Skip to content
Naked Security Naked Security

Microsoft on the counter­attack! Trickbot malware network takes a hit

The crooks haven't yet been caught and arrested, but their malware distribution network has been hit hard.

Good news, for a while at least.
Microsoft went to US District Court for the greater good of all of us and came away with a court order permitting it to take over a whole raft of internet servers.
The company was authorised to take over a wide range of IP numbers, effectively ripping them out from under their existing users and repurposing them for use by Microsoft itself.
As you can imagine, the courts don’t take decisions like this lightly, especially if those IP numbers were allocated in good faith for another company to operate its business.
After all, the IP-ripper would be able to shut down some or all of the operations of the IP-rippee just like that, by “blackholing” all the servers so they appeared to have vanished from the internet.
Even more seriously, the ripper could do some sort of selective blackholing, pretending to keep the servers alive to see who came along, potentially reading other people’s emails, taking over login pages, replacing the rippee’s software downloads with competing products, and more.
But these weren’t IP numbers that were being used in good faith by a legimate business.
These were servers that Microsoft had tied back to the operation of a large, long-lived and destructive zombie network known as Trickbot.

Trickbot in the spotlight

Sadly, we’ve had to write about Trickbot many times over the years, as the criminals behind the operation have spammed out wave after wave of deviously constructed emails under a wide variety of guises, all with the ultimate goal of infecting as many victims as possible with zombie malware.
In March 2020, for example, these crooks sent out a sea of messages tapping into early fears about the coronavirus pandemic, falsely telling recipients in Italy that “[b]ecause there are documented infections in your area […] we strongly recommend that you read the document attached to this message!

https://nakedsecurity.sophos.com/2020/03/05/coronavirus-warning-spreads-computer-virus/

In June 2020, the crooks hooked into the momentum of the Black Lives Matter movement, sending out this apparently innocent-looking but malware-infected email:

Sneakily, these crooks were smart enough not to pick a side, not to pile on any pressure, and not to play on emotions such as guilt or fear.
Instead they appealed to anyone and everyone by simply inviting you to have your say by completing a survey in the document and submitting it anonymously.
Except that it wasn’t a survey but a trick to run a program embedded in the document to implant the malware on your computer.
The crooks even went as far to pretend to be helpful, urging you to download an Office update in the background while having your say, and politely warning you that you might incur internet charges if you downloaded the “update” on a metered connection:

Some Office update!
If you proceeded with the “download”, you’d end up co-opted into Trickbot’s zombie network, also known as a botnet (short for robot network, thus the name bot for the malware part), and you’d end up with malware running in the background on your computer.
This zombie malware would regularly “call home” to one or more the Trickbot servers for instructions on what sort of cybercriminality to indulge in next.

https://nakedsecurity.sophos.com/2020/06/11/crooks-hijack-black-lives-matter-to-spread-zombie-malware/

It usually ended in ransomware

As if that weren’t bad enough already, one of the remote commands that computers infected with the Trickbot zombie could receive from its overlords was an instruction to download and launch yet another piece of malware.
For many victims, that command would be “infect yourself with this ransomware and prepare to have all your data scrambled on demand”.
So Trickbot infections often added a destructive insult to an already costly injury, typically ending up in a Ryuk ransomware attack.
Ryuk, named after a character in the manga series Death Note, has similarly been around for several years, and the malware crew behind it were early and enthusiastic adopters of what are now called “human-led” attacks that typically end up in extortion demands that run into millions of dollars.

https://nakedsecurity.sophos.com/2018/12/18/after-samsam-ryuk-shows-targeted-ransomware-is-still-evolving/

By “human-led”, we mean that the ransomware isn’t just left to is own devices to spread and infect once the crooks have a foothold inside your network.
Instead, the criminals take oversight of both the network and the malware, typically ending up with a detailed understanding of your IT systems that they use to find and wipe out your backups, make sure your top-value servers are on the destruction list as well as your laptops, and pick the nastiest possible time to attack.

What will Microsoft’s takedown achieve?

At this point, you might be wondering what a network takedown of a could possibly do to to reign in the operation of a combined zombie/ransomware cybercrime gang of this sort.
Well, as Microsoft puts it:

We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

Simply put, the idea is to do two things:

  • Prevent the download and deployment of Trickbot or any other malware in the first place, thus limiting the number of new infections.
  • Prevent the transfer of malicious commands to any computer that’s already infected, thus leaving it high and dry and unable to do any more damage.

The jargon term for the set of computers disrupted by Microsoft is a C2 network, or C&C network, where C&C is short for command-and-control.
In theory, then, this takedown will greatly reduce the ability of the crooks to get malware onto your computer to start with, and also limit their ability to take over any infected computers even if they are able to zombify them in the first place.
It’s a bit like squashing a gun-running operation by shutting down the supply lines by which the weapons were distributed, and reducing the impact of any guns already in circulation by leaving them with no ammunition to fire in any case.

Is that the end of Trickbot and Ryuk?

Sadly, disruptions of this sort don’t solve the problem at source, not least because the criminals themselves still haven’t been identified and arrested.
But even if the crooks aren’t finished yet, neither is Microsoft:

We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.

Last week, we said a big thanks to ransomware victims who, despite being in deep water themselves, neverthless refused to pay up because they knew that doing so would directly fund future ransomware attacks.
Today, we’re saying thanks to Microsoft for all the effort behind a takedown of this size.


2 Comments

It’s a good news that someone took this initiative. But should the initiative take by government(s) or public organization(s) instead of a “private” company?

Why not both? Microsoft apparently used copyright law, amongst other things, because the crooks were ripping off their code for wildly unlawful purposes. This wasn’t an extra-judicial “counterhack” – it was a court-approved takedown process. The cops would presumably have needed Microsoft to go to the same amount of effort to do this work under the aegis of The People, and law enforcement would presumably have had to stop any criminal investigation for a while in order to make time to proceed with any civil action. Seems like a good division of labour to do it this way, and it might even lawfully collect extra evidence for law enforcement that they don’t have the time or reach (read: funding) to do on their own. Sort of “parallel processing”, if you like.
(And remember that a criminal remedy might turn out to be as good as impossible anyway even if suspects are identified – some jurisdictions don’t extradite their own citizens, at which point, that’s that.)

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?