Coordinated by Microsoft, a group of companies launched an offensive against TrickBot, one of the most active botnets. The operation, although ambitious, was not enough to dismantle the network; it barely slowed it down for a day or two. But it is the first step in a campaign of attrition that hits the criminals in the wallet and could bear fruit in the long term.
It was a small kick to the anthill of the TrickBot cybercriminals that Microsoft orchestrated on October 12. Together with five other leading companies in the sector (ESET, NTT, Symantec, FS-ISAC and Lumen), the “Defender” team delivered a first blow to the computer network of one of the most active gangs in the world.
“TrickBot” designates at once the organization, the botnet [a complex network of infected devices, ed.] associated with it, and the information-stealing malware itself. The coalition estimates that this botnet, one of the largest, comprises nearly a million devices: servers, personal computers, but also all kinds of connected objects.
TrickBot's operators use it for their own ends, but they also rent the infrastructure to other cybercriminal gangs for a fee. Among their regular customers are the hackers behind the Ryuk ransomware. They use TrickBot to send out bulk phishing emails, and each successful attempt can set up a backdoor. This channel then allows sensitive information such as credentials to be exfiltrated in one direction, and malware – such as the cryptolocker intended to encrypt the data – to be installed in the other direction.
Before the operation by the coalition of cybersecurity companies, TrickBot was particularly active, whether in joint attacks with another dangerous botnet, Emotet, or in its own phishing campaigns.
As ZDNet points out, rather than trying to dismantle the organization in one fell swoop – a goal that is difficult to achieve – the coalition has begun a campaign of attrition, which it will have to keep up. It lays down legal and technical foundations that will gradually degrade the reputation and capabilities of the cybercriminal group. Of course, the group could recover each time, but less and less effectively.
Step 1: deactivate part of the network
Over many months, researchers from the different teams collected and analyzed more than 125,000 malware samples. Their objectives: to refine their understanding of the malware and to identify its interactions with external servers – the C&C, or “command and control”, servers – from which the hackers direct attacks.
They thus built a partial map of the botnet and its mode of operation. Then Microsoft, at the head of the coalition, asked a US court for authorization to go on the offensive against the malicious servers. To justify the action, the company succeeded in showing that the TrickBot malware violated the terms of use of the development kit for its operating system, Windows.
Microsoft and its allies disabled the IP addresses of the infected machines, temporarily cutting them off from the rest of the Internet. As a result, the criminals can no longer use the malware stored on their C&C servers. The coalition also tried to prevent the purchase of additional servers.
Cutting off the hydra’s head is too hard
The coalition is now carrying out outreach to warn the people whose systems are infected and hijacked by TrickBot. It falls to the security teams of those organizations to clean up their networks. In other cases, Microsoft and its partners have gone directly to Internet Service Providers (ISPs) to have the compromised machines cut off from the Internet for good.
In attacking a botnet of this size, the coalition could only have limited ambitions: part of the botnet's complex structure is immune to technical measures of this kind, because the hosts in question do not respond to takedown requests. Rather than trying to cut off the head of the TrickBot hydra, the coalition therefore chose to attack its business.
Step 2: damage the reputation of botnet operators
Their caution was warranted: barely two days after the large-scale action, TrickBot was showing signs of life. The command and control servers have already been replaced, ZDNet reports, citing several expert sources. The strike nevertheless gave the botnet's targets several dozen hours of respite, and the botnet has still not resumed the frantic pace at which it was operating.
Microsoft and its allies will repeat their action, both legally and technically, a company executive announced in the columns of the English-language site. This operation was therefore the first battle in what could turn out to be a long, drawn-out war.
Does a weakened TrickBot have the means to get itself out of danger?
Even though TrickBot quickly recovered from the attack, the attack was not painless. For starters, the loss of servers and the purchase of new ones represent a significant financial cost. Added to this is the slowdown in ongoing operations, which also translates into lost business volume for the cybercriminals.
Above all, the cybersecurity companies have proven that they can extract information from the gigantic botnet. TrickBot's customers – who spend large sums to access it – could therefore appear on the radar of law enforcement. This is an important point: if the botnet operators cannot guarantee discretion to their customers, demand for their services will fall, and so will their income. In cyber too, money is the sinews of war: with fewer financial means, TrickBot will be less able to develop systems for evading justice.
For its part, TrickBot is reportedly not standing still: it has reportedly already begun migrating part of its infrastructure to more discreet servers, which would allow it to escape certain enforcement measures.
Source: this article was originally published at en24news, and the editorial team at AlKhaleej Today confirmed and republished it in modified form.