The operation, coordinated between ESET, Microsoft, Lumen's Black Lotus Labs research center and NTT, among others, succeeded in taking down Trickbot's command and control servers. ESET contributed to the technical analysis by providing statistical information and the known IP addresses and domain names of the command and control servers. Trickbot is a botnet known for stealing credentials from compromised computers, but more recently it has also been involved in more damaging attacks, such as ransomware.
ESET has been monitoring Trickbot's activity since it was first detected in late 2016. In 2020 alone, ESET's monitoring platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the various Trickbot modules. This gave the company an excellent overview of the command and control servers used by the botnet.
“Throughout all this time, Trickbot has been observed compromising devices at a steady rate, making it one of the longest-lived botnets,” explains Jean-Ian Boutin, head of Threat Research at ESET. “Trickbot is one of the most important banking malware families and represents a threat to Internet users around the world.”
Figure 1. Trickbot detections worldwide between October 2019 and October 2020
Over its years of operation, Trickbot has been distributed in different ways. For example, Trickbot was recently observed being downloaded onto systems already compromised by Emotet, another very prominent botnet. In the past, Trickbot was used primarily as a banking Trojan that stole bank account credentials and attempted to make fraudulent transfers. As ESET noted in its Threat Report for Q1 2020, Trickbot is one of the most prevalent banking malware families.
One of the oldest plugins developed for the platform allowed Trickbot to carry out web injection attacks, a technique in which the malware modifies, on the fly, specific web pages that the victim visits, typically by inserting extra form fields or altering content so that credentials and transaction details can be captured without the victim noticing. “Thanks to our analysis, we have compiled tens of thousands of different configuration files, so we know well which web pages Trickbot targeted, mainly the websites of financial institutions,” adds Boutin.
Figure 2. Number of targeted websites in 2020
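To make the web injection mechanism described above concrete, here is an added illustration in Python, written for this page and not taken from ESET's analysis or from Trickbot itself. A web-inject rule names a target site, a marker in the server's HTML and a payload; the malware, sitting between the browser and the network, splices the payload into matching responses before the page is rendered, so the victim sees an extra "Card PIN" field on what is otherwise the genuine bank login page. The rule format, the fictitious bank host and the sample page are all constructed for the example; Trickbot's real configuration format is not described on this page.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class WebInject:
    """One web-inject rule (hypothetical format, not Trickbot's own)."""
    host: str          # victim site the rule applies to
    path_prefix: str   # only pages under this path are rewritten
    marker: str        # HTML the malware searches for in the server response
    payload: str       # HTML inserted immediately before the marker


# Constructed sample configuration: two rules for one fictitious bank.
SAMPLE_CONFIG = [
    WebInject(
        host="online.example-bank.test",
        path_prefix="/login",
        marker="</form>",
        payload='<label>Card PIN</label><input name="pin" type="password">',
    ),
    WebInject(
        host="online.example-bank.test",
        path_prefix="/transfer",
        marker='<div id="balance">',
        payload="<!-- balance hidden -->",
    ),
]

# Constructed sample page, as the real server would have sent it.
SAMPLE_LOGIN_PAGE = (
    '<html><body><form action="/login" method="post">'
    '<input name="user"><input name="pass" type="password">'
    "</form></body></html>"
)


def matches(url: str, rule: WebInject) -> bool:
    """True if the URL is a page this rule targets (scheme, host and path)."""
    u = urlparse(url)
    return (
        u.scheme in ("http", "https")
        and u.hostname == rule.host
        and u.path.startswith(rule.path_prefix)
    )


def apply_injects(url: str, body: str, config=SAMPLE_CONFIG) -> str:
    """Rewrite a response body with every matching rule; return it unchanged
    when no rule applies or its marker is absent from the page."""
    for rule in config:
        if matches(url, rule) and rule.marker in body:
            body = body.replace(rule.marker, rule.payload + rule.marker, 1)
    return body


def targeted_hosts(config=SAMPLE_CONFIG) -> list:
    """Distinct hosts named in a configuration: the figure a defender pulls
    from a decrypted config to see which institutions are being targeted."""
    return sorted({rule.host for rule in config})


if __name__ == "__main__":
    victim_url = "https://online.example-bank.test/login?lang=en"
    other_url = "https://news.example.test/login"
    print(apply_injects(victim_url, SAMPLE_LOGIN_PAGE))
    # A page from a non-targeted site passes through untouched.
    assert apply_injects(other_url, SAMPLE_LOGIN_PAGE) == SAMPLE_LOGIN_PAGE
    print(targeted_hosts())
```

Because the rewrite happens to the HTTP response body before the browser parses it, the address bar, the TLS padlock and the page source as served all look legitimate; this is why collecting and decrypting the configuration files, rather than inspecting the bank's site, is how the list of targeted institutions in Figure 2 is obtained.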
What makes Trickbot so versatile is that its functionality can be greatly expanded with plugins. Over the course of its monitoring, ESET collected and analyzed 28 different plugins. Some are designed to harvest passwords from browsers, email clients and a variety of applications, while others can modify network traffic or self-propagate.
“Trying to eliminate this threat is a real challenge, since it has many recovery mechanisms, and its connection with other very active actors in the criminal world makes the operation extremely complex,” concludes the ESET researcher.
For more information, ESET offers its ransomware guide, a document that explains everything about this type of malicious code. It also shares the Anti-Ransomware kit, with information on the threat and prevention measures: https://www.eset-la.com/kit-Antiransomware
In addition, in the context of the COVID-19 lockdowns, ESET experts have made educational materials and useful tools available to increase the security of companies. Through guides and articles, they explain how the current situation poses new challenges and what benefits can be drawn from it. ESET also promotes safe teleworking, offering users free infographics, guides and checklists for IT administrators, as well as free trial licenses for its two-factor authentication, endpoint protection and remote administration solutions.