Resilient Trickbot down but not yet knocked out

Threat hunters continue to wage war on the operators of Trickbot, a Russia-based cyber criminal group known as Wizard Spider, a week after a global coalition spearheaded by Microsoft succeeded in causing substantial disruption to the infamous ransomware distribution botnet.

According to Intel 471, patched variants of Trickbot were spotted in the wild within 48 hours of the initial takedown. The firm’s COO, Jason Passwaters, described it as “another round in the back and forth between Trickbot’s operators and the separate parties that have attempted to disrupt the botnet’s actions”.

Passwaters said this showed how resilient an operation Trickbot was and how its operators have thought about their own security and IT support, just as an enterprise IT team should, taking into account continuity planning, the need for backups, and so on. He said this would be a recurring challenge to those seeking to take Trickbot offline for good.

“About 10 years ago, it was much easier to completely take over or significantly disrupt a botnet, but cyber criminals are students of takedowns and have learned to make their operations more resilient to takedown efforts,” said Passwaters.

“That’s why every takedown attempt has some potential of giving ground to the adversary. You’re teaching them where the weaknesses in their armour are and they have a team of developers ready to act on that information. So unless you strike a killing blow, you’re not going to impact them long term.”

Crowdstrike researchers said they had seen more than a dozen confirmed attacks identified using Wizard Spider’s preferred ransomwares – Conti and Ryuk – since the disruption to Trickbot began, and said there had undoubtedly been some short-term impact on the network, but that the group had responded quickly, effectively and efficiently.

“Wizard Spider, with its diverse and effective toolset, has proven to be a highly capable adversary and continues to be resilient, reactive and resolute as they continue to run their formidable criminal enterprise,” its intel team wrote in an update posted on Friday 16 October.

“The resilience of advanced criminal threat actors like Wizard Spider make it increasingly important that we, as an industry, continue to fight back. Any attempt to increase the cost for the criminals contributes to a more secure cyber space.”

In a subsequent update, Intel 471’s observers again said they saw new samples of Trickbot being distributed via Emotet on 19 October.

The sample included a list of command and control (C2) servers as part of its configuration. These servers were located variously in Bosnia and Herzegovina, Germany, the Netherlands, Romania, Turkmenistan and the US. However, none of them were responding to Trickbot bot requests, suggesting that successful disruption operations are continuing on a global basis.

Nevertheless, there are still working Trickbot C2 servers located in a number of jurisdictions, including Brazil, Colombia, Indonesia and Kyrgyzstan, although according to ESET, which took part in Microsoft’s coalition, samples in the wild still remain well below their previous detection numbers.

More information on Trickbot, including advice on proactive mitigations that security teams can take right away, is available from the UK’s National Cyber Security Centre.