TrickBot Rises From the Ashes


TrickBot is back in action. This time the operators have returned with more power and enhanced tactics to disrupt their victims’ systems.

A quick recap


Earlier this month, Microsoft, in collaboration with ESET, Lumen’s Black Lotus Labs, NTT Ltd., and others, disrupted the backend infrastructure of the TrickBot trojan in an orchestrated operation.
The operation came just days after the U.S. military’s Cyber Command division carried out its own attack to take control over the attackers.
That 10-day operation involved stuffing millions of bogus records about new victims into the TrickBot database in a bid to confuse the botnet’s operators.
Microsoft, meanwhile, analyzed 61,000 samples of TrickBot malware and identified the IP addresses of the command and control servers to disrupt the trojan.
Nonetheless, the TrickBot gang managed to rebound after the takedown efforts.

TrickBot fights back despite the takedown


Despite a massive takedown effort, TrickBot bounced back to its usual rapid pace.
In mid-October, Intel 471 researchers saw an update to the TrickBot plugin server configuration file. The update was observed in an Emotet campaign that leveraged spam templates for mass distribution.
However, researchers claimed that it was short-lived, as the trojan could not make a connection with the new control servers. Meanwhile, a few control servers based in Brazil, Colombia, Indonesia, and Kyrgyzstan responded to TrickBot bot requests.

Also, TrickBot adds a new variant


Following the takedown effort, TrickBot’s author moved a portion of the code to Linux to create a new variant of the trojan dubbed ‘Anchor_DNS’.
The attempt was made to widen the s ..
