Microsoft Takes Down Trickbot Hacking Operation

Microsoft has conducted another takedown operation against online cyber threats, this time targeting the infamous TrickBot malware.

TrickBot first emerged in 2016 as a banking trojan, but has since received a variety of new modules allowing it to carry out other types of attacks.

Its current capabilities include stealing information, keys and credentials and providing backdoor access for delivering other malware, including ransomware.

TrickBot takedown

Microsoft announced the takedown in a blog post and pointed out that TrickBot has been one of the world’s most persistent malware operations.

“Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure,” Redmond wrote. “As a result, operators will no longer be able to use this infrastructure to distribute the Trickbot malware or activate deployed payloads like ransomware.”

And the criminals behind Trickbot have used real world events to spread malware and ransomware.

In May for example, Microsoft said it had detected TrickBot being spread via a phishing campaign using the coronavirus pandemic as its lure.

But fast forward five months and Microsoft obtained a US court order that allowed it (and telecom operators around the world) to take down a number of internet servers, as well as take over a range of IP numbers, to disrupt the operation.

Microsoft even suggested the TickBot operation could have indirectly affected election infrastructure if allowed to continue.

This is because of one TrickBot’s deliveries includes ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or to third-party software vendors that provide services to election officials.

“As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections,” Microsoft VP of security Tom Burt wrote in a blog post. “Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.”

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Burt. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Other attack vectors

But Sophos warned that while Trickbot has been a major threat, it has found many attackers have shifted to other means of spreading ransomware attacks.

“While Trickbot has been a major threat as part of ransomware attacks in the past, we’ve seen many attackers – including Ryuk, the attacker responsible for the most government-focused ransomware attacks last year – shift to other means of spreading their attacks,” explained Sean Gallagher, senior threat researcher at Sophos.

“Although we’ve seen Trickbot-connected malware as part of these attacks, we’re seeing greater reliance on other malware and tools to carry attacks out – including pirated versions of legitimate ‘offensive security’ tools such as Cobalt Strike,” Gallagher said.

“The linkage between Trickbot-based ransomware attacks and threats to election security is a tenuous one,” said Gallagher. “While any ransomware attack against election infrastructure would cause disruption, we haven’t seen ransomware gangs target election infrastructure, or even local governments, specifically for political effect in the past – they’ve been hit because of phishing attacks that were at most targeted at individuals based on public data, and were otherwise opportunistic. Ransomware poses a threat to *all* organisations, and ransomware operators are motivated by the money, not politics.”

“Moves against Trickbot infrastructure are to be commended, because of the size of the botnets controlled by the Trickbot actors,” Gallagher concluded. “But ransomware attackers’ tactics don’t stand still, and this will likely not have a sizeable impact on the attackers we’ve been tracking.”