The uptick in the number of TrickBot infections most likely reflects the Russia-based group’s efforts to revamp its offensive infrastructure in response to the US’ counter-intelligence efforts, Bitdefender says.
Researchers observed an increase in the sophistication of the group’s tactics and discovered new capabilities that the attackers use to monitor and gather intelligence on victims of its botnet:
“The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims — making attacks difficult to spot,” Bitdefender said in an article published Monday.
They say TrickBot shows no sign of slowing down.
A botnet is a network of thousands of compromised devices that are used to launch attacks against businesses and critical infrastructure. With the right tools and permissions, these devices can allow malicious actors to control and monitor the traffic on their networks, spread malware, such as ransomware, and distribute spam.
The gang behind the TrickBot operation is Wizard Spider. Its goal is to infect as many machines as possible by moving laterally across a network, spreading various malware modules, stealing sensitive information, and even acting as a loader for other malware.
Over the years, the TrickBot operators have developed a complex infrastructure and constantly rotate their tactics:
“TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware,” Lumen’s Black Lotus Labs disclosed last October. “It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible.”
The botnet survived two takedown attempts by US Cyber Command and Microsoft. Its operators had developed firmware-meddling components that enabled the botnet to evade antivirus detection, block software updates, and even wipe and reinstall the computer’s OS.
However, Microsoft was more successful in Latin America, where it worked with ISPs to replace compromised routers to get rid of the TrickBot malware. The company also successfully shut down the gang’s operations in Afghanistan.
In the article, Bitdefender also described a new version of a module known as vncDll, which attackers deploy against high-profile targets for intelligence gathering. The new tvncDll module executes commands, downloads new payloads, and exfiltrates gathered intel from the machine.
The researchers also found a new “viewer tool” that enables the attackers to interact with the victims through the C2 servers.