Quote of the Day

Sunday, January 24, 2021

Trickbot is still alive.

Mark Arena, CEO of Intel471, shared his team's analysis of Trickbot covering the period from Sept. 22, 2020 to Nov. 6, 2020. Trickbot has been active since Oct. 2016; it started as a banking trojan and evolved into spyware and backdoor malware, and its targets have shifted from individual bank customers to corporations. Trickbot is stealthy and invisible to users, so victims are unaware of the infection. It spreads through spam emails and is also offered as malware-as-a-service, providing other actors a framework for accessing victims' computers.

On Sept. 22, 2020, U.S. Cyber Command modified several Trickbot configuration files that were being sent out by its C&C infrastructure. The goal was to disrupt communication between the bots and their control servers. However, the actors maintained access to systems where they were already engaged in intrusion activity.

On Oct. 12, 2020, Microsoft announced its action against Trickbot, having asked a court to order U.S. hosting companies that hosted Trickbot controller infrastructure to shut that infrastructure down. From Oct. 13, 2020 to Nov. 1, 2020, Intel471 observed that a significant amount of Trickbot's infrastructure was inoperable. Between Oct. 28, 2020 and Nov. 6, 2020, Intel471 did not see any new Trickbot infection campaigns.

In recent Ryuk ransomware attacks, incident responders reported seeing a malware known as BazarLoader instead of Trickbot. BazarLoader is linked to the Trickbot operators through shared infrastructure and code similarities. This indicates that the Trickbot operators continue to launch targeted ransomware attacks successfully despite the disruption of the Trickbot infrastructure.

In conclusion, the U.S. Cyber Command and Microsoft actions against Trickbot infrastructure forced the actors to spend time and effort setting up new infrastructure instead of compromising and ransoming victims. However, it is unclear whether the actors will continue operating Trickbot or move entirely to BazarLoader. Nonetheless, we see a positive sign in that the disruption of the Trickbot infrastructure delayed the intrusion operations.


https://thecyberwire.com/podcasts/research-saturday/167/notes

