Trickbot Network of Over A Million Hijacked Computing Devices Taken Offline

Server cluster in a server room

An international group of tech and other cross-industry companies has disrupted a large network of over a million hijacked computers. The devices had been taken over by cybercriminals and merged into a so-called botnet, forming a network of enslaved devices that can be controlled remotely. Microsoft, ESET and others, discovered various command-and-control servers that controlled these bots. They were granted court permission to disable them.

The Notorious Trickbot Botnet

The botnet that has come under attack is the so-called Trickbot botnet (aka The Trick or TrickLoader). This notorious type of malware started out in 2016 as a banking trojan. Initially, cybercriminals used the malware to capture banking credentials, such as credit card information and online banking logins. The dangerous malware has since evolved.

In the past six months, the amount of Trickbot malware has tripled, according to the German software company G Data. Every couple of minutes, cybercriminals publish a new “sample”. The multifunctional bot is thus loaded with new capabilities, functions and distribution vectors. This has turned the Trickbot into a dangerous and adaptable form of malware. It now can, for example, steal data and passwords, carry out ransomware attacks, spam and spear phishing campaigns, and target election infrastructure.

Companies and large organizations are the most likely targets of Trickbot malware. This is because ransomware attacks in particular can be very rewarding. The Trickbot infrastructure is, for example, a known vehicle to drop Ryuk ransomware on company networks. However, more and more consumers also fall victim to Trickbot’s operators. And just like the new HEH botnet, Trickbot has also already infected a number of IoT devices, thus extending the botnet’s reach into people’s households.

This Time the Attackers are Under Attack

Through a coordinated attempt to stop Trickbot, security researchers of different companies spent many months researching malware samples to discover which servers the botnet was using. According to ESET, the malware’s main module contained an encrypted, hard-coded configuration file. This file catalogued an extensive list of command-and-control (C2) servers that the malware used. Following this discovery, security researchers were able to map Trickbot’s network infrastructure and identify the C2 servers’ precise IP addresses.

In addition to Microsoft and ESET, Lumen’s Black Lotus Labs, Symantec, NTT, and cross-industry service providers from all over the world were also part of this operation. The botnet was stopped in several ways. Earlier in October, Microsoft was granted permission from the courts to take over several servers. “… the court granted us approval to disable IP addresses, make the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

The US military also appears to have played a role in bringing down the botnet. This weekend it became known that the US military’s Cyber Command allegedly carried out attacks on Trickbot. It is not clear whether that operation was in collaboration with the Microsoft led coalition of tech and other companies. The information was received from anonymous sources within the military. The actions of the US Cyber Command “meant to help protect the elections against foreign threats”, officials said. They are part of a whole-of-government approach to secure the US elections.

For the first time, Microsoft invoked copyright in their request to the court. The tech giant successfully argued that the Trickbot operators have infringed the company’s copyright by maliciously using their software code. The cybercriminals use Word documents and Excel files, for example, with malicious macros in them. These documents are then emailed from hijacked inboxes to new potential victims.

“This approach is an important development in our efforts to stop the spread of malware”, Corporate Vice President Tom Burt said. It allows Microsoft to take additional legal action in countries where there is copyright law. Although some of Trickbot’s infrastructure is now shutdown, security researchers know that it is just a matter of time before the operators restore and try to further expand their botnet. “We will work with our partners to monitor their activities and take additional legal and technical steps to stop them”, Tom Burt added.

The actions of Microsoft, ESET and the other companies, combined with the US military’s efforts to take down Trickbot, have severely undermined cybercriminal activities that could disrupt the US presidential elections. In addition to protecting election infrastructure, the takedown of Trickbot infrastructure will protect a wide range of organizations, including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enables.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments.