TrickBot survives Microsoft and other tech companies’ initiated takedown

Microsoft and other companies tried to take down the infamous TrickBot botnet

Tech companies participated in the takedown of TrickBot botnet.

Microsoft announced^[1] that joint efforts with several other tech companies finally helped to take down the TrickBot botnet. Even though temporarily, cybercrime got stopped. The TrickBot malware managed to reach more than a million computers since 2016 by organizing ransomware attacks with a Russian-based network of devices.

The joint collaboration of Microsoft's Defender^[2] team, ESET,^[3] FS-ISAC,^[4] NTT, Lumen's Black Lotus Labs,^[5] and Broadcom's cyber-security division Symantec^[6] was not short. Companies spent months collecting TrickBot malware samples, analyzing the content, and extracting, mapping information about the ransomware's inner workings. Cybersecurity specialists collected more than 186,000 samples and managed to analyze all information hoping it would help the US Government take down the notorious TrickBot botnet.

After tech companies found enough information this month, Microsoft went to court and asked to grant it control over TrickBot servers.^[7] Microsoft explained:^[1]

With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

Computer emergency readiness teams (CERTs) and internet service providers (ISPs) are now trying to notify all infected users. Even though this was a failed takedown attempt, a new legal precedent gets set. Microsoft argued in court and based their case on findings and legal moves.

The TrickBot – one of the biggest botnets in the world

This botnet started working in 2016. In the beginning, TrickBot started with a banking trojan, but soon it shifted to a multi-purpose malware downloader that tried to infect systems and provided access to other cybercriminals groups using the MaaS (Malware-as-a-Service) business model.

Even though TrickBot botnet, together with Emotet, has been one of the most active MaaS platforms that often rented access to infected devices to ransomware gangs, TrickBot was also engaged in other activities. Also, TrickBot provided access to corporate networks for industrial espionage gangs, BEC scammers, and nation-state cybercriminals.

Microsoft explained that TricBot was typically delivered via email campaigns that used financial lures or current events to entice users to open malicious file attachments or click URLs to websites hosting the malicious files.^[2]

Of course, TrickBot used other methods too. For example, the malware was also deployed through lateral movement via Server Message Block (SMB) or as a second-stage payload of another botnet called Emotet.

Microsoft achieved a different goal with their takedown attempt

Trickbot disruption efforts ended in the temporary takedown, but companies knew that these servers would not be disabled forever. Microsoft and partners aimed to damage the reputation of these malicious actors among other cybercrime gangs.

The company successfully argued that in court, even though the takedown is not permanent. This approach focused on the misuse of Windows SDK code is easy to prove and argue. This also serves as a legal move from the Microsoft end when going after malware gangs. This will be the new legal precedent and the argument that Microsoft most likely will use in later cases while taking malware down.

Security experts say that people should always think twice before downloading any suspicious email attachment or installing unofficial software.