Quick Links

In the run-up to the 2020 US election, Microsoft launched an offensive against a prolific botnet called Trickbot. Did they manage to kill the threat? We explain how it panned out.

Bots and Botnets

bot is a computer that has been compromised and infected with malware. The malware performs some action to the benefit of the threat actor. A botnet is a network of bots that work in unison. The more bots there are in the botnet the more computational power it has. It forms a powerful distributed platform computing working on behalf of the threat actors.

Botnets can be used for tasks such as mining cryptocurrencies, performing distributed denial of service attacks, acting as spam farms, to harvest user credentials on a large scale, or to covertly gather information on individuals, networks, and organizations.

The army of bots making up the bot network is controlled from a command and control server often referred to as a C2 server. The C2 server accepts information from the bots and responds by sending them commands to follow. The C2 server can also distribute new malicious payloads or plug-ins that provide new functionality for the malware.

Trickbot

Trickbot could make a good claim for the title of the world's most infamous botnet. It started out life as a banking Trojan in 2016, stealing login credentials to banking and other payment platform accounts. Since then it has received continuous development and has evolved into a sophisticated malware delivery tool that is hired out to other cybercriminals and threat actor groups.

It has infected over one million computing devices since 2016 making it a massive botnet and a powerful commodity for cybercriminals. It presents a major threat to businesses because it has been used as a distribution platform for ransomware such as Ryuk and other big-name, large-scale ransomware operations.

Infections usually stem from an employee falling for a fraudulent email sent to them as part of an email phishing campaign. The email carries a malicious attachment. When the user tries to open the attachment---often masquerading as a PDF or Word file---it downloads and installs Trickbot.

In fact, Trickbot is such a large network of compromised machines that a single C2 server is insufficient. Because of the number of bots and the amount of traffic, and partly because they wanted to build some redundancy into their infrastructure, the Trickbot group was using a staggering 69 C2 servers around the globe.

So what would happen if the Trickbot threat actors lost access to all their C2 servers?

Microsoft's Offensive Against Trickbot

In October 2020, Microsoft and selected partners and hosting companies started to work together to identify and eliminate Trickbot's C2 servers.

Microsoft's initial analysis identified 69 core C2 servers that were crucial to Trickbot's operations. They disabled 62 of them immediately. The other seven were not dedicated Trickbot servers, they were infected Internet of Things (IoT) devices belonging to innocent victims.

The IoT devices had been hijacked by Trickbot. Stopping those devices from behaving as C2 servers required a little more finesse than was used to deny the other C2 servers from having a hosting base. They had to be disinfected and returned to normal duty instead of just being brought to a shuddering halt.

As you'd expect, the Trickbot gang scrambled to get replacement servers launched and operational. They created 59 new servers. These were rapidly targetted by Microsoft and its allies and all but one of these---as of 18 Oct. 2020---was disabled. Including the original 69 servers, 120 out of 128 Trickbot servers have been disabled.

How They Did It

In October 2020, Microsoft obtained a US court order allowing it and its partners to disable IP addresses used by the TrickBot C2 servers. They made both the servers themselves and their contents inaccessible to the Trickbot operators. Microsoft worked globally with telecommunication providers and industry partners including the Financial Services Information Sharing and Analysis Center (FS-ISAC), ESETLumenNTT, and Symantec.

Microsoft's Tom Burt (Corporate Vice President, Customer Security & Trust)  says Microsft can identify a new Trickbot server, figure out who the hosting provider is, straighten out the legal requirements for them to bring down the server, and then actually disable the server in less than three hours. For instances in territories where they have already closed down a C2 server, some of this can be fast-tracked because the legalities are either already in place or the process is now well understood. Their record for taking down a new C2 server is less than six minutes.

The Microsoft team continues to work with Internet Service Providers (ISPs) and national Computer Emergency Response Teams (CERTs) to help organizations clean infected computers.

So is Trickbot Dead?

It's too early to call. The infrastructure behind the malware is certainly in a poor state of health. But Trickbot has re-invented itself several times in the past. It might have done that already. Security researchers have detected a new type of malware backdoor and downloader that has code-level similarities to the Trickbot malware. The attribution for the new malware---dubbed Bazar or BazarLoader---leads straight to the Trickbot gang's door. It seems likely they were already working on a next-generation attack tool before the Microsoft offensive started.

BazarLoader uses email phishing campaigns to initiate infections but, unlike the Trickbot phishing emails, they don't carry an attachment. Instead, they have links purporting to download or open documents in Google Docs. Of course, the links take the victim to fraudulent, lookalike web sites. The content of the phishing emails has been bogus information related to topics as varied as employees' payrolls and COVID-19.

Bazar is designed to be even stealthier than Trickbot, using blockchain encryption to mask C2 server domain URLs and Domain Name System (DNS) domains. This new variant has already been seen distributing Ryuk ransomware, which historically has been a well-known customer of Trickbot. Perhaps the Trickbot group has transitioned one or more of their customers to their new product already?

Things Are Going to Get Bazar

Because Trickbot evolved from its Trojan roots to becoming an extensible cybercrime platform for hire, adding new functionality to Trickbot can be achieved relatively easily. The threat actors write a new plug-in and download it from the C2 servers to the botnet machines. A new plug-in was detected in December 2020. There's at least some life in the old malware if it is still getting new functionality.

The new plug-in allows Trickbot to perform a Unified Extensible Firmware Interface (UEFI) bootkit attack. The UEFI attack makes Trickbot much harder to remove from infected machines, even surviving complete hard drive swap-outs. It also allows the threat actors to brick a computer by scrambling its firmware.

So Trickbot might be fading away, but the group behind Trickbot is ready to deploy its new malware platform, Bazar. Microsoft and their allies certainly hurt Trickbot. With Trickbot rendered almost inoperable, the Trickbot group's customers will have been bringing pressure to bear on them to deliver illegal services that they had paid for.

And when your customers include such luminaries as North Korea's state-sponsored advanced persistent threat group (APT) Lazarus you're going to need some good answers to some hard questions about your service level agreement and customer service. This may be what led the Trickbot group to temporarily out-source some of their services to another cybercriminal group, to try to maintain some sort of operational capability.

Don't Join The Botnet Army

Regardless of how sophisticated Trickbot and Bazar may be, they are only effective if they are able to infect computers to swell the ranks of their botnet army. The key to avoiding conscription is being able to spot the phishing emails, and deleting them instead of falling for them.

Staff cyber security awareness training is key here. They receive emails all day every day. They need to be thinking defensively all the time. These points will help identify phishing emails.

  • Be suspicious of things that are out of the ordinary. Have you ever had an email from the payroll department containing links to Google Docs before? Probably not. That should raise your suspicions straight away.
  • Has the email been sent to you, or are you one of many recipients? Does it make sense that this type of email should go to a wider audience?
  • The text in a hyperlink can be made to say anything, That is no guarantee the link will actually take you there. Hover your mouse pointer over any links in the body of the email. In an email application, a tooltip will appear with the actual link destination in it. If you are using a webmail client the decoded link destination will be displayed somewhere, usually at the bottom left-hand corner of the browser window. If the link destination looks at all suspicious, don't click it.
  • Is the grammar in the email correct? Does the email strike the right tone and use the turn of phrase that you would expect in that type of communication? Spelling mistakes and bad grammar should be taken as warning signs.
  • Do logos, footers, and other elements of corporate livery appear to be genuine? Or do they look like low-quality copies that have been grabbed from elsewhere?
  • No bona fide organization will ever ask for passwords, account details, and other sensitive information.

As always, prevention is better than cure.