TrickBot Rises From the Ashes

A quick recap

• Earlier this month, Microsoft, in collaboration with ESET, Lumen’s Black Lotus Labs, NTT Ltd., and others, disrupted the backend infrastructure of TrickBot trojan in an orchestrated operation.
• The operation was carried out just days after the U.S. military’s Cyber Command division carried out its own attack to take control over the attackers.
• The 10-day operation involved stuffed millions of bogus records about new victims into the TrickBot database in a bid to confuse the botnet’s operators.
• However, Microsoft analyzed 61,000 samples of TrickBot malware and identified the IP addresses for the command and control servers to disrupt the trojan.
• Nonetheless, the TrickBot gang managed to rebound after takedown efforts.

TrickBot fights back despite the takedown

• Despite a massive takedown effort, TrickBot bounced back to its usual rapid space.
• In mid-October, Intel 471 researchers saw an update to the TrickBot plugin server configuration file. The update was observed in an Emotet campaign that leveraged spam templates for mass distribution.
• However, researchers claimed that it was short-lived as the trojan could not make a connection with new control servers. Meanwhile, there were a few based in Brazil, Colombia, Indonesia, and Kyrgyzstan that responded to TrickBot bot requests.

Also, TrickBot adds a new variant

• Following the takedown effort, TrickBot’s author moved a portion of the code to Linux to create a new variant of the trojan dubbed ‘Anchor_DNS’.
• The attempt was made to widen the scope of targets according to NetScout.
• As part of the new Anchor toolset, TrickBot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using DNS tunneling, CISA added.

The last straw

• With the healthcare sector already under tremendous pressure from the pandemic, the FBI, along with other federal authorities, had lately issued a warning over TrickBot targeting the sector.
• It is accompanied by another malware named BazarLoader, created by the TrickBot developers.
• According to the advisory, “TrickBot provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”

Bottom line