Despite attempts to stop the criminal hacking group that manages the Trickbot trojan, it continues its malicious activities by introducing new versions that make the malware more difficult to terminate. Trickbot can now offer other malware Access-as-a-Service (AaaS) capabilities. Many cyber attacks start with a successful phishing campaign, which allows the Trickbot trojan to be used as a pathway for ransomware infections and Distributed Denial-of-Service (DDoS) attacks. Image: CRN Australia.
The latest Trickbot versions, 2000016 and 100003, were introduced on 3 November and 18 November 2020 respectively, with changes that include a new command-and-control infrastructure based on MikroTik routers and the use of only packed modules. Researchers note that the malware had last been updated in August 2020.
Version 2000016 became active only about three weeks after Microsoft collaborated with other cybersecurity companies and government agencies to take down the 1 million-device Trickbot botnet, as noted by Bitdefender[1] in a recent report.[2] "Completely dismantling Trickbot has proven more than difficult, and similar operations in the past against popular Trojans have proven that the cybercriminal community will always push to bring back into operation something that's profitable, versatile and popular. Trickbot might have suffered a serious setback, but its operators seem to be working in earnest to bring it back, potentially more resilient and difficult to extirpate than ever before." The newest Trickbot versions have been used in attacks in the US, Malaysia, Romania, Russia and Malta. "When Microsoft decided to take down Trickbot before the US elections, fearing the massive botnet could be used to inhibit the voting process in some way, the endeavor proved to be more like a 'kneecapping' operation rather than cutting the hydra's heads," says Bitdefender. "This was likely a short-term tactic, potentially just to make sure that Trickbot would not cause any issues during the elections."
The latest version of the malware contains the same full list of modules that was used before the takedown attempt, with a few changes: for example, it no longer uses share.dll or mshare.dll in their unpacked form. The researchers believe this likely indicates that Trickbot's operators are moving away from unpacked modules and cleaning up their list of lateral movement modules to use only packed ones.
The action against Trickbot's infrastructure forced its owners to take additional steps to help ensure that any further efforts to take down the malware would be unsuccessful. For communications between victims and the command-and-control servers, version 2000016 of Trickbot is digitally signed using the password hashing function bcrypt. This usage was removed with the release of version 100003, which uses only MikroTik devices for its command-and-control efforts. Another safeguard put in place is the use of an EmerDNS domain as a backup in case no known command-and-control server responds.
Researchers noted, "What's interesting about this particular domain is that the EmerCoin key (EeZbyqoTUrr4TpnBk67iApX2Wj3uFbACbr) used to administer the server also administers some [command-and-control] servers that belong to the Bazar backdoor. The analyzed sample (82e2de0b3b9910fd7f8f88c5c39ef352) uses the morganfreeman.bazar domain, which has the 81.91.234.196 IP address and is running MikroTik v6.40.4."
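As an added defender-side example (not code from the Bitdefender report or this post), a small Python checker that flags DNS queries for EmerDNS names such as the .bazar backup domain described above, run over constructed resolver log lines. The extra EmerDNS TLDs (.coin, .emc, .lib) and the log format are assumptions, not taken from the page.

```python
import re
from typing import Dict, List

# EmerDNS top-level domains: .bazar is named on the page; .coin, .emc and .lib
# are the other TLDs EmerDNS serves (assumption, not from the page).
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample resolver log: "timestamp client qname qtype answer".
SAMPLE_LOG = """\
2020-11-20T10:01:02Z 10.0.0.15 www.example.com A 93.184.216.34
2020-11-20T10:01:05Z 10.0.0.15 morganfreeman.bazar A 81.91.234.196
2020-11-20T10:01:07Z 10.0.0.22 mail.example.org MX -
2020-11-20T10:02:11Z 10.0.0.15 updates.lib A NXDOMAIN
2020-11-20T10:02:30Z 10.0.0.31 bazar.example.net A 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<answer>\S+)$"
)


def is_emerdns_name(qname: str) -> bool:
    """True when the rightmost label is an EmerDNS TLD.

    Case-insensitive and tolerant of a trailing dot; a name like
    bazar.example.net is NOT flagged because 'bazar' is not its TLD.
    """
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in EMERDNS_TLDS


def find_emerdns_queries(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose query name uses an EmerDNS TLD."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        rec = m.groupdict()
        if is_emerdns_name(rec["qname"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_emerdns_queries(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} ({hit['answer']})")
```

A standard resolver returns NXDOMAIN for these names, since EmerDNS TLDs are not in the ICANN root, so even a failed lookup is worth an alert: the host is attempting a blockchain-DNS fallback.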
Microsoft reported on 12 October 2020 that it had obtained a court order from the US District Court for the Eastern District of Virginia which permitted Microsoft to disable the servers that hosted Trickbot.[3] Yet within a few days, security firms CrowdStrike and Malwarebytes reported that the botnet was being reassembled, although activity levels were much lower than before the takedown effort.[4]
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to a successful cyber security program, yet they are not enough. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance has been tracking cyber criminals for years. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware like Trickbot is bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but it is often dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or:
- Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/
[2] https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
[3] https://www.databreachtoday.com/microsoft-others-dismantle-trickbot-botnet-a-15156
[4] https://www.bankinfosecurity.com/updated-trickbot-malware-more-resilient-a-15449