Operation TrickBot: joint industry action paralyzes global eCrime network. ESET researchers supported the successful strike against a large TrickBot botnet.
The IT security industry strikes back: ESET researchers took part in a global operation against the TrickBot botnet, which has infected more than a million computers since 2016. Together with Microsoft, Lumen's Black Lotus Labs Threat Research, NTT and other companies, the operation has put the global eCrime network TrickBot under massive pressure. The joint action struck an important blow against the backbone of the cybercrime network and disabled its command and control servers. ESET contributed detailed technical analyses, statistical information, and the domain names and IP addresses of the command and control servers. One of the world's largest botnets, TrickBot is best known for stealing login credentials and distributing banking Trojans. The latest findings also show that the operators have expanded their eCrime portfolio and now use TrickBot as a delivery mechanism for broader attacks and far-reaching malware infiltration, including ransomware attacks on companies and organizations.
eCrime network active since 2016
ESET researchers have followed the activities of the global eCrime network TrickBot since it was first discovered in late 2016. In that time alone, ESET has analyzed more than 125,000 new TrickBot samples with the help of its botnet tracker platform. In addition, more than 40,000 configuration files used by the various TrickBot modules were downloaded and decrypted.
“We have been observing the TrickBot botnet for years and have repeatedly discovered its further developments. That makes it one of the largest and most durable networks of hijacked computers,” explains Jean-Ian Boutin, head of ESET's research department. “In addition, TrickBot is one of the most widespread banking malware families and thus represents a serious threat to all Internet users.”
TrickBot and Emotet as a duo
For years the malware was distributed very successfully in a wide variety of ways. The ESET security experts recently observed a new development: TrickBot was preferentially installed on systems that were already infected with the well-known Emotet malware and already belonged to its botnets. In the past, the operators used TrickBot primarily as a banking Trojan, with the aim of stealing online banking credentials and carrying out fraudulent transfers. Recently a new trend has emerged: the cybercriminals expanded their portfolio and used the existing eCrime infrastructure for targeted ransomware attacks on companies and organizations.
TrickBot infection methodology
One of the oldest plugins allows TrickBot to perform so-called web injects. This technique lets the malware dynamically alter web pages, for example a bank's login page, as the user of an infected computer visits them. “By analyzing many TrickBot campaigns, we have identified tens of thousands of different configuration files. Therefore we know which websites the operators are targeting. Most of the URLs belonged to financial institutions,” adds Boutin. “Stopping the activities of the TrickBot botnet is extremely difficult. The perpetrators have a wide variety of fallback mechanisms at their disposal and are also well networked with other cybercriminal actors. Carrying out strikes against such networks is therefore a highly complex operation.”
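To make the web-inject mechanism concrete, here is an added example; it is not ESET's code and does not reproduce TrickBot's own configuration format. It models, in JavaScript, how an inject rule keyed on a URL mask splices extra HTML into a page the victim is viewing, and shows the kind of check a bank's anti-fraud script or a monitoring proxy can run to spot the result. The rule format, the URL masks, the domain examplebank.test, the page HTML and the field names are all constructed for this illustration.

```javascript
// Added example (not ESET's or TrickBot's code): a toy model of a web inject
// and of a defensive check against it. Everything below is constructed.

// Constructed inject rules. The idea being modelled: "when the victim visits a
// URL matching `mask`, insert `html` immediately before the first `before`".
const INJECT_CONFIG = [
  {
    mask: "*examplebank.test/login*",
    before: "</form>",
    html: '<label for="pin">PIN</label><input id="pin" name="pin" type="password">',
  },
  {
    mask: "*examplebank.test/transfer*",
    before: "</form>",
    html: '<input type="hidden" name="otp_prompt" value="1">',
  },
];

// Turn a wildcard mask ("*" matches anything) into an anchored, escaped RegExp.
function maskToRegex(mask) {
  const escaped = mask
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i");
}

// All rules whose mask matches the visited URL.
function matchingRules(url, config = INJECT_CONFIG) {
  return config.filter((rule) => maskToRegex(rule.mask).test(url));
}

// Apply every matching rule to the served HTML. A rule whose marker is
// absent from the page is skipped; a non-matching URL leaves the page untouched.
function applyInjects(url, html, config = INJECT_CONFIG) {
  let out = html;
  for (const rule of matchingRules(url, config)) {
    const idx = out.indexOf(rule.before);
    if (idx === -1) continue;
    out = out.slice(0, idx) + rule.html + out.slice(idx);
  }
  return out;
}

// Defensive check: return the names of <input> elements that the legitimate
// page never serves. An unexpected "pin" field on a login page is a strong
// signal that the page was modified between the server and the user's eyes.
function unexpectedInputs(html, expectedNames) {
  const expected = new Set(expectedNames);
  const found = [];
  const re = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!expected.has(m[1])) found.push(m[1]);
  }
  return found;
}

// Constructed sample of what the (fictitious) bank actually serves.
const LOGIN_URL = "https://www.examplebank.test/login?lang=en";
const LOGIN_HTML = [
  '<form method="post" action="/login">',
  '<input name="user" type="text">',
  '<input name="password" type="password">',
  '<button type="submit">Log in</button>',
  "</form>",
].join("\n");
const LOGIN_FIELDS = ["user", "password"];

// Run the inject against the sample page and audit the result.
function demo() {
  const tampered = applyInjects(LOGIN_URL, LOGIN_HTML);
  return { tampered, unexpected: unexpectedInputs(tampered, LOGIN_FIELDS) };
}

console.log(demo().tampered);
console.log("unexpected fields:", demo().unexpected);
```

The URL-mask matching and string splice are the whole of the "inject" idea; what makes real injects dangerous is that they happen inside the victim's browser after TLS has been terminated, so neither the bank's server nor the TLS padlock sees anything wrong. That is why the detection side has to look at the page as rendered (or as captured by an endpoint agent) and compare it with what the server is known to serve.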
More on this at WeLiveSecurity on ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.