The backend infrastructure of the TrickBot botnet has been taken down by a coalition of tech companies and government agencies, including Microsoft, ESET, NTT, Black Lotus Labs, Symantec, and FS-ISAC.
The takedown is the result of several months of painstaking work involving the analysis of more than 125,000 samples of the TrickBot Trojan by the coalition members, who studied the samples and extracted and mapped information about how the malware operated, how it communicated with victim devices, and how it was updated with additional modules. By studying how the malware communicated with its infrastructure and the mechanisms it used to evade detection, Microsoft was able to identify the IP addresses of the servers used to support the botnet.
ESET reports that its automated platform analyzed the 125,000 malware variants and decrypted around 40,000 configuration files to identify the command and control servers used by the botnet.
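The last step of that pipeline, turning thousands of decrypted configuration files into a list of command and control endpoints, is the kind of aggregation a practitioner would want to see. The script below is an added example written for this page; it is not ESET's or Microsoft's tooling. It assumes a TrickBot-style `<mcconf>` XML layout with a `<gtag>` campaign tag and `<srv>IP:port</srv>` entries, and the sample configs (including one blob that stands in for a failed decryption and entries with a bad hostname and an out-of-range port) are constructed, using RFC 5737 documentation addresses rather than real infrastructure. It parses each config, validates every endpoint, counts how many configs reference each server, records which campaign tags used it, and emits a blocklist ordered by how widely each server is referenced.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample input: decrypted configuration blobs in an assumed
# TrickBot-style <mcconf> layout. Gtags and addresses are illustrative
# (addresses are RFC 5737 documentation ranges), not takedown data.
# The last entry stands in for a blob whose decryption produced garbage.
SAMPLE_CONFIGS = [
    "<mcconf><ver>1000512</ver><gtag>tot123</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>198.51.100.7:449</srv></servs></mcconf>",
    "<mcconf><ver>1000512</ver><gtag>tot123</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>203.0.113.5:443</srv></servs></mcconf>",
    "<mcconf><ver>1000508</ver><gtag>lib71</gtag><servs>"
    "<srv>198.51.100.7:449</srv><srv>not-an-ip:443</srv>"
    "<srv>192.0.2.10:99999</srv></servs></mcconf>",
    "\xff\xfe garbage that did not decrypt",
]


def parse_endpoint(text):
    """Return (ip, port) for a well-formed 'IPv4:port' string, else None."""
    host, sep, port_str = text.strip().rpartition(":")
    if not sep or not port_str.isdigit():
        return None
    port = int(port_str)
    if not 1 <= port <= 65535:
        return None
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None
    return str(ip), port


def parse_config(blob):
    """Parse one decrypted config; return a dict, or None if it is not a config."""
    try:
        root = ET.fromstring(blob)
    except (ET.ParseError, ValueError):
        return None
    if root.tag != "mcconf":
        return None
    gtag = root.findtext("gtag", default="").strip()
    ver = root.findtext("ver", default="").strip()
    servers = []
    for srv in root.iter("srv"):
        endpoint = parse_endpoint(srv.text or "")
        if endpoint is not None:          # silently drop malformed entries
            servers.append(endpoint)
    return {"ver": ver, "gtag": gtag, "servers": servers}


def aggregate(blobs):
    """Count, per C2 endpoint, how many configs reference it and which gtags used it."""
    refs = Counter()
    gtags = defaultdict(set)
    parsed = failed = 0
    for blob in blobs:
        cfg = parse_config(blob)
        if cfg is None:
            failed += 1
            continue
        parsed += 1
        for ip, port in set(cfg["servers"]):   # count each endpoint once per config
            key = f"{ip}:{port}"
            refs[key] += 1
            gtags[key].add(cfg["gtag"])
    return {"parsed": parsed, "failed": failed, "refs": refs, "gtags": dict(gtags)}


def blocklist(blobs, min_refs=1):
    """Endpoints referenced by at least min_refs configs, most-referenced first."""
    summary = aggregate(blobs)
    return [ep for ep, n in summary["refs"].most_common() if n >= min_refs]


if __name__ == "__main__":
    summary = aggregate(SAMPLE_CONFIGS)
    print(f"parsed={summary['parsed']} failed={summary['failed']}")
    for ep in blocklist(SAMPLE_CONFIGS):
        print(ep, summary["refs"][ep], sorted(summary["gtags"][ep]))
```

Counting references per config rather than per `<srv>` entry matters at this scale: one config that lists a server twice should not outweigh forty configs that each list it once, and the `min_refs` threshold gives an analyst a simple way to prioritise servers shared across campaigns (several gtags) over one-off entries.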
After the infrastructure was identified, Microsoft obtained a court order from the U.S. District Court for the Eastern District of Virginia allowing it to take control of the servers used by the malware operators, disable the associated IP addresses, and block communication between the victim devices and the command and control servers.
The operators of the TrickBot Trojan are well-financed and will attempt to rebuild and recover quickly. The coalition partners and others will continue to monitor the activities of the threat group and will try to block their attempts to register new domains and rebuild their infrastructure.
TrickBot first appeared in 2016 and has grown into one of the biggest malware threats of recent years. At the time of the takedown, more than 1 million devices worldwide were known to be infected with the TrickBot Trojan.
TrickBot is a banking Trojan that is most commonly delivered by phishing emails. The malware is also delivered as a secondary payload by the Emotet Trojan, which is itself distributed by phishing emails. TrickBot also acts as a malware downloader and is often used to deliver ransomware payloads such as Ryuk and Conti, as well as information stealers. Infections are not limited to Windows computers: many IoT devices have also been infected with the Trojan.
With more than 1 million infections, the TrickBot botnet was one of the largest in operation. The takedown will help to prevent the spread of ransomware and will also help to protect the upcoming U.S. Presidential election.
Now that devices infected with TrickBot have been identified, Internet Service Providers (ISPs) and CERT teams around the world can start notifying the victims and assisting them with removing the malware.