Trickbot Explained

Trickbot was a trojan for Microsoft Windows and other operating systems.[1] Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem.[2]

Capabilities

Trickbot was first reported in October 2016. It is propagated by methods including executable programs, batch files, email phishing, Google Docs, and fake sexual harassment claims.[3]

The Web site Bleeping Computer has tracked the evolution of TrickBot from its start as a banking Trojan. Articles cover its extension to attack PayPal and business customer relationship management (CRM; June 2017),the addition of a self-spreading worm component (July 2017), coinbase.com, DKIM support to bypass email filters, steal Windows problem history, steal cookies (July 2019), targets security software such as Microsoft Defender to prevent its detection and removal (July 2019), steal Verizon Wireless, T-Mobile, and Sprint PIN codes by injecting code when accessing a Web site (August 2019), steal OpenSSH and OpenVPN keys (November 2019), spread malware through a network (January 2020), bypass Windows 10 UAC and steal Active Directory credentials (January 2020), use fake COVID-19 emails and news (since March 2020), bypass Android mobile two-factor authentication, checks whether it is being run in a virtual machine (by anti-malware experts; July 2020), infecting Linux systems (July 2020).

TrickBot can provide other malware with access-as-a-service to infected systems, including Ryuk (January 2019) and Conti ransomware; the Emotet spam Trojan is known to install TrickBot (July 2020).[4]

In 2021, IBM researchers reported that trickbot had been enhanced with features such as a creative mutex naming algorithm and an updated persistence mechanism.[5]

Infections

On 27 September 2020, US hospitals and healthcare systems were shut down by a cyber attack using Ryuk ransomware. It is believed likely that the Emotet Trojan started the botnet infection by sending malicious email attachments during 2020. After some time, it would install TrickBot, which would then provide access to Ryuk.[6]

Despite the efforts to extinguish TrickBot, the FBI and two other American federal agencies warned on 29 October 2020 that they had "credible information of an increased and imminent cybercrime [ransomware] threat to US hospitals and healthcare providers" as COVID-19 cases were spiking. After the previous month's attacks, five hospitals had been attacked that week, and hundreds more were potential targets. Ryuk, seeded through TrickBot, was the method of attack.[7]

Arrests

In August 2020, the Department of Justice issued arrest warrants for threat actors running the Trickbot botnet. In January 2021, an administrator of the virus distribution component of the Trickbot, Emotet, was arrested in Ukraine. In February 2021, Max (AKA: Alla Witte; Alla Klimova; Алла Климова;) a developer of Trickbot platform and ransomware components, was arrested.[8] [9] [10]

Retaliation

From the end of September 2020, the TrickBot botnet was attacked by what is believed to be the Cyber Command branch of the US Department of Defense and several security companies. A configuration file was delivered to systems infected by TrickBot that changed the command and control server address to 127.0.0.1 (localhost, an address that cannot access the Internet). The efforts actually started several months earlier, with several disruptive actions. The project aims for long-term effects, gathering and carefully analyzing data from the botnet. An undisclosed number of C2 servers were also taken down by legal procedures to cut their communication with the bots at the hosting provider level. The action started after the US District Court for the Eastern District of Virginia granted Microsoft's request for a court order to stop TrickBot activity. The technical effort required is great; as part of the attack, ESET's automatic systems examined more than 125,000 Trickbot samples with over 40,000 configuration files for at least 28 individual plugins used by the malware to steal passwords, modify traffic, or self-propagate.

The attacks would disrupt the TrickBot significantly, but it has fallback mechanisms to recover, with difficulty, computers removed from the botnet. It was reported that there was short-term disruption, but the botnet quickly recovered due to its infrastructure remaining intact.[11] [2] [12]

The US government considered ransomware to be a major threat to the 2020 US elections, as attacks can steal or encrypt voter information and election results, and impact election systems.[11]

On 20 October 2020, a security message on the Bleeping Computer website reported that the Trickbot operation was "on the brink of completely shutting down following efforts from an alliance of cybersecurity and hosting providers targeting the botnet's command and control servers", after the relatively ineffective disruptive actions earlier in the month. A coalition headed by Microsoft's Digital Crimes Unit (DCU) had a serious impact, although TrickBot continued to infect further computers. On 18 October, Microsoft stated that 94% of Trickbot's critical operational infrastructure - 120 out of 128 servers - had been eliminated. Some Trickbot servers remained active in Brazil, Colombia, Indonesia, and Kyrgyzstan. Constant action, both technical and legal, is required to prevent Trickbot from re-emerging due to its unique architecture. Although there was no evidence of TrickBot targeting the US election on 3 November 2020, intense efforts continued until that date.[13]

Notes and References

  1. Web site: Advisory: Trickbot. 2020-10-13. www.ncsc.gov.uk. en.
  2. Web site: 2020-10-12. Trickbot disrupted. 2020-10-13. Microsoft Security. en-US.
  3. Web site: TrickBot Malware Uses Fake Sexual Harassment Complaints as Bait . Gatlan . Sergiu . BleepingComputer . 11 November 2019 .
  4. Web site: Articles tagged with TrickBot . Bleeping Computer . 29 October 2020 . A list of Bleeping Computer articles about TrickBot, with descriptive titles, starting in 2016.
  5. Web site: 2021-02-02. Is It Impossible To Take Down TrickBot Permanently?. 2021-04-14. The Hack Report. en-US.
  6. Web site: UHS hospitals hit by reported country-wide Ryuk ransomware attack . Gatlan . Sergiu . BleepingComputer . 28 September 2020 .
  7. Web site: US hospital systems facing 'imminent' threat of cyber attacks, FBI warns . Staff and agencies . The Guardian . 29 October 2020 .
  8. Web site: Trickbot Gang Arrest – Story of Alla Witte . Hold Security . 2 July 2022 . https://web.archive.org/web/20210608163352/https://holdsecurity.com/news/2021/06/trickbot-gang-arrest-story-of-alla-witte/ . 2021-06-08.
  9. Web site: Seals . Tara . June 8, 2021 . TrickBot Coder Faces Decades in Prison . threat post . 2 July 2022 . https://web.archive.org/web/20210608204121/https://threatpost.com/trickbot-coder-decades-prison/166732/ . June 8, 2021 . en.
  10. Web site: Latvian National Charged for Alleged Role in Transnational Cybercrime Organization . justice.gov . https://web.archive.org/web/20210608222352/https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization . 2021-06-08 . en . 4 June 2021.
  11. Web site: TrickBot botnet targeted in takedown operations, little impact seen . Ilascu . Ionut . BleepingComputer . 12 October 2020 .
  12. News: Greene. Jay. Nakashima. Ellen. Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow confusion in the presidential election. en-US. Washington Post. 2020-10-13. 0190-8286.
  13. Web site: TrickBot malware under siege from all sides, and it's working . Ilascu . Ionut . BleepingComputer . 20 October 2020 .