Microsoft and others orchestrate takedown of TrickBot botnet

FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, Symantec, and the Microsoft Defender team participated in the takedown.
Written by Catalin Cimpanu, Contributor



A coalition of tech companies has announced today a coordinated effort to take down the backend infrastructure of the TrickBot malware botnet.

Companies and organizations which participated in the takedown included Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec.

Preceding the takedown were investigations from all participants into TrickBot's backend infrastructure of servers and malware modules.

Microsoft, ESET, Symantec, and partners spent months collecting more than 125,000 TrickBot malware samples, analyzing their content, and extracting and mapping information about the malware's inner workings, including all the servers the botnet used to control infected computers and serve additional modules.

With this information in hand, Microsoft went to court this month and asked a judge to grant it control over TrickBot servers. Read a copy of the legal documents here.

"With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers," Microsoft said in a press release today.

Efforts are now being taken together with internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world to notify all infected users.

TrickBot had infected more than one million computers

According to the coalition's members, the TrickBot botnet had infected more than one million computers at the time of its takedown. Some of these infected systems also included Internet of Things (IoT) devices.

The TrickBot botnet was one of today's biggest botnets.

The malware first started out in 2016 as a banking trojan before shifting into a multi-purpose malware downloader that infected systems and provided access to other criminal groups using a business model known as MaaS (Malware-as-a-Service).

Together with Emotet, the TrickBot botnet has been one of today's most active MaaS platforms, often renting access to infected computers to ransomware gangs such as Ryuk and Conti.

However, the TrickBot gang also deployed banking trojans and infostealer trojans, and also provided access to corporate networks for BEC scammers, industrial espionage gangs, and even nation-state actors.

This is the second major malware botnet that has been taken down this year after Necurs in March.

The success of this takedown is, however, yet to be seen. Many other botnets have survived similar takedowns in the past. The best example of this is the Kelihos botnet, which survived three takedown attempts, rebuilding from scratch and continuing to operate.

Updated on October 15 to add that the TrickBot botnet has survived the takedown attempt, but there is also good news for security firms.