Microsoft Unveiling the Trickbot Network And Some Key Takeaways
Trickbot has gained considerably more coverage and attention during the last couple of weeks, and many organizations have analyzed this malware in depth to safeguard their networks. Cyber analysts and researchers have noted a significant increase in Trickbot's use in ransomware attacks targeting everything from municipal and state governments to school districts and hospitals. Let's dig into the details of this aggressive malware.
Trickbot, “malware-as-a-service”, is dangerous
Trickbot is dangerous for several reasons. First, it evolves rapidly, spreads via multiple mechanisms (email and the network), and targets sensitive information such as online banking credentials so that criminals can fraudulently transfer funds. The malware started out as a banking Trojan and was first spotted in 2016. It was distributed through phishing email attachments containing a camouflaged script, concealed by font coloring. This tactic proved successful for the adversaries and affected hundreds of millions of clients. Cybercriminals were able to use the Trickbot infrastructure, and the botnet itself, as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads. This highly sophisticated malware proved its capability by defeating standard Microsoft Windows defenses.
For the last 4-5 years, Trickbot has been linked with another dangerous botnet, Emotet. The two have been combined to deliver Ryuk, a destructive ransomware variant used to encrypt files and exfiltrate data from organizations in order to force victims into paying ransoms.
In the third week of October, Microsoft announced that it had taken down the Trickbot criminal network, which uses servers and devices to spread ransomware. Trickbot uses not only servers but also Internet of Things (IoT) devices to launch its attacks. Microsoft and its partners declared that they had eliminated 94 percent of Trickbot's operational infrastructure. Furthermore, Microsoft claimed that of the 69 major Trickbot servers identified, 62 had already been taken down. Microsoft and its Digital Crimes Unit are collaborating with security solution providers and Internet service providers to block the Trickbot network. As a result, operators will not be able to use this infrastructure to distribute the Trickbot malware or activate deployed payloads such as ransomware.
Key takeaways from this work
The company lists three key takeaways from its work so far.
First and foremost, since Microsoft secured its initial court order and disabled the infrastructure, it has obtained a number of further court orders to ensure that the remaining elements of the infrastructure are also taken down legitimately. Microsoft has also been coordinating with its global partners and security providers to uncover new command-and-control servers as well as compromised IoT devices.
Secondly, Microsoft's Digital Crimes Unit also suggests that the individuals operating Trickbot have been collaborating with other criminals to set up new infrastructure and to deploy malicious payloads. This would not be as dangerous as Trickbot itself, but it is still time to safeguard our networks against it.
Thirdly, Microsoft states with confidence that its Digital Crimes Unit is well versed in Trickbot's infrastructure and highly trained in identifying its malicious activity, and that it will continue to disrupt the botnet's operations in the future.
NetworkFort Team provides assistance
NetworkFort is a security firm that offers various services and security tools for cyber threat prevention, protection, and response. It provides social engineering and phishing training to employees to help contain this ‘malware-as-a-service’. More information on this issue, as well as 24×7 cybersecurity assistance, is available at http://www.networkfort.com