Buenos Aires, Argentina.-. The operation, coordinated between ESET, a leading company in proactive threat detection, Microsoft, Lumen’s Black Lotus Labs research center and NTT, among others, managed to disable Trickbot’s command and control servers. ESET participated in the technical analysis, providing statistical information and known IP and domain names of the command and control servers. Trickbot is a botnet known for stealing credentials on compromised computers, but in recent times it has also carried out more harmful attacks, such as those starring ransomware.
ESET has been tracking Trickbot’s activities since its detection in late 2016. In 2020 alone, ESET’s monitoring platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different Trickbot modules. This allowed the company to have an excellent overview of the command and control servers used by this botnet.
“Throughout all this time, Trickbot has been observed to compromise devices in a stable way, making it one of the longest-lived botnets,” explains Jean-Ian Boutin, Head of Threat Research at ESET. “Trickbot is one of the largest banking malware families and represents a threat to Internet users around the world.”
In its years of operation, Trickbot has been distributed in different ways. For example, Trickbot was recently seen being downloaded onto systems compromised by Emotet, another very important botnet. In the past, Trickbot was used primarily as a banking Trojan that stole bank accounts and intended to make fraudulent transfers. As ESET mentioned in its Threat Report for Q1 2020, Trickbot is one of the most prevalent banking malware families.
One of the oldest plugins developed for the platform allowed Trickbot to use web injection attacks, a technique that allows malware to dynamically make changes to specific pages that the victim visits. “Thanks to our analysis, we have collected tens of thousands of different configuration files, so we know well which web pages Trickbot was targeting, mainly financial institution webs,” adds Boutin.
What makes Trickbot so versatile is that its functionalities can be greatly expanded with plugins. Throughout the follow-up, ESET collected and analyzed 28 different plugins. Some intended to collect passwords from browsers, email clients, and a variety of applications, while others were able to modify network traffic or self-propagate.
“Trying to eliminate this threat is a real challenge, since it has many recovery mechanisms, and its connection with other very active actors in the criminal world makes the operation extremely complex”, concludes the ESET researcher.