A Malware with Nine Lives:The Revitalization of TrickBot

Jun 5

Last year there was a massive campaign orchestrated by Microsoft (along with a long list of partners) to take down the botnet that powers the TrickBot malware. Microsoft was able to directly attack the infrastructure around TrickBot and take out access to Command and Control (C2) servers that allow attackers to run the malware. However, despite this take down, since January of this year Cybersecurity researchers have seen the return of TrickBot with new C2 servers in place and new industries being targeted.

What is TrickBot?

TrickBot malware first tracked in 2016 as a banking Trojan was used primarily against financial institutions. Since then, TrickBot vastly expanded its abilities to include different modules that allow it to run different attacks. TrickBot’s techniques have examples from every MITRE ATT&CK category, including:

· Stealing passwords from storage (T1555)

· Network scanning and spread through SMB exploitation (T1018)

· Communication with command and control servers (TA0011)

· Man in the Browser attacks (T1185)

· Downloading and deployment of additional malware modules (T1105)

TrickBot typically uses spear phishing (T1566.002) and malicious attachments (T1566.001) to infect systems. Once in place, TrickBot reaches out to command-and-control (C2) servers that then download modules to run the various attacks above including the Emotet and Ryuk ransomware. At the time of the initial take down, it was estimated that TrickBot had infected over 1 million devices worldwide.

What makes TrickBot so Popular?

TrickBot is one of the most flexible malware kits available. This is makes it extremely popular with cybercriminals who can use it to execute different infection and attack vectors which allows it to evolve as new security controls are in place. This flexibility also makes it a perfect vehicle to deliver other malware.

The cybercriminals that run the TrickBot malware are able to leverage this flexibility to rent out their services to other cybercriminal gangs. One of the most popular forms of this is using TrickBot to install ransomware, including the Ryuk or Conti ransomware. In this sense, you can think of TrickBot as the delivery vehicle for Ryuk ransomware that is then used to exploit payments out of their targets.

TrickBot is also filling in the hole that was left by the take down of another botnet used for delivering malware, Emotet. Emotet is similar to TrickBot in that it infects system using spear phishing campaigns, establishes C2 communication, and then starts to download additional malware including ransomware. In fact, security researchers have noted instances where TrickBot operators use machine previously compromised by Emotet to load TrickBot on the system which is then used to infect the system with Ryuk or another ransomware.

However, in January of this year, Emotet was taken down as part of operations coordinated between Europol and the FBI along with other police agencies around the world. This over two-year investigation allowed law enforcement agencies to take control of hundreds of servers that were used to run Emotet’s infrastructure. With Emotet currently down, cybercriminals have turned back to TrickBot as a means to compromise machines and deliver malware. This has led to a revitalization of TrickBots C2 infrastructure. Security researchers believe that law firms and insurance companies in particular are currently being targeted in North America.

How do I Mitigate TrickBot?

There are several controls that can help mitigate TrickBot activity or at least minimize the impact of an successful infection. These include:

· Security awareness training users to recognize spear phishing attempts and report them to IT or Security Team for review.

· Add email firewall

· Disable the automatic use of macros in documents. (discuss limiting macro use as well. Mentioned in one of the presentations)

· Ensure that SMB version 1 is disabled and SMB v2 is hardened against lateral attacks.

· Monitor web traffic to ensure that malicious domains or other indicators of C2 traffic are identified.

· Use advance endpoint security software to monitor and detect for TrickBot activity.

· Enable multifactor authentication on accounts.

In addition to these, the Cybersecurity and Infrastructure Security Agency (CISA) released a bulletin on March 21, 2021 containing detection signatures to help find and prevent TrickBot activity. You can find more information here.