In the run-up to the 2020 US election, Microsoft launched an offensive against a prolific botnet called Trickbot. Did they manage to kill the threat? We explain how it turned out.
Bots and botnets
A bot is a computer that has been compromised and infected with malware. The malware acts on behalf of the threat actor. A botnet is a network of bots that work together. The more bots there are in the botnet, the more computing power it has. It is a powerful distributed computing platform that works on behalf of the threat actors.
Botnets can be used for tasks such as mining cryptocurrencies, conducting distributed denial of service attacks, acting as spam farms, collecting user credentials on a large scale, or covertly collecting information about individuals, networks and organizations.
The army of bots that make up the bot network is controlled from a command and control server often referred to as a C2 server. The C2 server accepts information from the bots and responds by sending them commands to follow. The C2 server may also distribute new malicious payloads or plug-ins that provide new functionality for the malware.
Trickbot could well lay claim to the title of the world
Since 2016, it has infected more than a million computers, turning them into a massive botnet and a powerful commodity for cybercriminals. It is a major threat to businesses because it has been used as a distribution platform for ransomware such as Ryuk and other large-scale ransomware operations.
Infections usually arise from an employee falling for a fraudulent email sent as part of a phishing campaign. The email contains a malicious attachment. When the user tries to open the attachment – often disguised as a PDF or Word file – Trickbot is downloaded and installed.
In fact, Trickbot is such a large network of compromised machines that a single C2 server is not enough. Due to the number of bots and the amount of traffic, and in part because they wanted to build some redundancy into their infrastructure, the Trickbot group used as many as 69 C2 servers around the world.
So what would happen if the Trickbot threat actors lost access to all of their C2 servers?
Microsoft’s offensive against Trickbot
In October 2020, Microsoft and selected partners and hosting companies began working together to identify and eliminate Trickbot’s C2 servers.
Microsoft’s initial analysis identified 69 core C2 servers that were critical to Trickbot’s operations. They immediately took out 62 of them. The other seven weren’t dedicated Trickbot servers; they were infected Internet of Things (IoT) devices belonging to innocent victims.
The IoT devices had been hijacked by Trickbot. Stopping them from acting as C2 servers required a little more finesse than cutting off the hosting of the other C2 servers. They needed to be disinfected and returned to normal use rather than simply being shut down.
As you’d expect, the Trickbot gang rushed to get replacement servers launched and up and running. They have created 59 new servers. These were quickly attacked by Microsoft and its allies and all but one were – as of October 18, 2020 – disabled. Including the original 69 servers, 120 of the 128 Trickbot servers are down.
How they did it
In October 2020, Microsoft obtained a US court order allowing it and its partners to disable IP addresses used by the Trickbot C2 servers. They made both the servers themselves and their content inaccessible to the Trickbot operators. Microsoft worked with telecommunications providers and industry partners worldwide, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), ESET, Lumen, NTT and Symantec.
Microsoft’s Tom Burt (Corporate Vice President, Customer Security & Trust) says Microsoft can identify a new Trickbot server, find out who the hosting provider is, satisfy the legal requirements for them to shut down the server, and then actually get the server turned off in less than three hours. In jurisdictions where they have already shut down a C2 server, some of this can be sped up because the legal basis is already in place or the process is now properly understood. Their record for shutting down a new C2 server is less than six minutes.
The Microsoft team continues to work with Internet Service Providers (ISPs) and National Computer Emergency Response Teams (CERTs) to help organizations clean up infected computers.
So is Trickbot Dead?
It’s too early to call. The infrastructure behind the malware is certainly in bad shape. But Trickbot has reinvented itself several times in the past. Maybe it already has. Security researchers have discovered a new malware backdoor and downloader that has code-level similarities with the Trickbot malware. The attribution for the new malware – called Bazar or BazarLoader – leads straight to the door of the Trickbot gang. It seems likely they were already working on a next-generation attack tool before Microsoft’s offensive started.
BazarLoader uses email phishing campaigns to initiate infections, but unlike the Trickbot phishing emails, they do not contain an attachment. Instead, they have links claiming to download or open documents in Google Docs. The links naturally lead the victim to fraudulent, lookalike websites. The content of the phishing emails is bogus information related to topics as varied as employee payrolls and COVID-19.
Designed to be even more covert than Trickbot, Bazar uses blockchain encryption to mask C2 server domain URLs and Domain Name System (DNS) domains. This new variant has already spread Ryuk ransomware, whose operators have historically been known Trickbot customers. Maybe the Trickbot group has already transitioned one or more of their customers to their new product?
Things are going to get Bazar
As Trickbot has evolved from its Trojan origins into an extensible cybercrime platform available for rent, new functionality can be added to it relatively easily. The threat actors write a new plug-in and push it from the C2 servers down to the botnet machines. A new plug-in was detected in December 2020. At least there is some life left in the old malware if it is still getting new functionality.
The new plug-in allows Trickbot to perform a Unified Extensible Firmware Interface (UEFI) bootkit attack. The UEFI attack makes Trickbot much more difficult to remove from infected machines: it even survives a complete hard drive swap. It also allows the threat actors to brick a computer by encrypting its firmware.
So Trickbot may be fading, but the group behind Trickbot is ready to deploy its new malware platform, Bazar. Microsoft and their allies have certainly hurt Trickbot. Now that Trickbot has become nearly useless, the Trickbot group’s customers will put pressure on them to deliver the illegal services they paid for.
And when your customers include such greats as North Korea’s state-sponsored Advanced Persistent Threat Group (APT) Lazarus, you need good answers to some tough questions about your service level agreement and customer service. This may be the reason that the Trickbot group is temporarily outsourcing some of their services to another cybercriminal group, to try and maintain some sort of operational capability.
Do not join the Botnet army
No matter how advanced Trickbot and Bazar are, they are only effective if they can infect computers to bolster the ranks of their botnet army. The key to avoiding conscription is to be able to spot the phishing emails and delete them instead of falling for them.
Cybersecurity awareness training for staff is central here. They receive emails every day, so they have to think defensively all the time. These points help identify phishing emails.
- Be on the lookout for things that are not normal. Have you ever received an email from payroll with links to Google Docs before? Probably not. That should immediately raise your suspicions.
- Was the email sent to you or are you one of many recipients? Does it make sense that this type of email should go to a wider audience?
- The text of a hyperlink can say anything. That is no guarantee that the link will actually take you there. Hover your mouse pointer over each link in the body of the email. In an email application, a tooltip will appear showing the actual link destination. If you are using a webmail client, the actual link destination will be displayed somewhere, usually in the lower left corner of the browser window. If the link destination looks suspicious, don’t click on it.
- Is the grammar in the email correct? Does the email strike the right tone and use the phrasing you would expect in that type of communication? Spelling mistakes and bad grammar should be taken as warning signs.
- Do logos, footers and other corporate color elements look real? Or do they look like low-quality copies obtained from elsewhere?
- No bona fide organization will ever ask for passwords, account details or other sensitive information by email.
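The hover-over-the-link check above can also be automated at the mail gateway. The following is an added example, not code from the article or from any of the vendors it names: it parses an HTML email body, compares each link’s visible text with its real destination, and flags links that claim to open a Google Docs document (the lure the article attributes to BazarLoader) while actually pointing at a non-Google host. The sample email body and the trusted host list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes: a "payroll" lure whose
# visible text promises a Google Docs link but whose href goes to a lookalike host.
SAMPLE_EMAIL_HTML = """
<p>Hi, the updated payroll schedule is ready.</p>
<p><a href="http://docs-google.com.example-payroll.net/view">
  https://docs.google.com/document/d/payroll-2020</a></p>
<p><a href="https://docs.google.com/document/d/abc123">Open in Google Docs</a></p>
"""

# Assumed allow-list: hosts a genuine Google Docs link is expected to use.
TRUSTED_HOSTS = {"docs.google.com", "drive.google.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so newlines inside the anchor do not matter.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html):
    """Return the hrefs whose visible text does not honestly describe their destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = text.lower()
        # Case 1: the visible text is itself a URL, but its host differs from the real one.
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        mismatch = shown_host is not None and shown_host != host
        # Case 2: the label invokes Google Docs while the real host is not a Google host.
        claims_google = "google" in shown and host not in TRUSTED_HOSTS
        if mismatch or claims_google:
            flagged.append(href)
    return flagged
```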
As always, prevention is better than cure.