Behind the scenes
“TheTrick” is one of the community names used to refer to the criminal group responsible for the development and distribution of many malware families, among which “TrickBot“, “Ryuk“, “Conti“, “BazarLoader” and “BazarBackdoor“.
The malware most closely associated with this adversary, however, is certainly “TrickBot“. TrickBot is a modular piece of malware designed so that additional malicious features can be bolted onto a core base. This modularity lets it carry out a wide range of activities: downloading and executing additional payloads, harvesting data, reconnaissance of the victim’s local network, lateral movement and so on.
According to the visibility of my research group, starting from 22 September 2020 someone tried to disrupt the TrickBot botnet by pushing a new configuration file to infected hosts that listed the IP address “127.0.0.1” as the new command-and-control server.
127.0.0.1 is “localhost”: traffic sent to it never leaves the infected machine, so it is obviously not routable and the bot can no longer reach a real C2.
Beyond this, the “version” field in this bogus file was set to a value that probably prevents bots from downloading a newer, valid configuration.
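As an added illustration (my own example code, not the page's and not TrickBot's real code), the script below parses a constructed, TrickBot-like XML-style configuration, flags C2 entries that cannot leave the host, and simulates the version trap. Everything in it is assumed for the example: the tag names (`<mcconf>`, `<ver>`, `<srv>`), the version numbers, the sample addresses (taken from RFC 5737 documentation ranges, which the check deliberately does not treat as unroutable so that the constructed "genuine" config has reachable servers), and the update rule that a bot accepts a pushed configuration only when its version number is strictly higher than the installed one.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configs (tag names and values are assumptions for this example).
BOGUS_CONFIG = """<mcconf>
<ver>1000</ver>
<servs>
<srv>127.0.0.1:443</srv>
</servs>
</mcconf>"""

GENUINE_UPDATE = """<mcconf>
<ver>43</ver>
<servs>
<srv>203.0.113.10:443</srv>
<srv>198.51.100.7:449</srv>
</servs>
</mcconf>"""

# Address space that can never carry traffic to an external C2. RFC 5737 documentation
# ranges are intentionally left out so the constructed sample above counts as routable.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class BotConfig:
    version: int
    servers: list  # list of (ip, port) tuples


def parse_config(text: str) -> BotConfig:
    """Extract <ver> and every <srv>ip:port</srv> entry from the (assumed) layout."""
    m = re.search(r"<ver>\s*(\d+)\s*</ver>", text)
    if not m:
        raise ValueError("config has no <ver> field")
    servers = [(host, int(port))
               for host, port in re.findall(r"<srv>\s*([0-9.]+):(\d+)\s*</srv>", text)]
    return BotConfig(int(m.group(1)), servers)


def classify_c2(host: str) -> str:
    """Label a C2 address by whether the bot could ever reach it over the network."""
    ip = ipaddress.ip_address(host)
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "routable"


def would_accept(installed_version: int, offered_version: int) -> bool:
    """Assumed update rule: only a strictly higher version replaces the installed config."""
    return offered_version > installed_version


def assess(text: str, installed_version: int) -> dict:
    """Report what accepting this config would do to a bot at installed_version."""
    cfg = parse_config(text)
    classes = {f"{h}:{p}": classify_c2(h) for h, p in cfg.servers}
    routable = [s for s, c in classes.items() if c == "routable"]
    return {
        "version": cfg.version,
        "accepted": would_accept(installed_version, cfg.version),
        "servers": classes,
        "verdict": "ok" if routable else "sinkholed: no routable C2",
    }


def simulate_poisoning(installed: int, bogus_text: str, later_genuine_text: str):
    """Bogus config first, then a genuine update: shows the bot is left with no C2
    and then refuses the real update because its version is lower."""
    bogus = assess(bogus_text, installed)
    now_installed = bogus["version"] if bogus["accepted"] else installed
    genuine = assess(later_genuine_text, now_installed)
    return bogus, genuine


if __name__ == "__main__":
    for step in simulate_poisoning(42, BOGUS_CONFIG, GENUINE_UPDATE):
        print(step)
```

Run as-is it prints the two assessments: the loopback config is accepted and leaves the bot with no reachable server, and the later genuine configuration (version 43) is rejected because the bot now believes it is at version 1000. The same `classify_c2` check is what an analyst would run over any decrypted config dump to spot a sinkholed or poisoned server list at a glance.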
At first it was impossible to know whether this configuration file had been pushed deliberately by the threat actor itself [very unlikely], by white hats attempting to disrupt the botnet, by a security vendor or by some government unit.
Until the configuration is restored to its prior state, TrickBot-infected machines are unable to communicate with the true TrickBot command-and-control servers. What was well understood within my research group (while we were trying to work out what was happening) is that whoever was attempting to take down the TrickBot network had a very good knowledge of the “internals” of this threat.
Finally, on 09 October 2020, The Washington Post solved the mystery by reporting that the TrickBot disruption was the work of U.S. Cyber Command.
Botnet dismantled?
For now it seems not. However, most likely this operation was not aimed at dismantling the TrickBot network permanently but rather at “…distract the adversary for at least a while as they seek to restore their operations…”. The reason is probably that “…the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election…”
Plausibly, the operators behind the TrickBot network have already begun to fully recover their network and their losses. In addition, one potential counter-move the threat actor could make in retaliation for what happened is to increase the ransom demands in its ransomware operations.
In general, the threat landscape associated with this threat actor currently appears very lively. For example, I recently came across a variant of the Ryuk ransomware (associated with this group’s criminal ecosystem) compiled on 11 September 2020, suggesting a return of Ryuk after its development seemed to have been abandoned with the advent of “Conti“.
Very recently, moreover, another malware family associated with the same criminal ecosystem, BazarLoader, has been spread with practically no detection. Again, I came across a variant with a detection rate of just 1/69 and reported it on Twitter in a reply to a @James_inthe_box tweet. (https://twitter.com/James_inthe_box/status/1313523102312087553)
All of this confirms that the group still appears very active and determined in its operations.
Microsoft, with the help of several ISPs around the world, also moved to take the TrickBot network down. Participants in that operation obtained a court order to take down the TrickBot command-and-control servers, thereby avoiding the need to poison the control and management mechanisms of the agents themselves.