TrickBot Botnet Targeting Multiple Industries
Summary
Introduction
TrickBot is among the largest malware botnets in the world and ranks among the top 3 most popular
Malware-as-a-Service (MaaS) operations in the cybercrime underworld. It first appeared in 2016 as a
banking trojan meant to steal information and provide backdoor access for spreading other malware.
Key Attributes
According to the coalition representatives, TrickBot had infected more than one million computers at
the time of the planned takedown. Researchers spent months collecting and examining malware,
including servers used for controlling and infecting machines around the world.
Researchers also obtained approval and took action to disable IP addresses, suspend services, and block
efforts by TrickBot operators to purchase more servers. The botnet survived the takedown attempts
coordinated by the tech coalition.
TrickBot is one of the biggest botnets in the world today. The malware was first created as a banking
Trojan in 2016 and was then turned into a multi-function malware downloader that infects systems and
provides access to other criminal gangs via the MaaS model.
During the election, the primary concerns about the malware were its potential to deliver ransomware or
DDoS attacks, which could eventually disable voter registration systems.
TrickBot could also deliver a trojan that targets online banks and send email campaigns to move laterally
within a network. The botnet could scrape login details before ransomware hits the device.
The impact of the coordinated attacks on TrickBot was minimal and, despite these efforts, the command and control
servers that were seized have already been replaced with new infrastructure.
TrickBot operates on a bulletproof hosting system that is unresponsive or slow to react to takedown
attempts, which is likely the reason for its survival.
Researchers successfully asserted in a recent legal precedent that TrickBot was infringing on Microsoft’s
code copyright by copying and using its software development kits (SDKs) for fraudulent purposes. This
legal approach by Microsoft will help with jurisdiction issues when running further takedowns against
TrickBot.
While the TrickBot botnet is a persistent threat that requires continued engagement, disabling TrickBot
temporarily bought the U.S. valuable time to improve defenses. Security researchers noted that
TrickBot botnet attacks have slackened from thousands to hundreds per day.
Insights
According to researchers, TrickBot is a successor to the Dyre banking trojan and was initially designed to steal banking
credentials. Over the years, its operators built the trojan into a substantial botnet.
The botnet was made available as Malware-as-a-Service (MaaS) to cyber criminals, who were given
access to the botnet to use as an entry point for installing reconnaissance tools such as PowerShell Empire,
Metasploit and Cobalt Strike. These tools were then used to exfiltrate data, deploy additional payloads,
steal credentials and, most notably, deploy the Ryuk ransomware. Emotet malware was also observed
serving TrickBot payloads to infected machines.
CYFIRMA, as part of its cyber-threat predictions for 2020, called out that threat actors would
potentially recycle and repurpose existing malware to carry out cyber-attacks. TrickBot, being a
commodity malware, has been leveraged in the past and will continue to be leveraged by
threat actors to launch new sets of attacks to achieve their goals.
Indicators Of Compromise
Note: Kindly refer to the IOCs section to apply controls on your security systems.
Tactical Recommendations
Implement spam filters that can be enabled to recognize and prevent emails from suspicious
sources from ever reaching the inbox of employees.
Train employees to recognize phishing attacks so that they avoid clicking on malicious links. For example,
if the domain of the link to which you are being directed does not match the purported
company domain, then the link is a fake.
Build and undertake safeguarding measures by monitoring/blocking the IOCs, and strengthen
defenses based on the tactical intelligence provided.
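The link-domain check described above, as an added example that is not part of this report: it parses a constructed message body (the sample HTML and the examplebank.com domain are invented for illustration), compares each link's real target with the purported company domain, and also flags links whose visible text names a different domain than the href points to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not taken from the report): the first link's
# visible text shows the bank's domain while its href points to another domain.
SAMPLE_EMAIL_HTML = """<p>Please verify your account at
<a href="http://examplebank.com.account-verify.example.net/login">https://www.examplebank.com/login</a>
or contact <a href="https://support.examplebank.com/help">support.examplebank.com</a>.</p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    # Hostname of a URL or of a bare domain written in link text; '' when none.
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def registered_domain(host):
    """Last two labels of a hostname (approximation; a public-suffix list is more exact)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]

def looks_like_url(text):
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) is not None

def find_suspicious_links(html, purported_domain):
    """Flag links whose target is outside the purported domain or whose visible text names another domain."""
    parser = _LinkCollector()
    parser.feed(html)
    expected, findings = registered_domain(purported_domain), []
    for href, text in parser.links:
        actual, reasons = registered_domain(host_of(href)), []
        if actual != expected:
            reasons.append("target %s is not %s" % (actual, expected))
        if looks_like_url(text) and registered_domain(host_of(text)) != actual:
            reasons.append("visible text shows %s" % registered_domain(host_of(text)))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```

Running `find_suspicious_links(SAMPLE_EMAIL_HTML, "examplebank.com")` flags only the first link, with both reasons; the support link passes because its registered domain matches.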
Strategic Recommendations
Establish Incident Response, Disaster Recovery and Business Continuity plans.
Implement a critical data protection program.
Management Recommendations
Conduct thorough identification and prioritization of cyber risks and critical data through
risk assessments, vulnerability assessments, and system reviews.
Implement prudent systems, processes, and procedures to manage and mitigate risks.
Implement security initiatives effectively, encompassing awareness building and
training across the organization.