The TrickBot Trojan, one of the biggest malware threats to appear in recent years, has had its backend infrastructure taken down by a coalition of tech firms.

TrickBot started life in 2016 as a banking Trojan used to target Windows devices but the malware has received many updates over the years and has had many new modules added to give it a much wider range of capabilities. TrickBot targets hundreds of different banks and also steals credentials and Bitcoin wallets. In recent years, the operators have teamed up with several different criminal organizations and have used the Trojan to deliver keyloggers, cryptominers, information stealers and ransomware variants such as Ryuk and Conti. TrickBot can now perform a huge range of malicious actions via many different plugins and in January and February 2020 was targeting more than 600 websites via a webinject module, most of which being financial institutions.

The Trojan achieves persistence on infected devices and adds them to a botnet, which has grown into one of the largest in operation. The operators of the Trojan are also known to use the EternalBlue exploit to move around infected networks and spread the Trojan to other devices on the network. This can make removal of the Trojan difficult, as once it is removed from a device, other infected devices on the network simply reinfect it when it is reconnected.

TrickBot is primarily spread via phishing emails via malicious macros, but other malware-as-a-service operations also deliver TrickBot, such as Emotet. TrickBot typically used lures aimed at business users, such as shipment receipts, receipt reminders, required declarations, delivery notifications, and other logistics themes using Word and Excel attachments and Java Network Launch Protocol (.jnlp) attachments, as well as malicious hyperlinks embedded in emails. In 2020, a large-scale campaign was conducted using coronavirus and COVID-19 themed lures, one of which spoofed humanitarian groups and claimed to offer free COVID-19 tests.

Those emails were sent by a diverse range of compromised email accounts and marketing platforms, with the threat group also using domains with their own mail servers to distribute the malware. There has been growing concern that the botnet could also be used in campaigns to disrupt the upcoming November 3, 2020 U.S. presidential election.

TrickBot is stealthy and uses a variety of mechanisms to evade detection by security solutions, including password protected zip files, delayed downloads of the Trojan when macros are run, heavily obfuscated loaders, encryption of configuration files, and a complex command and control infrastructure. The latter has now been untangled and its backend infrastructure has been taken down.

Several tech firms including Microsoft, ESET, Black Lotus Labs, and NTT have been working together for months to try to disrupt the TrickBot operation. More than 125,000 samples of the TrickBot Trojan were analyzed along with over 40,000 configuration files used by various TrickBot modules. After several months of painstaking work, the command and control servers used by the botnet were identified and its network infrastructure was mapped. Armed with the IP addresses, Microsoft obtained a court order and seized control of the infrastructure of servers used to distribute and communicate with the malware and its various modules. The IP addresses associated with the malware have now been disabled.

When the takedown occurred, more than 1 million devices had been infected with the malware and were part of its botnet.  The takedown is great news, as one more malware threat – and a major one at that – has been taken out of action, at least temporarily. Efforts are now underway by ISPs to contact victims to ensure the Trojan is removed from their systems.