Trickbot May Be Kaput, but Its Operators Plan on Keeping Busy


Is Trickbot finally dead? Like dead-dead?

This week, a number of cybersecurity analysts noted that the notorious botnet’s servers had been shut down, and many people seem to think it could be for good this time. Speculation about the botnet’s demise stems in part from a perceived “big shift” for its operators, cybersecurity firm Intel471 wrote this week. That shift appears to be a pivot toward other criminal malware operations. Operating partly as a malware-as-a-service outfit, the hackers behind Trickbot are focused on selling access to high-quality criminal hacking tools. As such, they seem to be concentrating on newer business endeavours, including the powerful trojan Emotet and BazarLoader, a backdoor commonly used to aid in the execution of cyberattacks.

For reference, botnets are basically large networks of “zombie” devices — computers that have been infected with special kinds of malware that allow them to be collectively controlled by cybercriminals. Resources from the infected devices are siphoned off and used to launch ransomware attacks, conduct cryptojacking and spam campaigns, and loads of other bad stuff.

Since its emergence in late 2016, Trickbot has been one of the most well-known and destructive botnets on the web. Having infected over a million devices, its malware has been leveraged by cybercrime groups to launch financial theft attacks all over the world. Trickbot is believed to be chiefly operated by a group called “Wizard Spider,” a prolific hacking squad based in St. Petersburg, Russia. Indeed, Wizard Spider is thought to be part of a broader “cyber-cartel,” which allegedly receives support from the Russian government.

Until recently, Trickbot was one of Wizard Spider’s most active and destructive cybercrime ventures. But, in October of 2020, the infrastructure supporting Trickbot was wounded by a series of actions taken by the Pentagon’s U.S. Cyber Command, as well as Microsoft. The operations involved USG hackers targeting Trickbot’s command-and-control servers while Microsoft used a court order to block the IP addresses of devices involved in the botnet’s operation. At the time, American officials were concerned that Trickbot could potentially be leveraged by the Russian government to disrupt the U.S. Presidential Election.

A recent report from Intel471 shows that Trickbot has exhibited less and less activity since the 2020 intervention — with its hacking campaigns slowing down to pretty much a standstill as of the end of last year:

Even as U.S. Cyber Command and Microsoft seized servers and the U.S. Department of Justice arrested several people alleged to be involved with the group that runs the malware, Trickbot stayed active throughout 2021 with various infection campaigns. These sporadic periods of activity have not continued into 2022. From December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new Trickbot campaigns. While there have been lulls from time to time, this long of a break can be considered unusual.

It should be noted, however, that while commentators may seem to be writing Trickbot’s obituaries, botnets have a habit of getting resurrected. Like digital vampires, they only need someone to turn the light switch back on, and, voila, they’re back in action, ready to cause havoc like nobody’s business.