CyberWire Daily - Trickbot may be down, but can we count it out? [Research Saturday]
Episode Date: January 23, 2021
Guest Mark Arena from Intel471 joins us to discuss his team's research into Trickbot and its evolution from a banking trojan to a long-standing, most likely well-resourced operation that was taken down last year. Mark shares some insight into Trickbot's order of operations and what went on behind the scenes that his team, working with Brian Krebs, were able to discover. Since the separate and independent actions taken against Trickbot, Intel471 has observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. Intel471 is unable to assess the long-term impact of the Trickbot disruption activity or whether Trickbot will continue to be used by cybercrime groups. This analysis covers the period from Sept. 22, 2020 until Nov. 6, 2020. The research can be found here: Trickbot down, but is it out?
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Originally, it was a banking trojan, the banking trojan's target being, you know,
to compromise people's computers, capture their online banking credentials and then steal money out of their bank account.
That's Mark Arena. He's CEO at Intel 471.
The research we're discussing today is titled "TrickBot Down, But Is It Out?"
And now a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024,
these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than
ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops
attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com security.
As it kind of came, especially over the last year or two,
it's very much focused as a loader.
And a loader means, you know,
TrickBot itself isn't that bad on its own,
but it's what comes next, which can be really, really bad.
And the operators behind TrickBot are experts at triaging their infections.
They have no problem compromising huge numbers of organizations worldwide, probably in the
millions, I would say low millions.
And, you know, looking through those infections to find interesting ones, you know, whether you're
an organization, whether you're a government department, whether you're a bank, and either,
you know, doing follow-up intrusion activity themselves or providing it to other third parties,
whether they be nation states, cybercriminals, et cetera.
So we've been tracking TrickBot for a number of years now
from the technical side.
We did some research into,
and interestingly enough, we were totally skeptical of it,
some public claims that systems
that were compromised with TrickBot were being sold to the North Koreans.
And like I said, totally skeptical of that when we started looking at it.
And by the end, we were like, yes, this is definitely there.
And so we put out a public blog on that,
where it seems pretty clear that in a small number of cases
where some financial institutions have been hacked,
they've had those accesses provided or sold to the North Koreans
who have then done follow-up activity.
And so, yeah, it kind of led on from that.
And, you know, we saw an initial takedown
where it looked like somebody was trying to tell
all the TrickBot-infected systems,
kind of cut off the connection between them
and these cybercriminals' malicious infrastructure.
And we worked with Brian Krebs on it
because it was quite a technical story
and Brian's very, very good at understanding
the technical aspects for cyber crime.
And yeah, based on working with Brian
and his story got published and referenced us,
then a number of other mainstream media,
Washington Post, New York Times,
reached out after folks we knew who said that,
you know, their sources had told us
that action was US Cyber Command.
And then we've been told, you know,
that it was an independent action around the same time
leading up to the elections,
an independent action, legal action by Microsoft
to take down the
infrastructure.
And so, yeah, we kind of started to look at that, what we, the alleged cyber command action,
and then it kind of linked in and kind of fell in with Microsoft action.
And everybody was asking the same question, which was, you know, what's happening with
TrickBot?
Right, right.
Yeah.
Well, before we dig into some of the details that you all have outlined here
when it comes to what Cyber Command allegedly did and also Microsoft,
do you have insights on TrickBot itself?
I mean, is it operationally, what is the kind of,
what's their order of operations?
You know, do they go out and get their hooks in people's systems and then go offer that up for sale?
Do they say, you know, hey, we have these types of systems available and for a price we'll give you access to them?
Or do they take a custom order from someone?
Someone says, you know, we'd really like to have access to these kinds of systems.
Can you go out and provide that? Or is any insights on how they go about it?
Yeah, I think it's probably all of the above what you described. Like this is a professionally run
managed service, cybercrime as a service. And I'm sure there are members of the group
that are doing intrusions and ransomware operations. They're probably buying
access into organizations
from the underground, the cybercriminal underground.
People call it the deep and dark web,
although I hate that term,
but they're probably doing that.
They're probably buying installs from other cybercriminals.
So installs being there's other groups
which are just focused on getting initial infections on systems
and then selling them,
be like, oh, you want a thousand compromised systems from the US
or from Western Europe or from the Netherlands, for example,
and just selling bulk installs of compromised systems like that.
And then they're doing what you just said,
is selling off access to different people, custom or otherwise.
So yeah, it is a very long-standing operation,
probably very, very,
very well-resourced. Probably no different to us. We're a well-resourced intelligence vendor,
and they're the opposition, and there's no doubt they're well-resourced as well.
Yeah. Can you give us some idea of what's going on behind the scenes in terms of the scale of the infrastructure? When TrickBot was up and
running before folks came in and tried to interfere with them, how large were they and what was the
types of systems they had? What was going on with their command and control servers, that sort of
thing? Yeah, so as a whole, the focus up until the takedown seemed to be mostly ransoming
organizations.
So small and mid-sized organizations, they have initial access and they either do it
themselves or they provide it to a third party hacker or a third party group of cyber criminals
who would then look to move within a compromised network or within a compromised organization.
Almost they want to try and get at the domain controller.
So that's the system which controls all the other systems.
Because if they have access to that, they can then push out an update,
which then installs ransomware on all the systems.
So that was kind of the objective.
From an infrastructure perspective, they used a lot of what we think is hacked routers. So there was a company called MikroTik,
I think is how you pronounce them.
Hacked MikroTik routers.
You can basically, there was a vulnerability.
It's been patched for quite a while,
but a lot of people's routers all over the world
have not been patched.
And they were basically scanning and exploiting them.
And they used that as their initial point. That very much made Microsoft's job very difficult in taking down the infrastructure,
because it was all over the world. You know, they had these routers, which act as the
first layer where compromised systems will connect to, in places like Brazil, Indonesia, Colombia,
Kyrgyzstan, former Soviet Union countries.
So very dispersed, and a lot of them.
So that made things difficult with Microsoft's takedown, certainly.
Well, let's walk through the takedown,
starting with the one that folks seem to think came from U.S. Cyber Command.
I mean, that began back towards the end of September.
What exactly did they reach out and do?
Sure.
So each TrickBot infection has a configuration,
and the configuration says connect to these places.
This is where you connect to receive commands.
So compromised systems receive commands from the bad guys.
Those commands typically come from those compromised MikroTik routers, which are basically a forwarder to the real bad guys'
servers. So that was happening, and we saw an update pushed that had the IP address
127.0.0.1, which is the loopback IP address. So the objective was really,
you know, push this update to all the infected systems so the infected systems try and connect to themselves only.
So effectively, you can cut the head off the snake,
we can go after the server,
or we can go after all the snakes at the bottom,
who are the infected systems,
and that's what the objective was.
So for a period of time,
every TrickBot infected system that had been turned on and
connected to the command and control server received an update,
which severed that connection.
So that was what was alleged to be US Cyber Command's action.
And they did it a couple of times over a couple of week period as well.
And in the first instance, the bad guys changed the configuration back
pretty quickly.
And the second one, I think, was about 24 hours
where it took for them to change the configuration back.
Now, is this a situation where, you know,
I know with a lot of botnets,
the systems that are part of the botnet,
they go about their day-to-day business
still performing their primary functions.
And so the folks who have these systems,
in this case, as you said, these MikroTik routers,
they may not know that they've been infected.
Was that the case here?
And with the push that Cyber Command did, could that have affected their primary functionality?
The push that Cyber Command did was to the infected Windows systems.
So it wasn't so much targeted at the MikroTik routers.
I mean, effectively,
they're still infected, right? So the impact, you know, and like a number of years ago, the Dutch high-tech crime unit, the Dutch police, were taking on the same thing, some criminal malware,
and they took over the infrastructure. And rather than kind of severing the connection,
which is what US Cyber Command did, they deleted the malware from all the infected systems, globally. If
you really look at it from a legal perspective, depending on the country, you would say the
Dutch police basically broke the law because they modified somebody's data, data on somebody's
system without permission. And so that's what happened in the past. They took a lot of flak
for it. Probably, you know, whether you agree with it or not,
that's what they did.
And so US Cyber Command didn't do that.
They didn't delete it.
All they did was push their configuration update
to sever that connection.
So effectively, they're still infected
with the TrickBot malware,
but obviously with the connection severed,
the criminals wouldn't be able to do the next stage things,
which is what they've been doing,
which was, you know, follow-on ransomware activity, for example.
Yeah, that's fascinating. It makes me think about how, you know, as a kid, you can get chicken pox and then, you know, not have it for the rest of your life. But some people as adults
get shingles, you know, it's lurking in your system and it may be benign, hopefully for the
rest of your life, but I suppose who knows, right?
Who knows, right? Yeah, definitely. And I think that's, going forward, you know, it's super
interesting to have the US military basically going after a criminal group, a cybercriminal
group. I guess the damage, the economic damage of these attacks has reached a level, you know, if you
make enough, if you target a country enough and you take enough money from them, at some point it's a national security risk.
And I'm guessing US Cyber Command, coming up into the US election, saw that.
And I'm hoping it's something that goes forward in future.
Because I think the impact of cybercrime on the economies of Western countries is huge and only getting worse.
So moving on, then in October,
Microsoft joins in and they take their own action against TrickBot.
What is it that they did?
Yeah, so their focus was very much
on that infrastructure themselves.
So those MikroTik routers
that the criminals had compromised,
they were looking to get those taken down.
They did court action within the US to take over,
like physically take over the infrastructure or kill the IP addresses in the US.
At the start, I'd say it was a slow start. Like it didn't really impact the criminals too much.
But I think as it kind of went in and it was pretty clear that they were, you know, going
pretty hard resources wise globally. And a couple of weeks into it, as it led up to the election,
they were definitely disrupting the cyber criminals running TrickBot.
And I think, you know, the number one goal for everybody
when it comes to cybercrime should be arrests and law enforcement action.
If you can't do that, I think it's likely these actors
are protected in Russia by the Russian government.
So I think this is the next best thing. And I think for that
period of time leading up to the election, I think eventually they were successful in disrupting
their TrickBot operations.
Now, this notion that US Cyber Command and Microsoft were
operating independently and coincidentally came after the same thing right around the same time,
does that seem plausible to you?
It's a hard question to answer because I've been told by multiple people that it wasn't coordinated.
But I mean, it's a massive coincidence if it wasn't.
Right, right.
So I've got no information that would say that it was coordinated at all.
Yeah.
Yeah.
Yeah, but it is an interesting coincidence at the same time, right?
Definitely, yes.
Yeah, yeah.
Well, where do we find ourselves today then?
What's the state of TrickBot?
Yeah, I think, you know, as a result,
they've made some changes to make it harder to track them.
You know, nothing insurmountable or anything,
but they have made some technical changes.
Almost, I'd say it's almost, if not back to business as usual for them.
Like I said, I think there was a huge amount of resources
from the Microsoft side.
Maybe you can get them to comment,
but I think maybe there was a huge amount that couldn't be kept up,
but it was kept up until the elections,
the US presidential elections. But yeah, from our perspective, it looks like it's close to,
if not at, business as usual for the TrickBot operators.
It's interesting, as you kind of mentioned, you know, to think about this as a demonstration of
capabilities on the good guys side, you know, leading up to the election to say, you know,
here's what we can do in a very sort of public way?
Yeah, I mean, I think it was, like I said,
I think they could probably do more. And I think it was definitely like a shot across the bow.
Whether they receive it or not, I'm not sure. I mean, the reality is they're safe where they are currently,
like they're physically safe.
Unless there's a policy change on the Russian government level,
which is unlikely to happen anytime soon.
Right.
You know, there's certain limits on what we can do.
But like I said, back to my original thing,
I think the damage, the economic damage,
what they're leading towards,
especially with the ransomware type attacks, to all different organizations of all sizes.
If you hit an economy hard enough and the impact is big enough, I think you're a national security risk.
And at that point, I think gloves are off and I think it's heading that direction.
Our thanks to Mark Arena from Intel 471 for joining us.
The research is titled "TrickBot Down, But Is It Out?"
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.