TrickBot Rises From the Ashes

TrickBot is back in action. This time the operators have returned with more capability and refined tactics for compromising their victims' systems.

A quick recap

  • Earlier this month, Microsoft, working with ESET, Lumen's Black Lotus Labs, NTT Ltd., and others, disrupted the backend infrastructure of the TrickBot trojan in a coordinated operation.
  • The operation came just days after U.S. Cyber Command carried out its own action to interfere with the botnet's operators.
  • That 10-day operation involved stuffing millions of bogus records about new victims into the TrickBot database in a bid to confuse the botnet's operators.
  • Separately, Microsoft analyzed 61,000 TrickBot malware samples to identify the IP addresses of the command-and-control servers targeted in the disruption.
  • Nonetheless, the TrickBot gang managed to rebound after the takedown efforts.

TrickBot fights back despite the takedown

  • Despite the massive takedown effort, TrickBot bounced back at its usual rapid pace.
  • In mid-October, Intel 471 researchers observed an update to the TrickBot plugin server configuration file. The update was seen in an Emotet campaign that used spam templates for mass distribution.
  • Researchers noted, however, that the resurgence was short-lived, as the trojan could not establish connections with the new control servers. Meanwhile, a few servers based in Brazil, Colombia, Indonesia, and Kyrgyzstan did respond to TrickBot bot requests.

TrickBot also adds a new variant

  • Following the takedown effort, TrickBot's authors ported a portion of the code to Linux to create a new variant of the trojan dubbed 'Anchor_DNS'.
  • According to NetScout, the port was intended to widen the range of targets.
  • CISA added that, as part of the new Anchor toolset, the TrickBot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using DNS tunneling.
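DNS tunneling of the kind CISA attributes to Anchor_DNS leaves a recognizable footprint in resolver logs: many distinct, long, high-entropy subdomains under one zone, often carried in TXT queries. The following Python script is an added example, not code from the original article, from CISA, or from the TrickBot authors, and it makes no claim about Anchor_DNS's actual encoding or domains. The log format, the domain names, the sample log lines, and the thresholds are all constructed assumptions; a production detector would replace the fixed two-label zone split with a Public Suffix List lookup and tune the thresholds against its own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (NOT real Anchor_DNS traffic); one query per line:
# "<epoch> <client_ip> <qtype> <qname>". Domain names are placeholders.
SAMPLE_DNS_LOG = """\
1602800001 10.0.0.12 A www.example.com
1602800002 10.0.0.12 AAAA www.example.com
1602800003 10.0.0.12 A cdn.example.org
1602800004 10.0.0.21 TXT 7c1e9a04b3f52d8e6a1c0f9b2d4e7a31.q.tunnel-example.net
1602800005 10.0.0.21 TXT 0b8d3f6a1e29c4d7f5a2b6c8e1d3f4a7.q.tunnel-example.net
1602800006 10.0.0.21 TXT e4a7c2d9f1b3065a8c7d2e9f0a1b3c5d.q.tunnel-example.net
1602800007 10.0.0.21 TXT 5d2f8a1c7e3b9046a1d8c5e2f7b3a9c0.q.tunnel-example.net
1602800008 10.0.0.21 TXT 9a0c4e7b2d6f1358c9e3a7d1f2b5c8e4.q.tunnel-example.net
1602800009 10.0.0.21 TXT 3e6b1d8f4a2c7950d6f1e8b3a5c2d9f7.q.tunnel-example.net
1602800010 10.0.0.12 A mail.example.com
"""

# Assumed log line layout; adapt the regex to the resolver actually in use.
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, suffix_labels=2):
    """Split 'a.b.example.net' into (subdomain 'a.b', zone 'example.net').

    Assumption: the registered zone is the last `suffix_labels` labels. A real
    deployment should use the Public Suffix List instead of a fixed count.
    """
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-suffix_labels:])
    sub = ".".join(labels[:-suffix_labels])
    return sub, zone


def parse_dns_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_dns_tunneling(text, min_unique=5, min_sub_len=30, min_entropy=3.0):
    """Return {zone: summary} for zones whose query pattern looks like a tunnel.

    Heuristics (generic tunnelling indicators, not Anchor_DNS-specific):
      * many distinct subdomains under one zone (each query carries new data),
      * long, high-entropy subdomain text (encoded payload),
      * TXT queries, which give the server a roomy downstream channel.
    A zone is flagged only when the first two indicators both exceed their
    thresholds; the TXT count is reported as supporting context.
    """
    per_zone = defaultdict(lambda: {"subs": set(), "txt": 0, "total": 0, "entropies": []})
    for q in parse_dns_log(text):
        sub, zone = split_qname(q["qname"])
        z = per_zone[zone]
        z["total"] += 1
        if sub:
            z["subs"].add(sub)
            z["entropies"].append(shannon_entropy(sub.replace(".", "")))
        if q["qtype"] == "TXT":
            z["txt"] += 1

    flagged = {}
    for zone, z in per_zone.items():
        if not z["subs"]:
            continue
        unique = len(z["subs"])
        avg_len = sum(len(s) for s in z["subs"]) / unique
        avg_ent = sum(z["entropies"]) / len(z["entropies"])
        if unique >= min_unique and avg_len >= min_sub_len and avg_ent >= min_entropy:
            flagged[zone] = {
                "unique_subdomains": unique,
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_queries": z["txt"],
                "total_queries": z["total"],
            }
    return flagged


if __name__ == "__main__":
    for zone, info in detect_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(zone, info)
```

Run against the constructed log, only tunnel-example.net is flagged: six distinct 34-character hex-like subdomains with roughly 4 bits of entropy per character, all carried in TXT queries, while the ordinary www/mail/cdn lookups under example.com and example.org fall well below every threshold. The per-zone aggregation matters more than any single-query check, because an individual tunnelled query is easy to mistake for a CDN or anti-spam hash lookup.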

The last straw

  • With the healthcare sector already under tremendous pressure from the pandemic, the FBI and other federal authorities recently issued a warning about TrickBot targeting the sector.
  • TrickBot is accompanied by BazarLoader, another malware family created by the TrickBot developers.
  • According to the advisory, “TrickBot provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”

Bottom line

TrickBot is back with a vengeance. A reboot this soon after a significant takedown indicates that the info-stealing malware may again become a serious headache for organizations in the coming days. While TrickBot itself has yet to return to full operation, its operators have already made their presence felt with its sibling, BazarLoader.