Microsoft Severely Disrupted the Trickbot Botnet Operations

By Bill Toulas / October 12, 2020

Trickbot was playing with fire recently, actively trying to target systems that are linked with the 2020 Presidential Elections in the United States, so the heat around them was high. As we have seen happen again in the past, Microsoft has managed to figure out what key infrastructure is used by Trickbot and then worked together with telecommunications providers to take it down by seizing it. Thus, the botnet actors can no longer distribute ransomware, trojans, or phishing emails laced with macro-ridden documents to Americans.

Much has changed since Trick first appeared in the cyberspace in 2016. It went from a promising banking trojan to a fully-fledged Malware as a Service (MaaS) platform, building a massive botnet along the way. The modular nature of Trickbot gave it ultimate versatility, while the multi-stage function helped actors evade detection with relatively simple changes like using different wrappers, templates, samples, etc.

Source: Microsoft

With the rise of the Coronavirus outbreak, the Black Lives Matter movement, and now the presidential elections, Trickbot went ecstatic as they could now blend with countless other threats or even legitimate emails using the same themes. In most cases, Word document macros, VBAs, and Java Network Launch Protocol attachments.

Source: Microsoft

Four teams of Microsoft (365 Defender Threat Intelligence, 365 Defender Research, Digital Crimes Unit, and Detection and Response) worked together with Broadcom’s Symantec, ESET, and other companies, to identify the botnet’s key infrastructure without raising any flags. Once they did, they compiled the list with the associated IP addresses that were under the jurisdiction of the Eastern District of Virginia court and convinced the federal judge of the copyright law infringements that should enable them to legally seize that infrastructure.

Related: Trump-Themed Phishing Campaign Demonstrates Hacker Reflexes

Last week, the U.S. Cyber Command had a try against Trickbot, sending bad information to the operators, which however didn’t yield positive results. It is possible that the Cyber Command and the FBI were supporting the tech companies in this latest action, as the FBI has also identified three key members of the Trickbot group, and the indictments are to be unsealed soon.

Does this mean that there will be no more Trickbot? That was certainly a big disruption in the United States, but Trickbot still maintains control points in at least another 20 countries, so the group will now attempt to communicate with US-based infections from elsewhere. It will be hard, and researchers will be watching them, but abandoning the space isn’t likely. Finally, we can’t possibly know how many admins are left besides the three identified by the FBI, which will play a critical role.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: