[BreachExchange] Trickbot Strikes Back

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 13 10:57:16 EDT 2021


https://www.msn.com/en-us/news/technology/trickbot-strikes-back/ar-AAM4fo1

A notorious group of cybercriminals whose operations were almost totally
dismantled last year seems to be back in business—in yet another example of
the seemingly intractable nature of cybercrime.

The Russian-speaking group known as “Trickbot” (which is also the name of
the malware that they’re responsible for creating and distributing) has
built up its infrastructure and seems to be preparing for some nefarious
new campaign, The Daily Beast first reported.

The group, which has been connected to ransomware attacks and widespread
theft of financial information, is an outgrowth of an older, Russia-based
cybercrime group called “Dyre.” After Dyre was initially broken up by
Russian authorities back in 2015, the remaining members regrouped, creating
new malware tools and working to employ them in even more expansive
criminal enterprises. Trickbot, which today operates out of numerous places
in Eastern Europe—including Russia, Ukraine, Belarus, and others—is perhaps
best known for running one of the world’s largest botnets.

Botnets are large networks of “zombie” devices—computers that have been
infected with special kinds of malware that allow them to be collectively
controlled by a hacker, typically for malicious purposes. In Trickbot’s
case, the group has used its million-plus botnet for an assortment of
sordid activities, including helping to launch ransomware attacks
throughout the world.

Last fall, the Pentagon’s Cyber Command attempted to debilitate Trickbot,
fearing that hackers connected to the group might attempt to interfere with
the 2020 presidential election. CYBERCOM launched a series of “coordinated
attacks” against Trickbot’s servers, ultimately succeeding in disrupting
its operations. However, it was clear that federal officials did not expect
their efforts to be a long-term deterrent, with anonymous sources telling
the Washington Post that the action was “not expected to permanently
dismantle the network.”

Around the same time, Microsoft launched its own campaign that was also
targeted at dismantling the group. The company tracked and analyzed the
servers that were involved in operating the botnet, subsequently garnering
a court order that allowed them to disable the IP addresses connected to
those servers. Microsoft’s operation even involved working together with
ISPs to reportedly go “door to door” in Latin America, where they helped to
replace routers that had been compromised by the criminal group.

However, as is often the case with cybercrime, few of the culprits behind
the malware’s distribution were ever tracked down or faced charges. Earlier
this year, a 55-year-old Latvian woman who was known by the online
pseudonym “Max” was arrested and charged in federal court for her role in
facilitating Trickbot operations. However, she was merely one member—the
others appear to be back to business as usual.

Indeed, a recent report from security firm Fortinet seems to show that the
group has allegedly helped create a new strain of ransomware, dubbed
“Diavol.” On top of this, another report from BitDefender shows that the
group has built back up its infrastructure and that it has recently been
seen gearing up for new attacks and malicious activity, with the firm
ultimately noting that “Trickbot shows no sign of slowing down.”

The critical problem with cybercrime is the same as other types of crime:
If you don’t nab the actual criminals, they’re just going to be back out on
the street next week doing the same thing. And, unlike other types of
crime, the jurisdictional problems and anonymity of cybercrime make it so
much more difficult to do said nabbing.