EC News DeskESET researchers have participated in a global operation to disrupt the Trickbot botnet, which has, since 2016, infected over a million computing devices. Along with partners Microsoft, Lumen’s Black Lotus Labs Threat Research, NTT and others, the operation impacted Trickbot by tanking their command and control servers. ESET contributed to the effort with technical analysis, statistical information, and known command and control server domain names and IPs. Trickbot is known for stealing credentials from compromised computers and, more recently, has been observed mostly as a delivery mechanism for more damaging attacks, such as ransomware.
ESET Research has been tracking its activities since its initial detection in late 2016. In 2020 alone, ESET’s botnet tracker platform analysed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different Trickbot modules, giving an excellent viewpoint of the different C&C servers used by this botnet.
Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers. One of the oldest plugins developed for the platform allows Trickbot to use web injects, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites.
“Over the years we’ve tracked it, Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets out there. Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” explains Jean-Ian Boutin, Head of Threat Research at ESET.
