Microsoft has stepped up its efforts to disrupt the Trickbot malware botnet after receiving permission to take on its network infrastructure.
Citing concerns of potential activity to disrupt the upcoming elections, Microsoft was granted approval from the U.S. District Court for the Eastern District of Virginia to disable online servers connected to the botnet.
“During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation,” Microsoft CVP of Customer Security and Trust Tom Burt announced on the company’s blog.
“With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”
Trickbot was first identified by security researchers in 2016 as a Trojan-style malware program designed to steal bank account credentials, but rapidly evolved into a massive “malware-as-a-service” criminal enterprise. It is primarily spread via file attachments in email campaigns and is often used to infect computers and networks with ransomware.
“Based on the data we see through Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19 themed lures,” said Burt.
While the attack on Trickbot’s infrastructure has been disruptive, it’s unlikely to have taken the botnet offline permanently.
“We fully anticipate Trickbot’s operators will make efforts to revive their operations,” said Burt.