
Security Firms & Financial Group Team Up to Take Down Trickbot

Microsoft and security firms ESET, Black Lotus Labs, and Symantec collaborated with the financial services industry to cut off the ransomware operation's C2 infrastructure.

Technology and security companies teamed up with the financial services and telecommunications industries to disrupt the command-and-control (C2) infrastructure used to manage the well-known Trickbot ransomware operation, which has infected more than a million computing devices, the firms behind the takedown said on Monday.

Microsoft worked with security researchers from ESET, Lumen's Black Lotus Labs, and Broadcom's Symantec to identify key components of Trickbot's C2 and sever the operators' ability to connect to infected systems. The companies worked with the Financial Services Information Sharing and Analysis Committee (FS-ISAC) to obtain a court order that allowed telecommunications firms to shut down the servers on which the operation relied.


The group believes its efforts will hobble the botnet's operations and make efforts to reinfect systems much more difficult, says Jean-Ian Boutin, head of threat research at security firm ESET.

"By trying to disrupt the normal operations of the Trickbot botnet, we hope that it will result in a decrease in the offering of potential ransomware victims," he says. "As Trickbot was a platform for cybercriminals to pick their next ransomware target, by making it unavailable we hope to see a decrease in these devastating attacks."

Trickbot is a modular infection platform that has been distributed through phishing and by other malware, such as Emotet, that installs Trickbot on systems it has already compromised. ESET, for example, collected 28 different plug-in modules for the platform that, among other things, collect credentials, modify network traffic, and spread to other systems.

Once on a system, Trickbot has often been used as a banking Trojan, stealing victims' credentials and using them to gain access to banks. The software also often uses web injects, a technique that allows the attacker to control what a victim sees while on a particular site. An infected system, for example, may not display the victim's true banking balance but instead display the balance the attacker wants them to see.

In March, Trickbot's operators switched their focus from attacks on financial institutions to ransomware. The Ryuk ransomware — which infected a number of cities, healthcare facilities, and schools — is often installed by Trickbot.

"The criminal gang behind Trickbot has regularly updated its malicious software, adding modules with new functionality to increase its effectiveness and potential to cause harm," researchers from Black Lotus Labs, a part of enterprise technology company Lumen, said in their analysis. "They have incorporated tools such as Mimikatz and Cobalt Strike — often used by penetration testers and criminal attackers — to map victim networks, steal operating system credentials, and spread inside organizations."

Microsoft and the FS-ISAC were the plaintiffs in the civil case against the Trickbot operators. The software giant had concerns that the platform could be used to attack election sites and machinery ahead of the US presidential election.

"As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections," Tom Burt, corporate vice president of customer security and trust for Microsoft, said in a blog post. "Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust." 

Microsoft analyzed 61,000 samples of the Trickbot malware. Other companies lent their analyses to the effort as well. The ransomware platform has widely used COVID-themed phishing attacks to convince users to click on malicious links or open malicious attachments, Microsoft said.

Monday's action followed Microsoft and the FS-ISAC suing the Trickbot operators in the United States District Court for the Eastern District of Virginia, which granted their request for a court order to take down the servers at specific IP addresses identified by the companies' investigation. 

"This action also represents a new legal approach that our [Digital Crimes Unit] is using for the first time," Microsoft stated in its blog post. "Our case includes copyright claims against Trickbot's malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place."

Civil lawsuits have become the focus of Microsoft's efforts to stop massive cybercriminal operations. While the participants in the latest takedown hope to see the criminals behind the malicious program prosecuted, the perpetrators often do not face justice.

For companies, the best steps to take are defensive, says ESET's Boutin, who published his own analysis of the operation.

"The best way to protect your organization is to not get compromised in the first place," he says. "A typical infection vector for malware families like Trickbot, that are known to drop ransomware, is malicious emails. On top of endpoint security, hardening security of email systems so that they can detect malicious emails before they arrive in the target's inbox is a good investment." 

Microsoft fully expects the Trickbot operators to make a comeback, albeit slowly.

"We fully anticipate Trickbot's operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them," Microsoft stated.
