With one of the biggest, most impactful elections in United States history just hours away, there is growing concern over voter fraud, rigged election results, and involvement from third parties influencing the results. Sadly, one of these has become reality as the Trickbot malware botnet was caught. Recently, an alliance of major tech companies organized an effort to take down the backend infrastructure of the TrickBot.
Companies fighting the good war against this bot include Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec. Even the U.S. government cyber security teams got in on the takedown. Prior to the attempted takedown the companies launched investigations into TrickBot’s backend infrastructure of servers and malware modules.
Over a period of months, the team of tech corporations collected more than 125,000 TrickBot malware samples, analyzed the content, and extracted mapping information about the malware’s inner workings, including all the servers the botnet used to control infected computers. With evident to back their claims, Microsoft went to court asking for legal rights to counterattack and for control over TrickBot servers.
However, even with some of the most advanced tech giants in the world firing a counterattack against the malware bot, it still hasn’t gone away. The TrickBot botnet has survived a takedown attempt. TrickBot command and control servers and domains have been taken and substituted with a new infrastructure. The Trickbot takedown has been described as temporary and limited but gives its current victims time to breathe until a more permanent solution can be implemented.
Even from the early planning phases, the tech companies anticipated TrickBot making a revival, and actually planned ahead for it. But why not kill it off all at once instead of just taking it out slowly. This multi-phased method to dismantling TrickBot is a result of the botnet’s complex infrastructure, much of which runs on bulletproof hosting systems, which are unresponsive or slow to react to takedown attempts.
Microsoft’s Victory in Court
Unbeknownst to many, the attempted take down of TrickBot played another role, one that could have ramifications long down the road. The court case that paved the way for the takedown also helped Microsoft set a new legal standard. In court, the tech giant argued that TrickBot’s malware abused Windows code for malicious purposes, against the terms of service of the standard Windows software development kit, on which all Windows apps are used.
Microsoft successfully argued that TrickBot was infringing on Microsoft’s copyright of its own code by copying and using its SDKs for unethical purposes.
Some have applauded Microsoft for this strategic legal maneuver. In the past, Microsoft had to present evidence to prove that the malware was causing financial damages to victims, which resulted in the long and laborious task of identifying and contacting victims. The new legal tactic Microsoft used in court focused on the misuse of its Windows SDK code. This method was easier to prove and argue, giving Microsoft’s legal team a more agile approach to going after malware groups. I wouldn’t be surprised to see Microsoft or other tech companies use the same approach in the future.
Microsoft and Cyber Command Working to Save the US Election
Microsoft was largely concerned that the masterminds behind Trickbot would use the botnet to upset the US election through ransomware. Attackers could lock down systems keeping voter rolls or reporting on election night results. When Microsoft began their investigations into the malware bot, it wasn’t expected to coincide with the US government’s own investigation. United States Cyber Command, the relative of the National Security Agency, had already started hacking TrickBot’s command and control servers around the world back in September. Microsoft only discovered this effort while launching its own.
In both investigations, the anti-TrickBot plans were meant to disrupt any possible Russian attacks during the next few critical days. However, it’s still not clear whether Russia intended to use Trickbot for a malware campaign, but this takes the option away before the vote on November 3rd.
The collaborative efforts of both Microsoft and government agency fast-tracked cyberconflict resolutions in the final days before the elections. Cyber Command, following a model it created in the 2018 midterm elections, kicked off a series of covert pre-emptive strikes on the Russian-speaking hackers it believes could interrupt the casting, counting and certifying of ballots on election day.
Trickbot and Malware as a Service (MaaS)
So now that we’ve gotten to the bottom of how the malware botnet was discovered and potentially thwarted enough to find by time to find a permanent solution, we can dive deeper into how the Trickbot operates.
The dual anti-threat efforts weren’t only dedicated to taking down TrickBot servers, which they knew would only be temporary, but also adding extra costs to TrickBot authors and delaying current malware operations. Additionally, security researchers also aimed to damage TrickBot’s reputation in cybercrime circles.
TrickBot is currently ranked as one of the Top 3 most successful Malware-as-a-Service (MaaS) operations in the cybercrime industry. The innovative bot uses email spam campaigns to infect computers, downloads its malware, and then steals data from infected hosts that it later resells for profit. Even more impressive is Trickbot’s ability to rent access to infected computers to other criminal groups, which makes a substantial amount of its revenues. The customers that rent this unauthorized access include infostealer trojans, BEC fraud groups, ransomware operators, and nation-state hacking groups.
A network bot like Trickbot that has potential to be disrupted risks revealing the operations of customers, most of which would prefer not to be exposed to law enforcement tracking. If Trickbot can be disrupted it would prove unreliable businesswise, especially for regular customers who are paying substantial fees to have access to infected systems at specific times.