02
Oct 20

Attacks Aimed at Disrupting the Trickbot Botnet

Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.

A text snippet from one of the bogus Trickbot configuration updates. Source: Intel 471

On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.

But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.

It’s not known how many Trickbot-infected systems received the phony update, but it seems clear this wasn’t just a mistake by Trickbot’s overlords. Intel 471 found that it happened yet again on Oct. 1, suggesting someone with access to the inner workings of the botnet was trying to disrupt its operations.

“Shortly after the bogus configs were pushed out, all Trickbot controllers stopped responding correctly to bot requests,” Intel 471 wrote in a note to its customers. “This possibly means central Trickbot controller infrastructure was disrupted. The close timing of both events suggested an intentional disruption of Trickbot botnet operations.”

Intel 471 CEO Mark Arena said it’s anyone’s guess at this point who is responsible.

“Obviously, someone is trying to attack Trickbot,” Arena said. “It could be someone in the security research community, a government, a disgruntled insider, or a rival cybercrime group. We just don’t know at this point.

Arena said it’s unclear how successful these bogus configuration file updates will be given that the Trickbot authors built a fail-safe recovery system into their malware. Specifically, Trickbot has a backup control mechanism: A domain name registered on EmerDNS, a decentralized domain name system.

“This domain should still be in control of the Trickbot operators and could potentially be used to recover bots,” Intel 471 wrote.

But whoever is screwing with the Trickbot purveyors appears to have adopted a multi-pronged approach: Around the same time as the second bogus configuration file update was pushed on Oct. 1, someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records.

Alex Holden is chief technology officer and founder of Hold Security, a Milwaukee-based cyber intelligence firm that helps recover stolen data. Holden said at the end of September Trickbot held passwords and financial data stolen from more than 2.7 million Windows PCs.

By October 1, Holden said, that number had magically grown to more than seven million.

“Someone is flooding the Trickbot system with fake data,” Holden said. “Whoever is doing this is generating records that include machine names indicating these are infected systems in a broad range of organizations, including the Department of Defense, U.S. Bank, JP Morgan Chase, PNC and Citigroup, to name a few.”

Holden said the flood of new, apparently bogus, records appears to be an attempt by someone to dilute the Trickbot database and confuse or stymie the Trickbot operators. But so far, Holden said, the impact has been mainly to annoy and aggravate the criminals in charge of Trickbot.

“Our monitoring found at least one statement from one of the ransomware groups that relies on Trickbot saying this pisses them off, and they’re going to double the ransom they’re asking for from a victim,” Holden said. “We haven’t been able to confirm whether they actually followed through with that, but these attacks are definitely interfering with their business.”

Intel 471’s Arena said this could be part of an ongoing campaign to dismantle or wrest control over the Trickbot botnet. Such an effort would hardly be unprecedented. In 2014, for example, U.S. and international law enforcement agencies teamed up with multiple security firms and private researchers to commandeer the Gameover Zeus Botnet, a particularly aggressive and sophisticated malware strain that had enslaved up to 1 million Windows PCs globally.

Trickbot would be an attractive target for such a takeover effort because it is widely viewed as a platform used to find potential ransomware victims. Intel 471 describes Trickbot as “a malware-as-a-service platform that caters to a relatively small number of top-tier cybercriminals.”

One of the top ransomware gangs in operation today — which deploys ransomware strains known variously as “Ryuk” and “Conti,” is known to be closely associated with Trickbot infections. Both ransomware families have been used in some of the most damaging and costly malware incidents to date.

The latest Ryuk victim is Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider that operates more than 400 facilities in the U.S. and U.K.

On Sunday, Sept. 27, UHS shut down its computer systems at healthcare facilities across the United States in a bid to stop the spread of the malware. The disruption has reportedly caused the affected hospitals to redirect ambulances and relocate patients in need of surgery to other nearby hospitals.

Tags: , , , , , , ,

32 comments

  1. ait,no wonder why BTC price is low now 🙁 100% ransome payers payed when btc highest ,i wish i knew it now they got just btc to dump us on btc traders 🙁

  2. …I can’t get to the 471 report right now, but if they really said that 127.0.0.1 “can’t be reached on the Internet” they’re wrong…

    …I think what they meant to say was “localhost” can’t be, or the write up is not clear as it says “address” as opposed to name…

    …btw many processes use localhost loopbacks to talk to themselves as a form of inter-process communications (IPC)…

    • 127.0.0.1 is a valid IP address which is guaranteed to point back to the same host from which the traffic originates. Therefore, by definition, you cannot place a host on the public Internet with that IP address, as no one else will ever route to it. This has been mandated since RFC 1122 in 1989.

      Whoever did this effectively cut off all of the bots from their command and control servers by tricking them into thinking “the call is coming from inside the house.”

      • …well yes and no, you can always add a route to 127.0.0.1 and force your stack to route it…

        …by convention (with a little c) 127.0.0.0/8 does not route, but it can be made to…

        …regardless it was clever…

        • It doesn’t route on the Internet, because no routers on the Internet have routes setup for 127.0.0.1.

          Nobody cares if you can setup a lab environment that lets you route to that IP. No infected computer is in such an environment, so it is effective is (temporarily at least) cutting off infected hosts from the C2 server infrastructure.

      • My little pc only asks that they change the new ip to some server that would entirely remove or permanently disable all the bot files on my computer. Seems to me to be one way to hurt the bastards

    • How is it wrong to say that 127.0.0.1 can’t be reached on the internet? The IPv4 spec says that 127.0.0.0/8 is reserved for non-routable internal/loopback use only. That means it does not leave the system so it can’t communicate with or via the internet.

      • Nevermind, I see that question has been dealt with.

        • …by convention (with a little c) 127.0.0.0/8 does not route, but it can be made to…

          …remember rfc’s are just suggestions…

          • You can do anything on the end node you control, but the intermediate routers on the Internet backbone which do follow convention (as the Internet would be utter chaos if they didn’t) will ensure those packets don’t go anywhere useful.

  3. I love it, absolutely love it. Who says one of the “5 eyes” doesn’t look out for their citizens?

  4. Won’t a simple shutdown (or reboot) get rid of the nworm invasion for an individual’s PC? And if that isn’t sufficient, how about just installing a clean OS? https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

  5. “from 2.7 million PCs to more than 7 million.”
    Impressive.
    Very impressive.
    Can this software be adopted to PA, OH, and MI voting machines?…

  6. When I was working for DHS (US_CERT), I saw TCP traffic with the return address in the 127.0.0.0/8 space. Came from a govt computer.

    • …that’s because MPLS traffic is specifically allowed to route 127.0.0.0/8 traffic by the latest RFC…

      …but I repeat myself…

      • Hi, Security Vet. What is the benefit of allowing routing 128.0.0.0/8? Thanks in advance for your insight.

        • …to allow MPLS traffic if you have it from the isp…

          • Cybersecurity Vet

            But that’s MPLS… the only reason I can think of why a “government computer” would return an address in that Class A block is what’s piggybacking on the edge routers of the Tier 1 ISP…. thoughts?

  7. the attacks are something serious, many times we think that they stay only in the movies, until it happens to us…

  8. I trust everyone knows not to go to Demyo dot Com.

  9. It makes me feel good to think that it’s “Batman”
    Why not, we have unlimited super villains, maybe one rich,,,, oh never mind, likely just competition,,,, 🙁

    “It could be someone in the security research community, a government, a disgruntled insider, or a rival cybercrime group. We just don’t know at this point.”

  10. Brian,

    Do you think it’s entirely possible this is a glimpse of government and corporate warfare against the endless hacking and attempts to hacking, and eventually against….????

    I sort of applaud this if so, but then I worry, what if we carry this out to its logical conclusion. What happens if corporation/companies start turning these against each other, or on us if they have a dispute with us.

    Nation-states already go against each other, but if companies begin, where is the line in the sand that will be drawn where someone says”we will not cross this and/or that line”? Against hackers? Against competitors?? Against customers we are having disputes with???

    Where does it all end? Or doesn’t it?? It will just become the new norm? I’ve been to recent A.I. talks where the presenters talk about not only “guarding” or “protecting”, but also “fighting back”. Huh Fighting back?? Exactly what does that entail??

    Be interested to hear your thoughts since you’ve been in the trenches with this stuff so many years now. Thank you for another good read.

    • It’s an important question. This doesn’t feel like the type of coordinated takedown attempts we’ve seen in the past; it seems more like the work of an independent group or individual.

      That’s potentially concerning on several levels, because such efforts — while well meaning — can have the effect of disrupting more coordinated disruption efforts. Not that I know such an effort is underway, mind you. However, it seems to me unless and until we start seeing a coordinated, national response and strategy for dealing with these ransomware groups, one-off events like this will continue. Personally, I find it disgraceful that no one at the federal level has put forth such a strategy, which probably needs to involve the intelligence community and the DOD. If you mention the election or Iran or North Korea, everyone’s on board. But plain old profit-seeking Eastern European cybercriminals? The collective shrug is embarrassing.

  11. Justin Credible

    Perhaps this is just one US intel agency tripping another up just before the big game.

Leave a comment