The disruption of the Trickbot botnet will slash the number of cyberattacks aiming to swipe financial data and deploy ransomware.

Every time a critical piece of botnet infrastructure is “shot down,” thousands of machines are liberated from oppression by their cruel botnet masters. According to Forrester, botnets are one of the top cybersecurity threats to watch out for in 2020 – one that seems to be particularly rampant in the finance industry:

Trickbot is known to go after browser-stored passwords, Point-of-Sale systems, and cryptocurrency wallets, as well as banking, email and cryptocurrency exchange credentials. Without the protection of a security software solution, such as ESET Endpoint Security, systems can be easily infested by a malicious bot that might be served up, for example, by a phishing email. In the case of Trickbot, the Emotet trojan is commonly the first payload of a phishing email. Emotet, in turn, sometimes drops Trickbot as a secondary payload.

Chaining the slaves to the taskmaster

Once bots are deployed, the bot operators maintain control via command and control (C&C) servers. In order to evade and minimize disruptions to C&C server infrastructure, the bots are often designed to leverage various layers of C&C servers, among other tricks.

Trickbot’s main module, for example, often first contacts hacked Internet of Things (IoT) devices selected from a list of hardcoded C&C server addresses. The bot module then obtains a second list of C&C server addresses from the hacked devices.

By contacting the C&C servers on the second list, the bot can download various plugins. Some of the plugins have their own C&C servers, and yet other C&C servers are dedicated to exfiltrating stolen data – all of which make disruption efforts that much more challenging.

Modular with a wide range of infostealing plugins

Since Trickbot has a modular architecture, the operators are able to deploy both new and updated plugins with ever-evolving features. The malware’s capabilities range from infostealing to lateral movement, network abuse and even the deployment of ransomware, such as Ryuk. The high volume of research publications on Trickbot’s plugin updates, since its rise in 2016, illustrates how busy the botnet’s operators have been.

Trickbot has been further weaponized via its use as malware-as-a-service. In this criminal business model, the botnet is rented to other cybercriminals, who can wreak further havoc.

Fortunately, with the joint effort at disrupting the Trickbot botnet this week, financial industries – the most targeted business vertical – can hope for some respite. Trickbot operators have demonstrated a lot of interest in going after financial and related data. Out of the tens of thousands of configuration files used by the Trickbot plugins in 2020 and examined by ESET researchers, the most targeted websites were those of financial institutions.

In addition, 11 of the 28 Trickbot plugins analyzed by ESET were infostealers, including:

  • Pwgrab, which steals passwords from Filezilla, Microsoft Outlook and WinSCP;
  • importDll, which steals browser information such as browsing history, cookies and configurations;
  • psfin, which tries to locate specific instances of Point-of-Sale machines; and
  • injectDll, which uses browser hooks to steal user credentials from banking websites.

ESET’s Secure Browser technology, known as Banking & Payment Protection in the consumer lineup, blocks the hooking mechanism used by Trickbot’s injectDll plugin. Secure Browser will be available for businesses in the upcoming release of version 8 of ESET Endpoint Security.

Playing the game with endpoint detection and response

Perhaps the most insidious characteristic of Trickbot is its spreading capability. The most frequently detected plugins in ESET’s botnet tracker platform for Trickbot were those dedicated to lateral movement within compromised networks. These modules increase Trickbot’s hold in a victim network by propagating via:

  1. Network shares
  2. Server message block (SMB) using the EternalBlue exploit
  3. SMB using the EternalRomance exploit

ESET’s endpoint detection and response solution, ESET Enterprise Inspector (EEI), is powerful enough to automatically sound the alarm on the techniques employed by Trickbot. EEI does this via its detection rules that trigger when suspicious events happen on endpoints. The offending processes are saved, along with their process trees, for investigation by network defenders.

ESET Endpoint Security detects Trickbot’s lateral movements, while EEI detects its web injection mechanism. Using EEI’s dashboard, IT admins and network defenders can also gain a comprehensive view of these events:

MITRE ATT&CK IDTrickbot TechniqueESET Detection
1T1185Trickbot uses web injects to modify web pages and steal login credentials via the injectDll module.Injection into browser process [F0416]
[via ESET Enterprise Inspector]
2T1210.002Trickbot utilizes the EternalBlue exploit for lateral movement in the modules wormwinDll, wormDll, mwormDll and nwormDll.SMB/Exploit.EternalBlue.B
[via ESET Endpoint Security]
3T1210.002Trickbot utilizes the EternalRomance exploit for lateral movement in the module tabDll.SMB/Exploit.EternalRomanceSynergy.B
[via ESET Endpoint Security]

Recommendations

The Trickbot operation is not the first time ESET has contributed to a botnet disruption. ESET helped disrupt the Dorkbot botnet in 2015 and the Gamarue botnet in 2017. Dorkbot and Gamarue were first detected in 2011, and Trickbot was first detected in 2016.

While disruptions help create a safer internet, disrupting a botnet can be a drawn out, multiyear affair that involves complex coordination with law enforcement and industry partners. Waiting for the next botnet disruption is not a good security strategy, so here are a few steps you can take to protect your network from a botnet infestation:

  1. Protect your endpoints with security solutions, like ESET Endpoint Security and ESET Mail Security, that have robust detection modules, such as anti-phishing, Secure Browser and botnet protection. 
  2. Make sure your network is patched with the latest security updates so that malware can’t leverage exploits like EternalBlue and EternalRomance.
  3. Restrict access to remote ports, especially remote desktop (RDP) ports. Go one step further and protect RDP logins with multi-factor authentication, in case passwords get compromised by an infostealer. Go one giant step further by uninstalling unused apps and blocking unused ports.
  4. More mature security operations center (SOC) teams can consider ways to make attacks financially more costly for attackers – for example, by setting up open, unresponsive connections, serving up fake data, or using honeypots.