Application security, Application security

Microsoft and partners unite to target Trickbot infrastructure in legal takedown

Building 92 at Microsoft’s headquarters in Redmond, Washington. (Coolcaesar via CC BY-SA 4.0)

Microsoft announced Monday morning that it has obtained a court order to dismantle Trickbot, a notorious botnet composed of millions of devices that U.S. officials worry could be used to sabotage state and local election-related IT systems ahead of the 2020 Presidential election.

In a blog post Tom Burt, Microsoft’s vice president for customer security and trust, said the company obtained a court order allowing them to disrupt servers and infrastructure that allowed Trickbot operators to communicate with infected devices around the world.

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Burt wrote. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

Microsoft’s defensive teams studied more than 61,000 samples of Trickbot malware used around the world and observed a number of infected computers as they interacted with operators to pinpoint the IP addresses used to issue commands.  The company also pulled together an international coalition of telecommunications providers and industrial partners, including ESET, Black Lotus Labs, NTT, Symantec and the Financial Services Information Sharing and Analysis Center to disable the IP addresses associated with the botnet, suspend services, deny access to any content on the servers and make it harder to Trickbot operators to purchase or lease new ones.

ESET said its researchers provided technical analysis, statistical information and details on known Trickbot infrastructure to Microsoft. They also collected “tens of thousands” of configuration files used by operators against different websites, giving ESET “an excellent viewpoint of the different command and control servers used by this botnet.” Black Lotus Labs and Symantec said they provided intelligence and supported Microsoft’s legal push in court to obtain a temporary restraining order.

“Complete eradication of this botnet will likely require additional actions from government partners in multiple jurisdictions,” Symantec’s threat hunter team wrote. “However, this action proves that successful private industry collaboration can be effective in countering cyber-crime and we hope that this set a new precedent for further initiatives.”

Microsoft used a new legal approach to persuade the U.S. District Court of Eastern Virginia to issue a restraining order for parts of Trickbot’s command and control infrastructure, claiming the group was violating copyright laws by repurposing Microsoft code for their criminal operations. The novel approach represents “an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt said.

Trickbot’s ransomware as a service model has worried Microsoft and U.S. government officials that the botnet could be leveraged by a nation state or criminal group to attack state and local election infrastructure ahead of the 2020 U.S. presidential election. That fear spurred a sense of urgency to take action. Tge Washington Post reported that U.S. Cyber Command executed their own operations to disrupt the botnet around the same time.

However, Trickbot’s reach goes further than election systems. Originally started as a banking Trojan in 2016, its operators have shifted in recent years to a ransomware-as-a-service operation, meaning they infect as many devices and systems as possible and then sell that access to other criminal hacking groups to use for their own operations. Over the years it has targeted many other commercial and industrial sectors. Microsoft data indicates it has been one of the most prolific malware and phishing actors during the COVID-19 pandemic, targeting large and small enterprises and facilitating multiple campaigns from different clients at the same time.

“In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled,” Burt wrote.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.