TrickBot is back in action. This time the operators have returned with more power and enhanced tactics to disrupt their victims’ systems.
A quick recap
- Earlier this month, Microsoft, in collaboration with ESET, Lumen’s Black Lotus Labs, NTT Ltd., and others, disrupted the backend infrastructure of TrickBot trojan in an orchestrated operation.
- The operation was carried out just days after the U.S. military’s Cyber Command division carried out its own attack to take control of the botnet away from the attackers.
- The 10-day operation involved stuffing millions of bogus records about new victims into the TrickBot database in a bid to confuse the botnet’s operators.
- For its part, Microsoft analyzed 61,000 samples of TrickBot malware and identified the IP addresses of the command and control servers, which it then used to disrupt the trojan.
- Nonetheless, the TrickBot gang managed to rebound after takedown efforts.
TrickBot fights back despite the takedown
- Despite a massive takedown effort, TrickBot bounced back to its usual rapid pace.
- In mid-October, Intel 471 researchers saw an update to the TrickBot plugin server configuration file. The update was observed in an Emotet campaign that leveraged spam templates for mass distribution.
- However, researchers claimed that it was short-lived as the trojan could not make a connection with the new control servers. Meanwhile, a few control servers based in Brazil, Colombia, Indonesia, and Kyrgyzstan did respond to TrickBot bot requests.
TrickBot also adds a new variant
- Following the takedown effort, TrickBot’s author moved a portion of the code to Linux to create a new variant of the trojan, dubbed ‘Anchor_DNS’.
- According to NetScout, the move was made to widen the scope of targets.
- As part of the new Anchor toolset, TrickBot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using DNS tunneling, CISA added.
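DNS tunneling of the kind described for Anchor_DNS leaves a characteristic trace in resolver logs: many unique, long, random-looking subdomains under one registrable domain, often with TXT or NULL query types. The script below is an added illustration of that detection logic, not code from the article or from any of the vendors it cites. It runs over a constructed sample log; the zone `c2-placeholder.test` and the client addresses are made up, and the registrable-domain split is a deliberately naive last-two-labels assumption (a real deployment would use the Public Suffix List).

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample resolver log (not real traffic). Fields: timestamp client qname qtype.
# "c2-placeholder.test" is a made-up stand-in for a tunneling domain.
SAMPLE_LOG = """
2020-10-20T10:00:01Z 10.0.0.5 www.example.com A
2020-10-20T10:00:02Z 10.0.0.5 mail.example.com MX
2020-10-20T10:00:04Z 10.0.0.9 api.example.com A
2020-10-20T10:00:05Z 10.0.0.9 cdn.example.com A
2020-10-20T10:00:06Z 10.0.0.7 k3j9q2m7x8v4b1n6z5p0w2r7t9y4u1s8.c2-placeholder.test TXT
2020-10-20T10:00:07Z 10.0.0.7 a8f2d6h1c9e4b7g3m5k0n2p6q1r8s4t7.c2-placeholder.test TXT
2020-10-20T10:00:08Z 10.0.0.7 z1y4x7w2v5u8t3s6r9q0p2o5n8m1l4k7.c2-placeholder.test TXT
2020-10-20T10:00:09Z 10.0.0.7 b5c8d2e6f9g3h7i1j4k0l5m8n2o6p9q3.c2-placeholder.test TXT
2020-10-20T10:00:10Z 10.0.0.7 q7w3e9r1t5y8u2i6o0p4a7s1d5f9g3h6.c2-placeholder.test A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payloads score high, hostnames like 'mail' score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registrable-domain split (last two labels). Assumption: a real deployment
    would consult the Public Suffix List so that zones such as co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[dict]:
    """Parse the four-column log format used by the constructed sample above."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def domain_stats(records: List[dict]) -> Dict[str, dict]:
    """Aggregate per registrable domain: query count, unique subdomains,
    subdomain lengths, subdomain entropies and TXT/NULL query count."""
    stats: Dict[str, dict] = defaultdict(lambda: {
        "queries": 0, "subdomains": set(), "sub_len": [], "entropy": [], "txt": 0})
    for r in records:
        base = registered_domain(r["qname"])
        sub = r["qname"][: len(r["qname"]) - len(base)].rstrip(".")
        flat = sub.replace(".", "")  # payload-bearing part, dots removed
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"].append(len(flat))
        s["entropy"].append(shannon_entropy(flat))
        if r["qtype"] in ("TXT", "NULL"):
            s["txt"] += 1
    return stats


def flag_tunneling(records: List[dict], min_unique: int = 4,
                   min_len: float = 20.0, min_entropy: float = 3.5) -> Dict[str, List[str]]:
    """Return domains whose subdomain pattern looks like a tunneling channel,
    each with human-readable reasons. Thresholds are illustrative starting points."""
    flagged: Dict[str, List[str]] = {}
    for base, s in domain_stats(records).items():
        mean_len = sum(s["sub_len"]) / len(s["sub_len"])
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        if (len(s["subdomains"]) >= min_unique
                and mean_len >= min_len and mean_ent >= min_entropy):
            reasons = [f"{len(s['subdomains'])} unique subdomains",
                       f"mean subdomain length {mean_len:.1f}",
                       f"mean entropy {mean_ent:.2f} bits/char"]
            if s["txt"]:
                reasons.append(f"{s['txt']}/{s['queries']} TXT/NULL queries")
            flagged[base] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunneling(parse_log(SAMPLE_LOG)).items():
        print(domain, "->", "; ".join(reasons))
```

On real traffic, legitimate services (CDNs, anti-spam lookups, some telemetry) also generate hash-like subdomains, so the thresholds above are only a starting point and an allowlist of known-good zones is needed before alerting; the TXT/NULL ratio and a single client issuing the bulk of the queries are the signals most worth weighting when tuning.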
The last straw
- With the healthcare sector already under tremendous pressure from the pandemic, the FBI, along with other federal authorities, recently issued a warning over TrickBot targeting the sector.
- The trojan is accompanied by another piece of malware, BazarLoader, also created by the TrickBot developers.
- According to the advisory, “TrickBot provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”
The tricky TrickBot is back with a vengeance. The reboot in a short span of time, after a significant downfall, indicates that the info-stealing malware might again become a potential headache for organizations in the coming days. While it is yet to come into full action mode, the operators have already created a storm with TrickBot’s sibling, BazarLoader.