Microsoft and a group of partners have taken down a Trickbot botnet, used to distribute COVID-19 spam and phishing scams and to provide malware as a service, the company recently announced.
The Trickbot botnet is also used to distribute ransomware, a growing threat to election-related organizations. Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a blog post: “Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.”
Criminals have also used the botnet to send spam and phishing emails purporting to be from the Black Lives Matter movement or containing information about the COVID-19 pandemic, Microsoft said. Trickbot, which has infected more than a million devices since late 2016, “has been the most prolific malware operation using COVID-19 themed lures,” Burt wrote.
Trickbot, which focused on stealing banking credentials when it first appeared, has since also targeted government agencies, healthcare facilities, businesses, and universities, Microsoft said.
Before they took down the botnet, Microsoft and its partner, the Financial Services Information Sharing and Analysis Center (FS-ISAC), a cybersecurity intelligence-sharing group for the financial sector, also filed a lawsuit in the U.S. District Court for the Eastern District of Virginia against the unnamed operators of Trickbot. Among other things, Microsoft argued in court documents that the botnet violates the company’s copyright through the malicious use of its software code, a new legal argument for the company.
Judge Anthony Trenga has ordered nine data centers and providers identified by Microsoft and FS-ISAC as hosting Trickbot’s command-and-control servers to block botnet traffic and disable any servers used by the botnet.
The botnet’s takedown is an “important service” because of its potential to attack local and tribal governments as the United States heads toward its elections, said Chloe Messdaghi, vice president of strategy at Point3 Security.
“So many cities, towns, and tribal jurisdictions across the U.S. rely on outdated technology, including systems that have reached effective end-of-life, meaning that vendors no longer issue patches and security updates, leaving them even more vulnerable to the kinds of ransomware attacks spread by Trickbot,” Messdaghi said.
Attacks on government agencies can lead to disinformation and distrust about the election, she added.
“We won’t know what governmental systems and information, if any, that Trickbot actually captured, and it’s possible that nothing was taken that necessarily needs to be disclosed to the public,” she told the Washington Examiner. “But this is clearly a case of the public and private sectors taking direct and immediate action ahead of elections in order to tamp down potential problems and innuendo.”
Several other cybersecurity experts noted that Trickbot could have been used to attack the election, even if there is little evidence that it was. Botnets can be used to overwhelm servers through denial-of-service attacks, said Jack Mannino, CEO at nVisium, an application security provider. Trickbot's offering of ransomware as a service was also a threat, he said.
“Ransomware as a service reduces the difficulty in maintaining ransomware infrastructure and launching attacks, evening the playing field for less skilled adversaries,” he said. “Groups can scale their ransomware operations by writing less code and requiring less technical expertise to deliver malware.”
Cybersecurity experts praised Microsoft for working with a group of partners to attack the botnet. In addition to FS-ISAC, NTT, Symantec, ESET, and Lumen’s Black Lotus Labs participated in the effort.
The joint effort “demonstrates to threat actors that they’re not just up against one single organization,” said Katie Teitler, senior analyst at TAG Cyber, a cybersecurity consulting firm. “The defense community is ready to use its collective efforts and threat information sharing to mitigate large-scale threats against our national infrastructure.”