Trickbot Rebounds After 'Takedown'CrowdStrike: Botnet's Activity Has Already Picked Up
The recent “takedown” of Trickbot by Microsoft and others had only a temporary effect; the botnet’s activity levels have already rebounded, according to CrowdStrike and other security firms.
"The botnet was disrupted using configuration files; the impact was minimal in terms of length as we observed legitimate configurations pick back up relatively quickly," Adam Meyers, senior vice president of intelligence at CrowdStrike, tells Information Security Media Group.
Malwarebytes offers a similar assessment.
"So far, we have not yet seen the same levels as we did in early September, but we can confirm that TrickBot is almost as prevalent right now," says Jerome Segura, director of threat intelligence at Malwarebytes.
Some of those involved in the operation against Trickbot did not believe the malicious network was entirely destroyed and said it likely would rebound (see: Analysis: Will Trickbot Takedown Impact Be Temporary?).
For example, Kevin Haley, director of security response at Symantec, a division of Broadcom, had predicted that Wizard Spider, the cybercrime group credited with developing and being the distributor and primary operator of Trickbot, would use its deep pockets and resources to revive its botnet.
CrowdStrike and the FBI say that Wizard Spider has long been using the botnet to spread Ryuk ransomware, which has caused more than $61 million in losses from victims since September 2018.
CrowdStrike's analysis shows a severe – but temporary - dip in activity as a result of the disruption activity by Microsoft, U.S. Cyber Command and others.
CrowdStrike was able to view the initial denigration of the botnet. The report notes that on Sept. 21 and Sept. 22, CrowdStrike Intelligence observed a nonstandard configuration file being distributed to computers infected with Trickbot. The configuration files instructed infected hosts to communicate with the command-and-control server address 0.0.0.1 on TCP port 1.
The nonstandard configurations being downloaded were due to the actions of Microsoft, which had received a court order allowing it to take over Trickbot's servers in the U.S. Essentially, Microsoft told the servers to redirect their actions away from Wizard Spider, removing its ability to control the botnet.
"Since the disruption operation began on September 21, 2020, we observed a definite impact on the TrickBot network, with almost 10,000 unique downloads of the non-standard configuration identified," CrowdStrike says. “However, in spite of this, TrickBot activity has returned to its usual rapid pace, and the impact of the disruption operation was manifested as a short-term setback for Wizard Spider.” (See: Microsoft, Others Dismantle Trickbot Botnet).
Trickbot's Long-Term Prognosis
CrowdStrike researchers called the takedown operation a "valiant" effort that had a short-term impact. But the cyber gang's diverse and effective toolset enables it to be resilient, reactive and resolute as it continues to run its formidable global criminal enterprise, the researchers say.
One longer-lasting result of Microsoft’s action against Trickbot is a drop in the number of malware modules deployed by Wizard Spider onto captured devices - even though the gang has spent the last week collecting and configuring more devices, CrowdStrike reports.
"The modules are deployed during operations; they may have backed off deploying modules as they reclaimed their botnet. We have also observed periods where the modules weren't deployed for a variety of reasons," Meyers says.
Wizard Spider's Other Efforts
CrowdStrike also reports that Trickbot has been switching to BazarLoader as its primary delivery mechanism, updating Ryuk ransomware and starting to more frequently depend on Conti ransomware to conduct its attacks.
CrowdStrike and the FBI say Wizard Spider has used Ryuk to steal more than $61 million from ransomware victims since it was introduced in September 2018. From March to September, however, the group ceased using Ryuk and switched over to Conti ransomware, according to the CrowdStrike report.
Wizard Spider temporarily halted the use of Ryuk so it could attempt to update the malware, the researchers say. But the changes made were minimal.
"The functionality has remained overall static since introducing features for targeting hosts on a local area network,” CrowdStrike notes. “The most notable change to Ryuk is the introduction of code obfuscation. The code obfuscations appear to be designed to slow down the reverse engineering process by using anti-disassembly and code transformation obfuscation techniques.”
But this change has had a limited impact. CrowdStrike notes Ryuk lags behind Conti, which, when combined with BazarLoader, has superior obfuscation capabilities.
"It is possible that Conti and Ryuk may continue to be used simultaneously by Wizard Spider, with either one being deployed depending on particular characteristics of the victim organization,” the CrowdStrike report states. “What is clear is that Wizard Spider is now running multiple ransomware operations.”
While Wizard Spider's Ryuk operation was on hiatus, its use of Conti was taking off, CrowdStrike says. The gang rolled out Conti in August and added a data leak site to its repertoire to support extortion efforts. So far, CrowdStrike estimates, 120 networks have been hit with Conti and have had their data listed on the Conti data leak site.
"Conti victims span multiple sectors and geographies, the vast majority of which are based in North America and Europe. This opportunistic targeting is indicative of Wizard Spider and wider ransomware operations," the report states.
Wizard Spider's ability to adapt on the fly is also on display with its Conti operation. Since the ransomware's launch, the gang has shifted from fully encrypting files with AES 256 to using what CrowdStrike calls a more strategic and efficient approach of selectively encrypting files with the ChaCha stream cipher.