Microsoft provided an update on its takedown efforts and announced a new wave of takedown actions against TrickBot.
According to the IT giant, the operation carried out last week has brought down roughly 94% of the servers that make up the Trickbot infrastructure. Trickbot is a delivery vehicle for ransomware, which has been identified as one of the biggest threats to the upcoming US elections.
“We initially identified 69 servers around the world that were critical to Trickbot’s operations and disabled 62 of them. The remaining seven servers are not traditional command and control servers, but rather Internet of Things (IoT) devices that Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled. Unsurprisingly, criminals operating Trickbot rushed to replace the infrastructure that we initially disabled. We are closely monitoring this activity and identified 59 new servers that they tried to add to their infrastructure,” said Tom Burt, CVP of Security and Customer Trust at Microsoft. “We have now disabled all but one of these new servers. In summary, from when we started our operation until October 18, we have eliminated 120 of the 128 servers that we identified as Trickbot infrastructure worldwide.”
In total, Microsoft has taken down 120 of the 128 servers it identified as Trickbot infrastructure. Of the original 69 command-and-control (C2) servers, 62 were disabled; the remaining seven, which could not be shut down last week, are compromised Internet of Things (IoT) devices that the operators had repurposed as part of their server infrastructure rather than traditional C2 hosts. Microsoft also revealed that the operators tried to rebuild: the company disabled 58 of the 59 new servers they attempted to bring online after the initial takedown.
Burt praised the role of Microsoft’s attorneys, who quickly obtained new court orders to remove the replacement servers set up by Trickbot’s operators in response to the takedown.
“We identify new Trickbot servers, locate their respective hosting provider, determine the proper legal methodology to take action, and completely disable those servers in less than three hours. Our global coordination has allowed a provider to act quickly as soon as we notify them, in one case in less than six minutes,” Burt continues. “What we are seeing suggests that Trickbot’s primary focus has become creating new infrastructure, rather than launching new attacks, and it has had to seek operational help elsewhere.”
Some Trickbot C2 servers are nonetheless still active and are being used by the operators to control the botnet. Researchers at cybersecurity firm Intel 471 reported that these servers are hosted in Brazil, Colombia, Indonesia, and Kyrgyzstan, and that they still respond to requests from Trickbot bots.
“This small number of live monitoring servers was not included in the most recently distributed Trickbot sample,” Intel 471 said. In other words, the surviving servers are not among the C2 addresses carried by the newest samples being pushed to victims.
Burt noted that TrickBot operators are working to restore their infrastructure rather than carry out new attacks.
“We expect that Trickbot operators will continue to look for ways to stay operational, and we and our partners will continue to monitor and take action,” Burt concludes. “We encourage other members of the security community who believe in protecting elections to join the effort and share their intelligence directly with hosting providers and ISPs who may take Trickbot’s infrastructure offline.”
Source: Security Affairs