The Avengers of security teamed up to try and take down the TrickBot botnet

The backend infrastructure of the TrickBot botnet has been disabled thanks to the work of Microsoft and a coalition of security firms and telecoms.

The software giant's Defender team worked together with FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT and Broadcom's cybersecurity division Symantec to accomplish the feat which took months of preparation.

First spotted in 2016, TrickBot began as a banking trojan and successor to Dyre, then evolved into a modular platform for other malicious activity, including spreading laterally through a network, stealing credentials saved in browsers, stealing cookies and infecting Linux machines.

The malware is usually delivered via email campaigns that leverage current events or financial lures to trick users into opening malicious attachments or following links to websites hosting malicious files. Once a system is infected with TrickBot, the operators use it to install post-exploitation frameworks such as PowerShell Empire, Metasploit and Cobalt Strike, which they then use to steal credentials and gather network configuration information.

Taking down TrickBot

In order to take down the TrickBot botnet, Microsoft, ESET, Symantec and other partners spent months collecting over 125,000 samples of the malware. They then analyzed these samples and extracted and mapped information about how the malware worked including the servers the botnet used to control infected computers.

After collecting this information on TrickBot's inner workings, Microsoft then went to the US District Court for the Eastern District of Virginia where the company asked a judge to grant it control over the botnet's servers. 

Tom Burt, Microsoft's corporate vice president of customer security and trust, explained in a blog post how the company used the court's ruling to disable TrickBot's backend infrastructure:

“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”
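The quoted approach, observing which servers infected hosts repeatedly check in with, is something defenders can replicate on their own network telemetry. The example below is added here and is not code from Microsoft or the takedown partners; it flags host/destination pairs in a constructed firewall log whose connections recur at a near-constant interval, the beaconing pattern a bot shows when polling its command and control server. The log format, hostnames and IP addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Spot periodic C2 beaconing in connection logs.

Added example, not code from Microsoft or the TrickBot takedown partners.
The log lines below are constructed; the addresses are RFC 5737
documentation addresses, not real TrickBot infrastructure.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
# 10.0.0.5 polls 198.51.100.7:443 roughly every five minutes (a beacon)
# and also visits 203.0.113.20 at irregular times (ordinary traffic).
SAMPLE_LOG = """\
2020-10-12T09:00:00 10.0.0.5 -> 198.51.100.7:443
2020-10-12T09:00:07 10.0.0.5 -> 203.0.113.20:443
2020-10-12T09:05:01 10.0.0.5 -> 198.51.100.7:443
2020-10-12T09:09:58 10.0.0.5 -> 198.51.100.7:443
2020-10-12T09:15:02 10.0.0.5 -> 198.51.100.7:443
2020-10-12T09:20:00 10.0.0.5 -> 198.51.100.7:443
2020-10-12T09:11:40 10.0.0.5 -> 203.0.113.20:443
2020-10-12T10:31:09 10.0.0.5 -> 203.0.113.20:443
2020-10-12T09:02:00 10.0.0.9 -> 203.0.113.20:80
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; dst keeps its port."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _arrow, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for pairs that connect at a
    near-constant period.

    min_hits:   fewer connections than this are not enough to judge.
    max_jitter: allowed coefficient of variation (stdev / mean) of the
                gaps between successive connections; real C2 beacons
                usually add a little randomised jitter, so allow some.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def suspected_c2(text, **kw):
    """Destinations (ip:port) that at least one host beacons to."""
    return sorted({dst for (_src, dst) in find_beacons(text, **kw)})


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} beacons to {dst} every ~{period:.0f}s")
```

On the constructed log only the 198.51.100.7:443 pair survives both filters: the 203.0.113.20 traffic is either too sparse or too irregular, even when `min_hits` is lowered. On real telemetry, legitimate pollers (update checks, monitoring agents) will also show up, so treat the output as a candidate list to enrich with reputation data and sample inspection, not as a block list.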

While TrickBot appears to be out of commission for now, the botnet could return: other botnets have survived similar takedown attempts in the past. Only time will tell whether the efforts of Microsoft and its partners were successful, and even if they were, another botnet will likely rise up to take TrickBot's place.

Via ZDNet

Date

14 Oct 2020
