Microsoft said it has eliminated 94% of Trickbot's operational infrastructure in an ongoing battle to disrupt the notorious botnet, according to a blog post on Tuesday.
While threat researchers reported a return of Trickbot activity following Microsoft's legal takedown last week, Tom Burt, Microsoft's corporate vice president of customer security and trust, published an update stating success in disrupting the malicious botnet. By taking Trickbot (a malware-as-a-service tool used to deploy ransomware) offline, Microsoft looked to make it difficult for its operators to enable ransomware attacks, which are a persistent threat. According to the blog post, while new servers continue to pop up, the software giant's efforts have blocked a spike in activity and have made it increasingly difficult for Trickbot to return to normal operations.
"As of Oct. 18, we've worked with partners around the world to eliminate 94% of Trickbot's critical operational infrastructure including both the command-and-control servers in use at the time our action began and new infrastructure Trickbot has attempted to bring online," Burt wrote in the blog post.
In addition to the percentage, Burt highlighted the speed at which Microsoft is taking down servers.
"We have identified new Trickbot servers, located their respective hosting provider, determined the proper legal methodology to take action, and completely disabled those servers in less than three hours. Our global coordination has allowed a provider to take quick action as soon as we notify them -- in one case, in less than six minutes," Burt wrote in the blog post.
According to Burt, Microsoft initially identified 69 servers around the world that were core to Trickbot's operations and disabled 62 of them.
"The seven remaining servers are not traditional command and control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled," Burt wrote in the blog post. "In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world."
Threat intelligence vendor Intel 471 has tracked Trickbot's activity amid two takedown efforts: Microsoft's legal takedown, which used copyright claims against Trickbot operators, and a technical takedown, which pushed altered configuration files to Trickbot-infected machines to disrupt their communications with command-and-control servers. The technical takedown has been attributed to U.S. Cyber Command, though the U.S. government hasn't officially commented.
While Intel 471 has observed new Trickbot activity after the takedowns, the company released a new report Tuesday, titled "Global Trickbot disruption operation shows promise," which found that the most recent Trickbot sample could not connect to any of its intended command-and-control servers.
"Intel 471 believes disruption operations against Trickbot are currently global in nature and have had success against Trickbot infrastructure," the blog post said. "Regardless, there still is a small number of working controllers based in Brazil, Colombia, Indonesia and Kyrgyzstan that still are able to respond to Trickbot bot requests."
In a follow-up statement to SearchSecurity, Intel 471 CEO Mark Arena said, "The issue for the Trickbot operators isn't so much with the configuration files themselves, but the access Cyber Command has to do other things that could impact their operations. Altering the configuration files is just one option of likely many options they could do that could impact the operations of Trickbot."
In the blog post Tuesday, Burt made it clear that the results from the takedown effort will change regularly.
"This is challenging work, and there is not always a straight line to success," Burt wrote in the blog post.
Microsoft declined to comment.
UPDATE 11/10: In a new report Tuesday, Intel 471 determined there have been no new Trickbot infection campaigns as of Friday. However, that does not mean the operators behind the botnet have ceased activity; Intel 471 analysts believe the threat actors merely replaced it with another ransomware dropper: BazarLoader. According to the report, security researchers along with the U.S. Cybersecurity and Infrastructure Security Agency have observed a recent resurgence of incidents involving Ryuk ransomware, which is often connected to Trickbot. Both Trickbot and BazarLoader are used in the initial stages of a ransomware attack, typically to deploy Ryuk.
"BazarLoader is linked to the Trickbot operators in many ways, including shared infrastructure and code similarities. This indicates the actors linked to Trickbot continue to launch targeted ransomware attacks successfully despite the disruption of the Trickbot infrastructure," Intel 471 wrote in the blog post. "It was unclear whether the Trickbot operators will return to using Trickbot or will completely move to BazarLoader as a replacement."
In an update to the report, Intel 471 said it observed on Monday a new version of Trickbot that was distributed through a spam campaign. The company said it is unable to assess the long-term impact of the disruption on Trickbot.