Microsoft Takes Down Trickbot Hacking Operation

Microsoft has conducted another takedown operation against online cyber threats, this time targeting the infamous TrickBot malware.

TrickBot first emerged in 2016 as a banking trojan, but has since received a variety of new modules allowing it to carry out other types of attacks.

Its current capabilities include stealing information, keys and credentials and providing backdoor access for delivering other malware, including ransomware.

TrickBot takedown

Microsoft announced the takedown in a blog post and pointed out that TrickBot has been one of the world’s most persistent malware operations.

“Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure,” Redmond wrote. “As a result, operators will no longer be able to use this infrastructure to distribute the Trickbot malware or activate deployed payloads like ransomware.”

And the criminals behind Trickbot have used real-world events to spread malware and ransomware.

In May for example, Microsoft said it had detected TrickBot being spread via a phishing campaign using the coronavirus pandemic as its lure.

But fast forward five months and Microsoft obtained a US court order that allowed it (and telecom operators around the world) to take down a number of internet servers, as well as take over a range of IP addresses, to disrupt the operation.

Microsoft even suggested the TrickBot operation could have indirectly affected election infrastructure if allowed to continue.

This is because one of TrickBot’s payloads is ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or to third-party software vendors that provide services to election officials.

“As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections,” Microsoft VP of security Tom Burt wrote in a blog post. “Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.”

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Burt. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Other attack vectors

But Sophos warned that while Trickbot has been a major threat, it has found many attackers have shifted to other means of spreading ransomware attacks.

“While Trickbot has been a major threat as part of ransomware attacks in the past, we’ve seen many attackers – including Ryuk, the attacker responsible for the most government-focused ransomware attacks last year – shift to other means of spreading their attacks,” explained Sean Gallagher, senior threat researcher at Sophos.

“Although we’ve seen Trickbot-connected malware as part of these attacks, we’re seeing greater reliance on other malware and tools to carry attacks out – including pirated versions of legitimate ‘offensive security’ tools such as Cobalt Strike,” Gallagher said.

“The linkage between Trickbot-based ransomware attacks and threats to election security is a tenuous one,” said Gallagher. “While any ransomware attack against election infrastructure would cause disruption, we haven’t seen ransomware gangs target election infrastructure, or even local governments, specifically for political effect in the past – they’ve been hit because of phishing attacks that were at most targeted at individuals based on public data, and were otherwise opportunistic. Ransomware poses a threat to *all* organisations, and ransomware operators are motivated by the money, not politics.”

“Moves against Trickbot infrastructure are to be commended, because of the size of the botnets controlled by the Trickbot actors,” Gallagher concluded. “But ransomware attackers’ tactics don’t stand still, and this will likely not have a sizeable impact on the attackers we’ve been tracking.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
