More than a year after technology companies, financial firms, and law enforcement attempted to take down the Trickbot botnet, the group behind the malware seems to be retiring the cybercriminal platform in favor of other, more modern, attack tools, according to new analysis.
According to a new report published this week by threat intelligence firm Intel 471, following the late-2020 disruption, Trickbot campaigns occasionally cropped up throughout 2021. However, infections withered in the last quarter of the year, with Trickbot-controlled machines instead installing other programs, such as Emotet and Conti. In December, for example, the Trickbot group issued three updates to the malware, down from eight updates in the previous month. After Dec. 28, Intel 471 has not documented any further updates to the malware.
The shift indicates that Trickbot's operators are changing their strategy and are working more closely with the operators of the Emotet botnet, says Greg Otto, a researcher at Intel 471.
"Given that open source reporting has estimated that Trickbot 'employs' as many as 400 people, the group probably isn’t ceasing operations," Otto says. "It’s more likely the group will refine its malware and resurface, possibly under a different moniker."
Intel 471 is not the only company to notice that the Trickbot and Emotet groups are working more closely together. In November 2021, security firm Check Point Software Technologies noticed that more than 140,000 Trickbot-infected machines had started spreading Emotet malware to other systems, causing a surge in Emotet infections following a multinational takedown by law enforcement agencies in January 2021.
The Emotet takedown followed efforts by the US Cyber Command, Microsoft, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) to disrupt Trickbot in October 2020. Yet law enforcement efforts have continued: In September, officials arrested a Russian national in Korea on suspicions of being one of the developers aiding the Trickbot group. And more details about the loose organization of cybercriminals behind Trickbot came to light last June, when the US Department of Justice filed charges against a Latvian national involved with the group. The indictment described how the lack of prosecution in 2015 of the members of a former operation, known as the Dyre botnet, allowed the group to reform and create the foundations of the Trickbot group.
Now, it looks as if the group is changing its stripes again, according to Intel 471's analysis.
"Intel 471 cannot confirm, but it’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favor of other platforms, such as Emotet," the company stated in its advisory. "Trickbot, after all, is relatively old malware that hasn’t been updated in a major way. Detection rates are high and the network traffic from bot communication is easily recognized."
While Trickbot has apparently stopped its campaign to infect new systems, computers that are currently compromised are still communicating with one another and uploading new malicious functionality and programs — from code that can be injected into websites to other malware programs, such as Emotet and Qbot, according to the Intel 471 report.
"While the campaigns themselves have been quiet, command-and-control infrastructure tied to Trickbot continues to operate normally, serving additional plugins, web injects and additional configurations to bots in the botnet," according to the report. "This activity shows that while there haven’t been any new campaigns, there is evidence of some effort to maintain Trickbot’s command-and-control infrastructure, even if that effort is essentially an automated one."
The group also has used the Bazar backdoor malware to gain stealthy access to high-value targets, Intel 471 stated.
The change in the Trickbot group's focus shows the adaptability of cybercriminal groups but also demonstrates that defenders' activity can have an impact.
"Law enforcement actions often impose costs on cybercriminals, but they will look to lay low, reformulate their schemes, and return once they feel they have a new way to launch attacks," Otto says.
Companies should be aware of updates to the groups behind major malware campaigns and their tactics to be better prepared, he adds. The group behind Trickbot evolved from the Dyre group in 2015 and seems likely to continue that evolution. As the indicators of compromise change, defenders need to recognize that, Otto says.
"Finding evidence of Trickbot," he says, "is often the first sign that attackers are targeting your organization and possibly setting the stage for further attacks."