PM

Security Firms & Financial Group Team Up to Take Down Trickbot

Microsoft and security firms ESET, Black Lotus Labs, and Symantec collaborated with the financial services industry to cut off the ransomware operation's C2 infrastructure.

Technology and security companies teamed up with the financial services and telecommunications industries to disrupt the command-and-control (C2) infrastructure used to manage the well-known Trickbot ransomware, which has infected more than a million computing devices, the firms behind the takedown said on Monday.

Microsoft worked with security researchers from ESET, Lumen's Black Lotus Labs, and Broadcom's Symantec to identify key components of Trickbot's C2 and sever the ransomware's ability to connect to infected systems. The companies worked with the Financial Services Information Sharing and Analysis Committee (FS-ISAC) to obtain a court order that allowed telecommunications firms to shut down the servers on which the operation relied.


The group believes its efforts will hobble the botnet's operations and make efforts to reinfect systems much more difficult, says Jean-Ian Boutin, head of threat research at security firm ESET.

"By trying to disrupt the normal operations of the Trickbot botnet, we hope that it will result in a decrease in the offering of potential ransomware victims," he says. "As Trickbot was a platform for cybercriminals to pick their next ransomware target, by making it unavailable we hope to see a decrease in these devastating attacks."

Trickbot is a modular infection platform that has been distributed through phishing and through other infectors, such as Emotet, that install Trickbot on already compromised machines. ESET, for example, collected 28 different plug-in modules for the platform that, among other things, collect credentials, modify network traffic, and spread to other systems.

Once on a system, Trickbot has often been used as a banking Trojan, stealing victims' credentials and using them to gain access to their bank accounts. The software also often uses web injects, a technique that allows the attacker to control what a victim sees while on a particular site. An infected system, for example, may not display the victim's true banking balance but instead display the balance the attacker wants them to see.

In March, Trickbot's operators switched their focus from attacks on financial institutions to ransomware. The Ryuk ransomware — which infected a number of cities, healthcare facilities, and schools — is often installed by Trickbot.

"The criminal gang behind Trickbot has regularly updated its malicious software, adding modules with new functionality to increase its effectiveness and potential to cause harm," researchers from Black Lotus Labs, a part of enterprise technology company Lumen, said in their analysis. "They have incorporated tools such as Mimikatz and Cobalt Strike — often used by penetration testers and criminal attackers — to map victim networks, steal operating system credentials, and spread inside organizations."

Microsoft and the FS-ISAC were the plaintiffs in the civil case against the Trickbot operators. The software giant had concerns that the platform could be used to attack election sites and machinery ahead of the US presidential election.

"As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections," Tom Burt, corporate vice president of customer security and trust for Microsoft, said in a blog post. "Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust." 

Microsoft analyzed 61,000 samples of the Trickbot malware. Other companies lent their analyses to the effort as well. The ransomware platform has widely used COVID-themed phishing attacks to convince users to click on malicious links or open malware, Microsoft said.

Monday's action followed Microsoft and the FS-ISAC suing the Trickbot operators in the United States District Court for the Eastern District of Virginia, which granted their request for a court order to take down the servers at specific IP addresses identified by the companies' investigation. 

"This action also represents a new legal approach that our [Digital Crimes Unit] is using for the first time," Microsoft stated in its blog post. "Our case includes copyright claims against Trickbot's malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place."

Civil lawsuits have become the focus of Microsoft's efforts to stop massive cybercriminal operations. While the participants in the latest takedown hope to see the criminals behind the malicious program prosecuted, the perpetrators often do not face justice.

For companies, the best steps to take are defensive, says ESET's Boutin, who published his own analysis of the Trickbot operation.

"The best way to protect your organization is to not get compromised in the first place," he says. "A typical infection vector for malware families like Trickbot, that are known to drop ransomware, is malicious emails. On top of endpoint security, hardening security of email systems so that they can detect malicious emails before they arrive in the target's inbox is a good investment." 

Microsoft fully expects the Trickbot operators to make a comeback, albeit slowly.

"We fully anticipate Trickbot's operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them," Microsoft stated.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
