TrickBot is back in action. This time the operators have returned with more power and enhanced tactics to disrupt their victims’ systems.
A quick recap
Earlier this month, Microsoft, in collaboration with ESET, Lumen’s Black Lotus Labs, NTT Ltd., and others, disrupted the backend infrastructure of the TrickBot trojan in an orchestrated operation.
The operation came just days after the U.S. military’s Cyber Command carried out its own operation against the botnet’s operators.
That 10-day operation involved stuffing millions of bogus records about new victims into the TrickBot database in a bid to confuse the botnet’s operators.
Microsoft, for its part, analyzed 61,000 samples of TrickBot malware and identified the IP addresses of its command-and-control servers in order to disrupt the trojan.
Nonetheless, the TrickBot gang managed to rebound after takedown efforts.
TrickBot fights back despite the takedown
Despite a massive takedown effort, TrickBot bounced back to its usual rapid pace.
In mid-October, Intel 471 researchers saw an update to the TrickBot plugin server configuration file. The update was observed in an Emotet campaign that leveraged spam templates for mass distribution.
However, researchers claimed that the update was short-lived, as the trojan could not establish a connection with the new control servers. Meanwhile, a few control servers based in Brazil, Colombia, Indonesia, and Kyrgyzstan still responded to TrickBot bot requests.
Also, TrickBot adds a new variant
Following the takedown effort, TrickBot’s author moved a portion of the code to Linux to create a new variant of the trojan dubbed ‘Anchor_DNS’.
According to NetScout, the move was intended to widen the scope of targets.
As part of the new Anchor toolset, TrickBot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using DNS tunneling, CISA added.
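DNS tunneling of the kind attributed to Anchor_DNS above hides command-and-control traffic inside ordinary-looking DNS queries, which is why it is usually caught by traffic heuristics rather than by signatures. The following detector is an added example, not code from the article or from any of the vendors it cites, and it does not decode Anchor_DNS’s actual encoding, which the article does not describe. It runs generic tunneling indicators (long, high-entropy, rarely repeated subdomains sent in volume to one registered domain) over a constructed DNS query log; the log lines, the domain `c2-placeholder.test`, the thresholds, and the two-label domain split are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (client_ip, query_name, record_type).
# These lines are illustrative and are NOT real Anchor_DNS traffic.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "cdn.example.net", "A"),
    ("10.0.0.7", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.c2-placeholder.test", "TXT"),
    ("10.0.0.7", "f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1.c2-placeholder.test", "TXT"),
    ("10.0.0.7", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test", "TXT"),
    ("10.0.0.7", "9a8b7c6d5e4f30211f2e3d4c5b6a7988.c2-placeholder.test", "TXT"),
    ("10.0.0.7", "5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.c2-placeholder.test", "TXT"),
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Production
    code should use the Public Suffix List to handle names like co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunneling(log, min_queries=5, min_unique_ratio=0.8,
                     min_avg_entropy=3.0, min_avg_sub_len=20):
    """Flag (client, domain) pairs whose query pattern looks like a DNS tunnel.

    Thresholds are illustrative assumptions; tune them against your own
    baseline traffic before alerting on them.
    """
    groups = defaultdict(list)
    for client, qname, rtype in log:
        sub, domain = split_name(qname)
        groups[(client, domain)].append((sub, rtype))

    findings = []
    for (client, domain), entries in groups.items():
        if len(entries) < min_queries:
            continue  # too few queries to judge
        subs = [s for s, _ in entries]
        unique_ratio = len(set(subs)) / len(subs)     # tunnels rarely repeat labels
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        txt_share = sum(1 for _, t in entries if t in ("TXT", "NULL", "CNAME")) / len(entries)
        if (unique_ratio >= min_unique_ratio
                and avg_entropy >= min_avg_entropy
                and avg_len >= min_avg_sub_len):
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(entries),
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
                "avg_subdomain_len": round(avg_len, 1),
                "txt_share": round(txt_share, 2),  # context only, not a gate
            })
    return findings


if __name__ == "__main__":
    for f in detect_tunneling(SAMPLE_DNS_LOG):
        print(f"possible DNS tunnel: {f['client']} -> {f['domain']} "
              f"({f['queries']} queries, entropy {f['avg_entropy']})")
```

The three gates (volume, uniqueness, entropy plus length) are applied together because each alone produces false positives: CDNs and anti-spam services also emit long, varied labels, and legitimate clients also resolve many names. The record-type share is reported but deliberately not used as a gate, since a tunnel can ride on A queries alone.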
The last straw
With the healthcare sector already under tremendous pressure from the pandemic, the FBI, along with other federal authorities, recently issued a warning over TrickBot targeting the sector.
It is accompanied by another malware named BazarLoader, created by the TrickBot developers.
According to the advisory, “TrickBot provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”
Bottom line
The tricky TrickBot is back with a vengeance. Its rebound so soon after a significant takedown indicates that the info-stealing malware might again become a serious headache for organizations in the coming days. While it is yet to return to full operation, the operators have already created a storm with TrickBot’s sibling, BazarLoader.