Microsoft leads offensive against TrickBot infrastructure ahead of US election day

The US government and cyber security experts see ransomware attacks as one of the biggest threats to the upcoming elections

Microsoft announced on Monday that it has led a major offensive operation to take down the backend infrastructure of the notorious TrickBot malware botnet, which uses over 1 million infected systems to spread ransomware and steal people's financial and personal data.

TrickBot malware activity was first recorded by researchers in 2016. At that time, it was observed to be functioning as a banking Trojan that attempted to steal sensitive information from target organisations.

The modular nature of TrickBot means it can be easily modified to perform various types of malicious activities. This is also the main reason behind TrickBot becoming one of the most sophisticated and capable malware delivery mechanisms in the world.

According to Microsoft, its security teams and partners spent several months collecting thousands of TrickBot malware samples and tracking the infrastructure that TrickBot used to communicate with infected systems. A detailed analysis of malware samples and other information enabled researchers to learn the IP addresses of command-and-control (C2) servers that cyber actors were using to control the botnet.

Firms that partnered with the Microsoft Defender team in the coordinated operation to knock the TrickBot C2 servers offline included ESET, Symantec, Lumen's Black Lotus Labs, FS-ISAC and NTT.

With all evidence in hand, Microsoft approached the US District Court for the Eastern District of Virginia and requested that the judge grant it permission to seize control of the TrickBot servers. Microsoft argued that the cybercriminals were abusing its trademark.

On 6th October, the court gave approval for Microsoft and its partners to disable C2 servers used by TrickBot operators. The court also ordered the suspension of all services being offered to TrickBot operators and the blocking of any effort by them to lease or purchase additional servers.

Tom Burt, Microsoft's corporate vice president for customer security and trust, said in a blog post that Microsoft and its partners have now cut off key infrastructure, preventing the TrickBot operators from using it to distribute TrickBot malware or activate deployed payloads like ransomware.

The announcement follows a major effort by the US Cyber Command to dismantle TrickBot with direct attacks.

The news of the TrickBot network disruption also comes at a time when American officials have been making preparations for the US presidential election next month.

US Department of Homeland Security officials list ransomware as a major threat to the IT networks that support the elections. They fear that cyber actors could try to knock out voter registration systems in states, disrupt the voting process or take down result-reporting websites.

Microsoft also believes that while TrickBot may not necessarily change the result of the election, it could damage confidence in election systems if they're breached.