Trickbot Botnet Shows Signs Of Life After Microsoft Seemingly Killed It Last Year

How many times have you seen a horror movie where the villain or monster is defeated, only to rise back up after the heroes let their guard down? It is the blueprint for a boilerplate horror film, and it also describes what seems to be happening with Trickbot, a dastardly botnet that Microsoft and U.S. Cyber Command defeated last year. Or so it seemed. Now it is showing signs of life.

Trickbot's demise seemed like a foregone conclusion when, last October, the military's Cyber Command unit executed a coordinated attack on the botnet, which included sending disconnect commands to infected computers. Then Microsoft got in on the action, disabling 62 of the 69 servers it had identified as part of Trickbot's infrastructure. The company said it was working on taking the remaining ones offline as well.

Like a bad horror movie, though, it does not appear as though Trickbot fully succumbed to those efforts. Researchers at Menlo Security recently observed some unsettling activity, leading them to believe Trickbot "might be back and active."

"In the most recent campaign we observed across our global Menlo Security cloud platform, we noticed the attackers used an interesting lure to get users to click and install the Trickbot malware on the endpoint. This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America," the security outfit said.

According to Menlo Labs, Trickbot's operators are sending out emails containing malicious hyperlinks. Whereas the botnet previously relied on "weaponized documents" (malicious attachments), the re-emerged campaign instead tricks users into clicking a link that redirects them to a compromised server, where they are encouraged to download a malicious payload.

"Where there's a will, there's a way. That proverb certainly holds true for the bad actors behind Trickbot's operations. While Microsoft and its partners' actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment," Menlo Labs says.

As for the payload itself, the downloaded file contains heavily obfuscated JavaScript code. Menlo Labs says it is still analyzing the payload, and intends to publish more details comparing it to payloads that were delivered prior to last year's takedown efforts.
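The article notes that the downloaded payload is heavily obfuscated JavaScript but does not show how a defender would triage such a file. The following is an added example (not code from Menlo Labs, Microsoft, or this article) of a simple heuristic scorer that flags JavaScript exhibiting common obfuscation traits: heavy use of string literals, hex escape sequences, single-letter identifiers, and run-time code construction via `eval`, `unescape`, or `String.fromCharCode`. The two sample snippets, the indicator thresholds, and the score cut-off are constructed for illustration and are not derived from any real Trickbot sample.

```python
"""Heuristic triage for suspected obfuscated JavaScript.

Added example; not Menlo Labs' or the article's own tooling. The samples,
thresholds and cut-off below are constructed assumptions for illustration.
"""
import math
import re
from collections import Counter

# Calls that obfuscators lean on to rebuild code or strings at run time.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|unescape|Function|atob|String\.fromCharCode|charCodeAt)\b"
)
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
HEX_OR_UNICODE_ESCAPE = re.compile(r"\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
IDENTIFIER = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "for", "while", "if",
    "else", "new", "this", "typeof", "in", "of", "do", "break",
    "continue", "switch", "case", "try", "catch", "finally", "throw",
}


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 blobs and packed data push this up."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_indicators(src: str) -> dict:
    """Compute raw indicators for one JavaScript source string."""
    strings = STRING_LITERAL.findall(src)
    string_chars = sum(len(s) for s in strings)
    # Strip string contents before counting identifiers so escaped
    # payload text does not pollute the identifier statistics.
    code_only = STRING_LITERAL.sub('""', src)
    identifiers = [i for i in IDENTIFIER.findall(code_only)
                   if i not in JS_KEYWORDS]
    short_idents = sum(1 for i in identifiers if len(i) <= 2)
    lines = src.splitlines() or [src]
    return {
        "entropy": shannon_entropy(src),
        "string_ratio": string_chars / max(len(src), 1),
        "suspicious_calls": len(SUSPICIOUS_CALLS.findall(src)),
        "escape_sequences": len(HEX_OR_UNICODE_ESCAPE.findall(src)),
        "short_identifier_ratio": short_idents / max(len(identifiers), 1),
        "longest_line": max(len(line) for line in lines),
    }


def obfuscation_score(ind: dict) -> int:
    """One point per indicator over its (assumed) threshold, 0..6."""
    score = 0
    score += ind["entropy"] > 5.0
    score += ind["string_ratio"] > 0.4
    score += ind["suspicious_calls"] >= 2
    score += ind["escape_sequences"] >= 8
    score += ind["short_identifier_ratio"] > 0.5
    score += ind["longest_line"] > 500
    return int(score)


def looks_obfuscated(src: str, threshold: int = 3) -> bool:
    """True when enough independent indicators fire at once."""
    return obfuscation_score(obfuscation_indicators(src)) >= threshold


# Constructed samples (not real malware): a plain helper function and a
# snippet written in the style of a packed, hex-escaped dropper.
BENIGN_SAMPLE = """function greetUser(name) {
  const message = "Hello, " + name + "!";
  console.log(message);
  return message.length;
}
"""

OBFUSCATED_SAMPLE = r'''var _0x1a=["\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74","\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65","\x57\x53\x63\x72\x69\x70\x74"];
var a=0,b="",c=[104,116,116,112];for(a=0;a<c.length;a++){b+=String.fromCharCode(c[a]);}
var d=unescape("%75%72%6c");eval(b+d);
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE),
                          ("obfuscated", OBFUSCATED_SAMPLE)):
        ind = obfuscation_indicators(sample)
        print(label, obfuscation_score(ind), looks_obfuscated(sample))
```

The scorer is deliberately conservative: a single indicator such as a long minified line is common in legitimate bundled JavaScript, so a verdict requires several indicators to fire together. In practice a hit would route the file to a sandbox or a deobfuscation pass rather than block it outright.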