Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces to take down the command-and-control infrastructure of the infamous TrickBot botnet, one of the largest botnets in operation.
The joint operation was undertaken after the US District Court for the Eastern District of Virginia granted the coalition’s request to halt TrickBot’s operations.
This development comes after US Cyber Command carried out its own campaign to hamper TrickBot’s spread, over concerns that ransomware attacks could target voting systems ahead of the presidential election next month.
Microsoft and the partner companies analyzed more than 186,000 TrickBot samples and used them to map the malware’s command-and-control (C2) infrastructure, identifying the IP addresses of the C2 servers used to communicate with victim machines as well as the tactics, techniques, and procedures (TTPs) the operators applied to evade detection.
The court authorized the coalition to disable those IP addresses, render the content stored on the C2 servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers.
The security firms said that the TrickBot botnet had infected more than one million devices at the time of its takedown.
TrickBot started as a banking Trojan in late 2016 and then evolved into a Swiss Army knife that could steal sensitive information and drop ransomware and post-exploitation toolkits on compromised devices, while also recruiting those devices into its network of bots.
Microsoft stated that TrickBot’s operators were able to build a massive botnet, and that the malware evolved into a modular platform offered as malware-as-a-service.
The TrickBot infrastructure was made available to cybercriminals who used the botnet as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads.
TrickBot was also deployed as a second-stage payload of another botnet called Emotet.
According to Microsoft, this action might not permanently disrupt TrickBot, and the operators behind the botnet might take steps to revive their operations.
Image Credits: BankInfoSecurity