TrickBot
   HOME

TheInfoList



OR:

Trickbot is computer
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
, a trojan for the
Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
and other operating systems, and the cybercrime group behind this. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem. The Trickbot cybercrime organization is large and well-organized, with possible connections to Russian intelligence agencies.


Capabilities

Trickbot was first reported in October 2016. It is propagated by methods including executable programs, batch files, email phishing, Google Docs, and fake sexual harassment claims. The Web site Bleeping Computer has tracked the evolution of TrickBot from its start as a banking Trojan. Articles cover its extension to attack PayPal and business customer relationship management (CRM; June 2017),the addition of a self-spreading worm component (July 2017), coinbase.com, DKIM support to bypass email filters, steal Windows problem history, steal cookies (July 2019), targets security software such as
Microsoft Defender Microsoft Defender Antivirus (formerly Windows Defender) is an anti-malware component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It ha ...
to prevent its detection and removal (July 2019), steal Verizon Wireless, T-Mobile, and Sprint PIN codes by injecting code when accessing a Web site (August 2019), steal OpenSSH and OpenVPN keys (November 2019), spread malware through a network (January 2020), bypass Windows 10
UAC UAC may refer to: Computing * User Account Control, a security feature in Microsoft Windows * Session Initiation Protocol#User agent client Organizations * Ulster Army Council, 1973 Northern Ireland loyalist paramilitary group * Undeb Amaet ...
and steal Active Directory credentials (January 2020), use fake COVID-19 emails and news (since March 2020), bypass
Android Android may refer to: Science and technology * Android (robot), a humanoid robot or synthetic organism designed to imitate a human * Android (operating system), Google's mobile operating system ** Bugdroid, a Google mascot sometimes referred to ...
mobile two-factor authentication, checks whether it is being run in a virtual machine (by anti-malware experts; July 2020), infecting Linux systems (July 2020). TrickBot can provide other malware with access-as-a-service to infected systems, including Ryuk (January 2019) and
Conti Conti is an Italian surname. Geographical distribution As of 2014, 63.5% of all known bearers of the surname ''Conti'' were residents of Italy (frequency 1:756), 11.8% of the United States (1:24,071), 9.2% of Brazil (1:17,439), 6.3% of Argentina ...
ransomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, ...
; the
Emotet Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. In 2021, the servers used for Emotet ...
spam Trojan is known to install TrickBot (July 2020). In 2021, IBM researchers reported that trickbot had been enhanced with features such as a creative mutex naming algorithm and an updated persistence mechanism.


Infections

On 27 September 2020, US hospitals and healthcare systems were shut down by a cyber attack using Ryuk ransomware. It is believed likely that the Emotet Trojan started the botnet infection by sending malicious email attachments during 2020. After some time, it would install TrickBot, which would then provide access to Ryuk. Despite the efforts to extinguish TrickBot, the FBI and two other American federal agencies warned on 29 October 2020 that they had "credible information of an increased and imminent cybercrime ansomwarethreat to US hospitals and healthcare providers" as COVID-19 cases were spiking. After the previous month's attacks, five hospitals had been attacked that week, and hundreds more were potential targets. Ryuk, seeded through TrickBot, was the method of attack.


Arrests

In August 2020, the Department of Justice issued arrest warrants for threat actors running the Trickbot botnet. In January 2021, an administrator of the virus distribution component of the Trickbot, Emotet, was arrested in Ukraine. In February 2021, ''Max'' (AKA: Alla Witte; Alla Klimova; Алла Климова;) a developer of Trickbot platform and ransomware components, was arrested.


Retaliation

From the end of September 2020, the TrickBot botnet was attacked by what is believed to be the
Cyber Command United States Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the United States Department of Defense (DoD). It unifies the direction of cyberspace operations, strengthens DoD cyberspace capabilities, and integra ...
branch of the US Department of Defense and several security companies. A configuration file was delivered to systems infected by TrickBot that changed the
command and control server A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its conn ...
address to 127.0.0.1 ( localhost, an address that cannot access the Internet). The efforts actually started several months earlier, with several disruptive actions. The project aims for long-term effects, gathering and carefully analyzing data from the botnet. An undisclosed number of C2 servers were also taken down by legal procedures to cut their communication with the bots at the hosting provider level. The action started after the US District Court for the Eastern District of Virginia granted Microsoft's request for a court order to stop TrickBot activity. The technical effort required is great; as part of the attack, ESET's automatic systems examined more than 125,000 Trickbot samples with over 40,000 configuration files for at least 28 individual plugins used by the malware to steal passwords, modify traffic, or self-propagate. The attacks would disrupt the TrickBot significantly, but it has fallback mechanisms to recover, with difficulty, computers removed from the botnet. It was reported that there was short-term disruption, but the botnet quickly recovered due to its infrastructure remaining intact. The US government considered ransomware to be a major threat to the 2020 US elections, as attacks can steal or encrypt voter information and election results, and impact election systems. On 20 October 2020, a security message on the Bleeping Computer website reported that the TrickBot operation was "on the brink of completely shutting down following efforts from an alliance of cybersecurity and hosting providers targeting the botnet's command and control servers", after the relatively ineffective disruptive actions earlier in the month. A coalition headed by Microsoft's Digital Crimes Unit (DCU) had a serious impact, although TrickBot continued to infect further computers. On 18 October, Microsoft stated that 94% of Trickbot's critical operational infrastructure - 120 out of 128 servers - had been eliminated. Some Trickbot servers remained active in Brazil, Colombia, Indonesia, and Kyrgyzstan. Constant action, both technical and legal, is required to prevent Trickbot from re-emerging due to its unique architecture. Although there was no evidence of TrickBot targeting the US election on 3 November 2020, intense efforts continued until that date.


See also

* Wizard Spider - group known to use the software


References

{{reflist Windows trojans Cyberattacks Cybercrime