The TrickBot botnet appears to have resumed normal operations days after Microsoft announced that it managed to take it down using legal means.
On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure.
Only three days after the announcement, however, security researchers with Intel 471 revealed that the botnet has resumed operations, despite Microsoft’s takedown attempt and efforts from the U.S. Cyber Command to hack TrickBot’s servers.
On October 14, the Emotet botnet began distributing malicious Word documents meant to download and execute a copy of Emotet. The Emotet bots, the researchers say, received commands to fetch and run Trickbot on victim machines.
Intel 471 also notes that the Trickbot plugin server configuration file has received an update which added fifteen server addresses and retained two old servers, along with the server’s .onion address.
The change, the researchers believe, was likely performed as a fix that would ensure that the botnet’s infrastructure remains operational.
“The fact that Trickbot has resumed normal operations despite the best efforts of U.S. Cyber Command and Microsoft shows how resilient of an operation Trickbot is and how much more effort is needed to fully take the botnet offline for good,” Intel 471 said.
The researchers, who have been tracking the botnet’s activity for months, assess that TrickBot’s operators have IT support that any legitimate enterprise takes advantage of, including automated deployment, backups, continuity planning, and a dedicated team behind, which allows them to react to disruptions fast.
“About 10 years ago it was much easier to completely take over or significantly disrupt a botnet, but cybercriminals are students of takedowns and have learned to make their operations more resilient to takedown efforts. That’s why every takedown attempt has some potential of giving ground to the adversary. You’re teaching them where the weaknesses in their armor are and they have a team of developers ready to act on that information. So unless you strike a killing blow, you’re not going to impact them long term,” Intel 471 COO Jason Passwaters said.
To fully disrupt TrickBot, the researchers say, a multi-prolonged effort is needed. Multinational law enforcement support with focus on arresting operators, an aim at the botnet’s main infrastructure, and tight collaboration between governments and the private sector for de-infection are required for a successful takedown.