Microsoft and a partnership of global telecoms providers have successfully disrupted a major botnet which had the potential to threaten the upcoming US election.
An investigation into the Trickbot network, led by Microsoft’s Digital Crimes Unit (DCU), identified the infrastructure used by the botnet to communicate with and control victim computers, the way infected computers talked with each other, and the way the malware evaded detection.
Trickbot is a network that acts as a malware dropper, a program designed to install other pieces of malicious code. Since 2016, it has spread from computer to computer, generally through spam emails, where it was designed to steal a victim’s credentials or provide access for criminals to download unwanted programs.
The programmers behind it have frequently updated it, adding new modules that install extra features, making it difficult to contain. They also control the botnet through a large, complex and distributed network of command-and-control servers, making Trickbot particularly hard to combat.
The botnet was then offered to hackers as malware-as-a-service. It has been linked to the Ryuk ransomware program, which has been used since 2018. The gang behind Ryuk, WIZARD SPIDER, used Trickbot to get their malware onto targeted computers.
Microsoft estimated that over a million computing devices around the world had been infected by the botnet. “Trickbot is one of the most prolific malware operations in the world, churning out multiple campaigns in any given period,” the company said in a statement.
By tracking multiple Trickbot campaigns in June 2020 and analysing around 61,000 samples of the malware, Microsoft formed a plan to stop the botnet.
“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers,” a Microsoft statement said.
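The approach described in that statement, watching which internal hosts connect to known command-and-control addresses and how regularly they do so, is the same logic a defender can run over their own egress logs. The script below is an added example written for this article, not Microsoft's tooling; the log lines and the C2 address list are constructed (RFC 5737 documentation ranges), not Trickbot's real infrastructure, and the `parse_line` format is an assumption chosen for the example.

```python
"""Flag internal hosts that contact known C2 addresses and check whether the
contacts look like bot beaconing (evenly spaced polling) rather than browsing.

Constructed example for illustration: the C2 list and log lines are made up.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical blocklist of C2 addresses, as a defender might load from a
# takedown notice or a threat-intel feed. Constructed values.
C2_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]

# Constructed outbound-connection log: "timestamp src_ip dst_ip dst_port".
SAMPLE_LOG = """\
2020-06-01T10:00:00 10.0.0.5 192.0.2.44 443
2020-06-01T10:05:00 10.0.0.5 192.0.2.44 443
2020-06-01T10:10:01 10.0.0.5 192.0.2.44 443
2020-06-01T10:02:00 10.0.0.9 93.184.216.34 443
2020-06-01T10:15:00 10.0.0.9 198.51.100.7 447
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port). Assumed format."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)


def is_c2(addr):
    """True if the address (string or ip_address) falls in a listed C2 network."""
    addr = ip_address(addr)
    return any(addr in net for net in C2_NETWORKS)


def find_c2_contacts(log_text):
    """Return {(src_ip, dst_ip): [(timestamp, port), ...]} for every
    source/destination pair where the destination is a known C2 address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if is_c2(dst):
            hits[(str(src), str(dst))].append((ts, port))
    return dict(hits)


def beacon_interval_seconds(contacts, tolerance=5.0):
    """If three or more contacts are evenly spaced (gaps differ by at most
    `tolerance` seconds), return the mean gap in seconds; otherwise None.
    Regular spacing is the classic sign of a bot polling its C2 server."""
    if len(contacts) < 3:
        return None
    times = sorted(ts for ts, _ in contacts)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if max(gaps) - min(gaps) <= tolerance:
        return sum(gaps) / len(gaps)
    return None


if __name__ == "__main__":
    for (src, dst), contacts in find_c2_contacts(SAMPLE_LOG).items():
        interval = beacon_interval_seconds(contacts)
        verdict = f"beaconing every ~{interval:.0f}s" if interval else "contact seen"
        print(f"{src} -> {dst}: {len(contacts)} connection(s), {verdict}")
```

In a real environment the blocklist would be fed from the takedown notice or intel feed and the log lines from a proxy, firewall or NetFlow export; the beacon check is what separates a single accidental hit from a machine that is actually under the botnet's control.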
Using that evidence, Microsoft obtained an order from the US District Court for the Eastern District of Virginia to halt Trickbot operations by disabling the IP addresses. The company’s case included copyright claims against Trickbot because the malware makes use of Microsoft’s code.
This meant that the content stored on the command and control servers was made inaccessible, suspending all services to the botnet operators, and blocking any efforts to purchase or lease additional servers.
“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft said.
Because of the widespread and modular nature of Trickbot, it could have been used by a wide range of threat actors, from criminal gangs to nation-states, to deliver malware to many different systems. It could potentially have been a major vector for an attack on US voting infrastructure ahead of the 3rd November presidential election.
“In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organisations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled,” Microsoft said.