ESET researchers have participated in a global operation to disrupt the Trickbot botnet, which has, since 2016, infected over a million computing devices. Along with partners Microsoft, Lumen’s Black Lotus Labs Threat Research, NTT and others, the operation impacted Trickbot by tanking their command and control servers. ESET contributed to the effort with technical analysis, statistical information, and known command and control server domain names and IPs. Trickbot is known for stealing credentials from compromised computers and, more recently, has been observed mostly as a delivery mechanism for more damaging attacks, such as ransomware.
ESET Research has been tracking its activities since its initial detection in late 2016. In 2020 alone, ESET’s botnet tracker platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different Trickbot modules, giving an excellent viewpoint of the different C&C servers used by this botnet.
“Over the years we’ve tracked it, Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets out there. Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” explains Jean-Ian Boutin, Head of Threat Research at ESET.
Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.
One of the oldest plugins developed for the platform allows Trickbot to use web injects, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites. “Through our monitoring of Trickbot campaigns, we collected tens of thousands of different configuration files, allowing us to know which websites were targeted by Trickbot’s operators. The targeted URLs mostly belong to financial institutions,” adds Boutin.
“Trying to disrupt this elusive threat is very challenging as it has various fallback mechanisms, and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex,” concludes Boutin.