Trickbot On The Ropes: Microsoft’s Case Against Trickbot

Trickbot is having a very bad month!  Although Emotet continues to send Trickbot binaries to this day, all indications are that the operators are having problems. Emotet's daily activity is best documented by a team of researchers who work under the collective identity Cryptolaemus and publish IOCs and URLs on their website.  From 6 to 12 October there was no activity, all signs pointed to changes under way, and as of 14OCT2020 researchers such as our friends at @CofenseLabs and @Malware_Traffic report that Trickbot is once again being delivered by the Emotet spam botnet.

This article is about Microsoft vs. Trickbot. However, according to The Washington Post and security journalist Brian Krebs, U.S. Cyber Command also played a role in disrupting Trickbot. In one hack, as described by Krebs, the bots began telling other bots what the IP address of their new controller should be, which would cut infected computers off from the attackers.  Attempts were also made to flood the criminals with millions of fake stolen records in the hope of obscuring their view of the real victims. As Krebs also reported, the excellent Trickbot C&C Tracker at FEODOTracker still shows many C&C addresses live for Trickbot.

Microsoft’s Legal Action

On 12 October 2020 Microsoft announced its action against a ransomware threat in the run-up to the U.S. election, describing Trickbot as a malicious program that has infected more than a million computing devices worldwide since late 2016. Microsoft obtained a temporary restraining order (TRO) by filing a lawsuit in the United States District Court for the Eastern District of Virginia.  The Digital Crimes Unit (much love, people!) worked with FS-ISAC, ESET, Symantec, the Microsoft Defender team, NTT, Lumen’s Black Lotus Labs and others to build their case.

The legal documents relating to this matter can be found on Microsoft’s website:

Microsoft and FS-ISAC filed a 60-page complaint describing the harm done to their respective customers in the Eastern District of Virginia and demanding a jury trial against John Doe 1 and John Doe 2.

They charge them with violations of:

  • The Copyright Act – 17 USC § 101
  • The Computer Fraud and Abuse Act – 18 USC § 1030
  • The Electronic Communications Privacy Act – 18 USC § 2701
  • Trademark infringement under the Lanham Act – 15 USC § 1114
  • False designation of origin under the Lanham Act – 15 USC § 1125(a)
  • Trademark dilution under the Lanham Act – 15 USC § 1125(c)
  • Common law trespass to chattels
  • Unjust enrichment
  • and conversion

To enforce this, Microsoft asked the court to compel hosting providers to suspend service to, and block and monitor traffic for, customers using certain IP addresses in their networks.  The list includes:

  • Input Output Flood (IOFlood), Las Vegas, LLC, for IP addresses:
    • 104.161.32[.]103, .105, .106, .109 and .118
  • Hosting Solution Ltd (Hurricane Electric of Fremont, California) for the IP address:
  • Direct Hold of Jacksonville, Florida, for IP addresses:
    • 107.155.137[.]7, .19 and .28
    • 162.216.0[.]163
    • 23.239.84[.]132 and .136
  • Virtual Machine Solutions, LLC of Los Angeles, California, for IP addresses:
    • 107.174.192[.]162 and 107.175.184[.]201
  • A provider in New York, New York, for an IP address:
  • Fastlink Network Inc, Los Angeles, for an IP address:
  • Green Floyd LLC for IP addresses:
    • 195.123.241[.]13 and .55
  • Twin Servers Hosting, Nashua, New Hampshire, for an IP address:
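Court documents and vendor blogs publish controller addresses in the "defanged" `[.]` form used throughout this post, so a defender who wants to act on the TRO list (or on Lumen's C2 list further down) first has to refang the indicators and then match them against egress logs. The following is an added example, not code from the original post or from any of the parties named here; the log lines are constructed sample data, and only the controller IPs are taken from this page:

```python
import ipaddress
import re
from collections import Counter

# Defanged controller IPs as they appear on this page ("[.]" replaces a dot
# so that the published text cannot be clicked or auto-linked).
DEFANGED_IOCS = [
    "104.161.32[.]118",
    "107.155.137[.]15",
    "162.216.0[.]163",
    "23.239.84[.]132",
    "195.123.241[.]224",
]

def refang(indicator: str) -> str:
    """Turn a defanged IPv4 indicator back into a plain, validated address."""
    plain = indicator.replace("[.]", ".").replace("(.)", ".").strip()
    return str(ipaddress.IPv4Address(plain))   # raises ValueError if not a valid IPv4

# Constructed egress-log sample (not from the case documents).
SAMPLE_LOGS = """\
2020-10-12T09:14:02Z src=10.0.8.21 dst=104.161.32.118 dport=443 action=allow
2020-10-12T09:14:05Z src=10.0.8.21 dst=93.184.216.34 dport=443 action=allow
2020-10-12T09:15:17Z src=10.0.9.7 dst=107.155.137.15 dport=443 action=allow
2020-10-12T09:16:40Z src=10.0.8.21 dst=104.161.32.118 dport=443 action=allow
2020-10-12T09:17:01Z src=10.0.3.3 dst=195.123.241.224 dport=443 action=allow
garbage line that should be skipped, not crash the parser
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_c2_contacts(log_text: str, defanged_iocs) -> list:
    """Return one record per log line whose destination is a listed controller IP."""
    watchlist = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["dst"] in watchlist:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return hits

def hosts_to_triage(hits) -> list:
    """Internal hosts ranked by number of controller contacts, most contacts first."""
    return Counter(h["src"] for h in hits).most_common()

if __name__ == "__main__":
    for host, n in hosts_to_triage(find_c2_contacts(SAMPLE_LOGS, DEFANGED_IOCS)):
        print(f"{host}: {n} contact(s) with listed Trickbot controller IPs")
```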

Each team made an important contribution to this effort, and most of them have published their own Trickbot blogs, which I link below. In the case itself, their main contribution was expert analysis in the form of declarations supporting the TRO motion:

  • Lyon – Jason Lyon, director of the DCU’s Malware and Cloud Crime Investigation Team. Lyon, who served in the U.S. Army’s cyber counterintelligence unit, offers a 25-page declaration and ten exhibits. Part of his testimony presents evidence that 25 million Gmail addresses, 19 million Yahoo addresses, 11 million Hotmail addresses, 7 million AOL addresses, 3.5 million MSN addresses and 2 million other addresses are known Trickbot targets (according to the Deep Instinct report).
  • Finones – Rodelio Finones, senior software security engineer and malware researcher at Microsoft DCU. His 21-page declaration describes his own investigation of Trickbot.
  • Thakur – Vikram Thakur, technical director at Symantec Enterprise, where he has been a rock star for more than ten years!  His declaration runs 20 pages.
  • Garlow – Kevin Garlow, Senior Information Security Engineer at LUMEN (formerly CenturyLink). His testimony includes the fact that he identified 502 different IP addresses used as Trickbot controllers, 40 of which stayed online despite more than 30 abuse reports each, and 9 of which received more than 100 abuse reports.  He says they confirmed 55 new Trickbot controller IP addresses in September 2020 and 99 new Trickbot controller IP addresses in August. It is these durable, bulletproof controllers that Microsoft is focusing on.  Determining who pays the bills for these long-lived services could well be a way to identify John Doe 1 and John Doe 2.  Garlow’s statement that he sent so many takedown notices that were ignored is an important part of this package!
  • Silberstein – Stephen Silberstein, Executive Director of FS-ISAC.  He documents more than 500 fraud attempts against FS-ISAC member organisations over an 18-month period, totaling $7 million in attempted fraud.  One FS-ISAC member saw dozens of attempts in two weeks, with an average attempted fraud of $268,000!

  • Gaffari – Kaiwan M. Gaffari, attorney at Crowell & Moring LLP for Microsoft and FS-ISAC.  His declaration points the finger at specific hosting companies that hosted the machines covered by the TRO, including Colocrossing, IOFlood, HostKey, VDI Network, ENET-2 and King Server, noting that all of these organisations have terms and conditions that the Trickbot controllers clearly violate.  More than 650 pages of similar cases and the relevant court documents from those cases are then presented.
  • Boutin – Jean-Ian Boutin, head of threat research at ESET, describes Trickbot as one of the most prolific and widespread malware families on the Internet.

Trickbot-Related Blogs

ESET analyzed 125,000 malware samples and downloaded and decrypted 40,000 configuration files used by Trickbot modules in order to map the C&C servers to the botnet. Although Trickbot can drop many modules, they are not deployed universally.  In some cases modules were dropped only after an initial assessment of the network the bot was on, and in other cases they were changed based on the gtag, the unique label used to tag the infection. We think it is tied to the affiliates who pay the Trickbot operators.

ESET gtag timeline

Lumen’s Black Lotus Labs provided a C2 timeline showing which IP addresses were active in which countries.  In Indonesia, for example, active C2 servers were in use for 1362 C2-days!  Colombia and Ecuador, ranked No. 2 and 3, had only 652 and 637 C2-days.  In their latest post, A Look Inside the TrickBot Botnet, they published 95 C2 addresses. Many of these IP addresses also appear in Lyon’s testimony, as Figure 2 shows.


Symantec’s Trickbot blog post on the U.S. court order against the botnet’s infrastructure contains excellent graphics showing how Trickbot works:

Trickbot’s COVID-19 Lures, per Microsoft

Microsoft is in a unique position to act against malware because so much malware traffic is visible to it through browser telemetry, Microsoft Defender reports and Office365 scanning.  Last year they handled about 6 trillion messages and blocked 13 billion malicious emails containing 1.6 billion URLs aimed at infecting the recipients!

Microsoft’s 2020 Digital Defense Report notes that on 3 March 2020 Trickbot started using COVID-19 spam lures and went on to become the most prolific COVID-19-themed spam botnet.

We have long maintained that a lure that is timely and controversial is what gets people to click.  That still holds today: as demonstrated and documented by ProofPoint’s @ThreatInsight, the latest malware campaign, first launched on 6 December, was a great success. As we saw on October 10, 2020, President Trump’s diagnosis was used as bait to infect people with additional malware, using the President’s recent health status as the subject line and promising further details in a password-protected email attachment.

*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time, written by Gary Warner, UAB. The original post can be found at the following address:
