TrickBot really is on the run after Microsoft, Cyber Command disruption

After some initial doubts, Tuesday brought encouraging signs that a multi-front attempt to dismantle the massive TrickBot botnet in advance of Election Day has taken root, perhaps thanks to an extra push.

In recent weeks, a Pentagon hacking division and a coalition of organizations led by Microsoft took aim at TrickBot, one of the world’s largest armies of zombie computers. Fears that attackers could use the botnet to deploy ransomware and disrupt the 2020 election motivated the takedown bids.

Microsoft said on Tuesday that, as of the start of this week, it had disabled 120 out of 128 command-and-control servers the company identified as part of TrickBot’s infrastructure, good for a 94% takedown rate. Nearly 60 of the 128 sprang up as cybercriminals sought to fortify the botnet’s infrastructure, after which Microsoft said it shut down all but one.

“To be clear, these numbers will change regularly as we expect action we’ve already taken will continue to impact the remaining infrastructure and as we and others continue to take new action between now and the election,” wrote Tom Burt, Microsoft’s corporate vice president for customer security and trust. “This is challenging work, and there is not always a straight line to success. At the same time, we’re pleased with our progress and for several reasons I’m optimistic about the outcomes we can achieve.”

Microsoft’s takedown ran parallel to an operation by Cyber Command, the cyber-offensive wing of the U.S. Department of Defense.

Shortly after news of those operations broke, a number of companies said they saw little evidence that the TrickBot disruption was having a major impact. One of those firms, however, also said Tuesday that there were signs the effort was making a difference.

Intel 471 based its conclusion that the operation was showing “promise” on a look at control servers in a TrickBot sample. None of the servers could respond to TrickBot requests.

“Intel 471 believes disruption operations against Trickbot are currently global in nature and have had success against Trickbot infrastructure,” the company wrote. “Regardless, there still is a small number of working controllers based in Brazil, Colombia, Indonesia and Kyrgyzstan that still are able to respond to Trickbot bot requests.”

Microsoft’s Burt wrote that he was hopeful about ongoing success because since an initial court order, the company has returned to court for additional orders to tackle the regenerated infrastructure. Its coalition of companies has remained dedicated to uncovering more servers, he said. Furthermore, the goal was always to disrupt TrickBot around the election, and those behind the botnet appear dedicated to rebuilding it rather than launching new attacks.

“In fact, we and others have detected the Trickbot operators attempting to use a competing criminal syndicate to drop what were previously Trickbot payloads,” he said. “This is one of many signs that suggests to us that, faced with its critical infrastructure under repeated attack, Trickbot operators are scrambling to find other ways to stay active.”