Last week, a coalition of cyber-security firms led by Microsoft orchestrated a global takedown against TrickBot, one of today’s largest malware botnets and cybercrime operations.
Although Microsoft brought down TrickBot infrastructure in the first few days, the botnet survived, and TrickBot operators brought new command and control (C&C) servers online in the hope of continuing their cybercrime spree.
But as several sources in the cyber-security industry told ZDNet last week, everyone expected TrickBot to fight back, and Microsoft promised to continue cracking down on the group in the weeks to come.
In an update posted today on its takedown efforts, Microsoft confirmed a second wave of takedown actions against TrickBot.
94% of TrickBot servers taken down in a week
The OS maker said it has steadily chipped away at TrickBot infrastructure over the past week and has now taken down 94% of the botnet’s C&C servers, counting both the original servers and the new ones brought online after the first takedown.
“From the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” said Tom Burt, CVP of Customer Security and Trust at Microsoft.
Burt says Microsoft brought down 62 of the original 69 TrickBot C&C servers and 58 of the 59 servers TrickBot tried to bring online after last week’s takedown.
The seven original servers that could not be brought down last week were described as Internet of Things (IoT) devices.
The reason these systems couldn’t be taken down right away was that they weren’t hosted inside web hosting companies or data centers, which have abuse desks that act on court orders, so the device owners couldn’t be reached through the usual “abuse email” channel.
Additional coordination was needed with the local internet service providers, but Microsoft says “these [devices] are in the process of being disabled.”
Burt credited Microsoft’s swift response to the second wave of TrickBot server infrastructure to the company’s lawyers, who moved quickly to request new court orders so that the replacement servers could be taken down within days of appearing.
Down, but not out
The TrickBot botnet is still alive, but it has once again been brought to its knees. Only a handful of C&C servers remain online, which is enough to let the TrickBot operators keep control of their horde of infected devices.
According to cyber-security firm Intel 471, these last few TrickBot C&C remnants are located in Brazil, Colombia, Indonesia, and Kyrgyzstan.
How long TrickBot will survive is unclear, but Burt said Microsoft plans to keep hunting down TrickBot infrastructure at least until the US presidential election on November 3.
Burt said Microsoft is trying to prevent TrickBot from renting access to infected computers to ransomware gangs, something the TrickBot operators are known to have done in the past.
Microsoft fears that a badly timed ransomware attack could cause downtime for election systems, either directly, by encrypting election-related infrastructure, or indirectly, by disrupting election-related supply chains.
Most cyber-security experts have played down such fears: ransomware gangs have a multitude of distribution methods at their disposal, and taking down TrickBot does not necessarily mean the elections are safe from ransomware attacks. Still, nobody is mad at Microsoft for crippling a botnet that has given many system administrators nightmares for the past two years.
Nonetheless, seen from the outside, the takedown attempt doesn’t seem to have worried the TrickBot operators too much, as they spent the last week infecting new victims with the help of a partner malware botnet (Emotet).
Had a feeling this would happen. Emotet often drops TrickBot, and a few months ago TrickBot was dropping Emotet. As a result they are able to recover some old bots, as well as infect new systems via Emotet. https://t.co/ijB87gqKJ1
— MalwareTech (@MalwareTechBlog) October 14, 2020