An infamous botnet and distributor of ransomware has been taken offline following a US court order, Microsoft has said.

Trickbot, which is estimated to have infected one million computing devices around the world since 2016, was disrupted following an order from the US District Court for the Eastern District of Virginia.

“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Tom Burt, Corporate Vice President, Customer Security & Trust, at Microsoft

The company says the action will protect US presidential election infrastructure, along with financial services institutions, government agencies, healthcare facilities, businesses and universities.

According to Microsoft, Trickbot has been the most prolific malware operation to have exploited Covid-19, as well as political movements including Black Lives Matter, to entice people to click on malicious links. It is also known for accessing online banking websites to steal funds from customers.

The disruptive move follows an intensive investigation by Microsoft and joint action alongside an international group of industry and telecommunications providers. Burt said: “Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners.”

Microsoft worked with partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom.

What is Trickbot?

Microsoft estimates that Trickbot has infected more than one million devices since it was first detected in 2016.

It was first spotted as a banking trojan used to steal password credentials, before evolving into a large botnet and a modular malware.

The Trickbot infrastructure was made available to cybercriminals, who used the botnet as an entry point for human-operated campaigns in target networks, including attacks that steal credentials, exfiltrate data, and deploy additional payloads, most notably Ryuk ransomware, which has targeted public institutions.

It was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files.

The identity of the operators is unknown, although it is believed they serve both nation-states and criminal networks.
Burt said: “What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model.

“Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, Trickbot has also infected a number of ‘Internet of Things’ devices, such as routers, which has extended Trickbot’s reach into households and organizations.”

Trickbot has used spam and spear phishing techniques – in which content targeted to an individual is used to entice somebody to click – to distribute malware. It has exploited Black Lives Matter and Covid-19 as lures.

“When someone using a Trickbot-infected computer attempts to log onto a financial institution’s website, Trickbot executes a series of activities to secretly hijack the user’s web browser, capture the person’s online financial login credentials and other personal information, and send that information to the criminal operators.

“People are unaware of Trickbot’s activity as the operators have designed it to hide itself. After Trickbot captures login credentials and personal information, operators use that information to access people’s bank accounts. People experience a normal login process and are typically unaware of the underlying surveillance and theft.”

Tom Burt, Corporate Vice President, Customer Security & Trust, at Microsoft