Microsoft’s Trickbot Takedown Offers Lessons for Cybersecurity Pros

On a Monday morning earlier this month, unexpected news hit Redmond, WA: Microsoft, along with several federal agencies and a handful of security firms, had dismantled the infrastructure behind Trickbot, a notorious botnet considered one of the world’s most malignant sources of cybercrime.

Since researchers first uncovered its presence in 2016, Trickbot has morphed from a banking Trojan into a versatile malware variant with worm-like capabilities that make it a potent botnet. The malicious code also acts as a dropper, meaning it can install or “drop” additional malware, including ransomware, onto endpoints, as well as push additional functional modules onto compromised devices.

Over the years, Trickbot has been associated with another dangerous botnet called Emotet, and the two have been combined to deliver Ryuk, a destructive ransomware variant used to encrypt files and exfiltrate data from organizations to force victims into paying ransoms.

For security analysts who have watched Trickbot grow over the years and become more dangerous, the fact that Microsoft used its considerable resources and clout with the U.S. court system to tackle this threat was welcome news.

“Since their announcement of intent to disrupt TrickBot operations, Microsoft, their partners, and the U.S. Cyber Command have been very effective in slowing it down,” Kacey Clark, a threat researcher at security firm Digital Shadows, told Dice. “In the meantime, Microsoft has stated that they ‘encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline.’”

However, not everything went Microsoft’s way.

A few days after the announcement, security firm CrowdStrike published an analysis that found Trickbot’s activity had steadily increased after the Microsoft-led “takedown.” The cybercriminal gang behind the botnet had used its money and technical resources to quickly rebuild its infrastructure, the report added.

Microsoft then pushed out another update, saying its efforts had dismantled about 94 percent of Trickbot’s infrastructure, and that it would continue to target servers and compromised Internet of Things (IoT) devices that still support the botnet. While numbers may change daily, Redmond believes it’s making progress in keeping the malicious activity at bay.

“Our global coordination has allowed a provider to take quick action as soon as we notify them—in one case, in less than six minutes,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, noted in an update. “What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help.”

Legally Yours

While other security firms have tracked and documented Trickbot over the years, Microsoft took a different approach to stop the botnet: The federal court system, specifically the U.S. District Court for the Eastern District of Virginia.

To start, Microsoft and its partners began documenting how Trickbot and its operators communicated with and controlled compromised devices, as well as the way infected computers talked to each other and the mechanisms the botnet used to evade detection. This investigation revealed the IP addresses of the servers and connected devices that served as the malware’s infrastructure.

This allowed Microsoft to present a case to a federal judge and petition the court to provide legal authority to shut down the servers and infrastructure. The company also argued that the operators of Trickbot violated the company’s copyrights, a unique legal strategy that Redmond has used to target malicious actors who use Microsoft logos and product names as part of their campaigns.

“Our case includes copyright claims against Trickbot’s malicious use of our software code,” Burt noted. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”

“This isn’t the first large-scale takedown effort that Microsoft has spearheaded—many of us remember their orchestrated takedown of the Necurs botnet in March 2020,” Clark added.

Brandon Hoffman, CISO at security firm Netenrich, notes that Microsoft’s campaign against Trickbot offers a lesson for how others should approach cybersecurity problems as they arise.

“This successful effort finally shows that when defenders collaborate, and most importantly, are not afraid or hindered from taking real action, progress can be made. It really is a shining example of success in a world mired in burned-out defenders and doubters,” Hoffman told Dice. “With the number of successful attacks continuously rising, and more technology and money being thrown at a problem with no end, the industry really needed a win.”

Mark Kedgley, the CTO at New Net Technologies, believes this approach to such far-reaching malware as Trickbot is better than individual organizations relying on security tools such as firewalls and anti-virus software (and their ingenuity) to stop threats.

“I hope that TrickBot reminds everyone how organized a malware operation can potentially be. This was, and still is, an operation on a global scale and available that had already been used to distribute and operate a range of banking Trojans and ransomware attacks,” Kedgley told Dice. “If the hackers are this well-organized and resourced, then shouldn’t those tasked with defending corporate networks be raising their game, too? A thorough implementation of all foundational security controls—system hardening, vulnerability management, patching and change control—is mandatory if you want to avoid being the next victim.”

Rocking the Vote

Another reason that Microsoft gave for taking action against Trickbot is that the botnet could have been used to deliver ransomware to U.S. government agencies and the country’s election infrastructure ahead of the Nov. 3 elections.

“As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections,” Burt noted. “Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.”

While Trickbot is used for an array of cybercriminal activities, including ransomware, not everyone is convinced by Microsoft’s line of reasoning. In comments published at the time, Sean Gallagher, a senior threat researcher with Sophos, notes that most criminal gangs are after money when attacking government agencies, not politics.

“While any ransomware attack against election infrastructure would cause disruption, we haven’t seen ransomware gangs target election infrastructure, or even local governments, specifically for political effect in the past—they’ve been hit because of phishing attacks that were at most targeted to individuals based on public data and were otherwise opportunistic,” Gallagher said. “Ransomware poses a threat to all organizations, and ransomware operators are motivated by the money, not politics.”

Clark with Digital Shadows notes that, no matter what the motive behind Trickbot’s deployment, it’s better to have the botnet on the defensive rather than fully operational in the short time before Nov. 3.

“As the TrickBot takedown continues in the run-up to the US presidential election, seizing or disabling command-and-control infrastructure to cut off communication is crucial,” Clark said.