The TrickBot botnet appears to have resumed normal operation just a few days after Microsoft announced that it had legally disrupted the botnet's infrastructure.
On October 12, Microsoft and several partners announced that they had disrupted TrickBot's infrastructure by legally blocking IP addresses, rendering its servers unavailable and interrupting services used by the botnet. Efforts were also made to prevent the operators from registering new infrastructure.
However, just three days after the announcement, security researchers at Intel 471 found that the botnet was back online, despite the disruption attempt by Microsoft and the efforts of U.S. Cyber Command to hack TrickBot's servers.
On October 14, the Emotet botnet started distributing malicious Word documents that download and execute a copy of Emotet. According to the researchers, the Emotet bots were instructed to search the victims' machines and drive over them with the robot shredder.
Intel 471 also notes that the TrickBot plugin server configuration file received an update that added fifteen server addresses and kept two old servers along with the .onion server address.
According to the researchers, the change was likely implemented as a workaround to keep the botnet infrastructure operational.
The fact that TrickBot has resumed normal operation despite all the efforts of U.S. Cyber Command and Microsoft shows how resilient TrickBot is and how much more effort is needed to disable the botnet completely and permanently, Intel 471 said.
Researchers who observed the botnet for several months concluded that the TrickBot operators have the kind of IT support every legitimate business needs, including automated provisioning, backups, continuity planning, and a dedicated team that allows them to respond quickly to incidents.
"A decade ago, it was much easier to completely take over or significantly damage a botnet, but cybercriminals are students of disruption efforts and have learned how to make their operations more resistant to them. Therefore, any disruption attempt has a certain potential to give something away to the adversary. It teaches them where the weaknesses in their armour are, and they have a development team ready to respond to that information. So if you don't hit them with a deadly blow, you won't hit them in time," said Jason Passwaters of Intel 471.
According to the researchers, multiple coordinated efforts are required to take TrickBot down for good. Multinational law-enforcement support aimed at arresting the operators, disabling the core botnet infrastructure, and close cooperation between governments and the private sector on clean-up are essential for success.
Ionut Arghire is the international correspondent for SecurityWeek.