Researchers believe the group behind TrickBot are moving the infected devices it controls to the newer, more difficult to detect Emotet malware. Credit: Magdalena Petrova/IDG TrickBot, once one of the most active botnets on the internet and a primary delivery vehicle for ransomware, is no longer making new victims. However, there are signs its operators are transitioning the already infected computers to other botnets, including Emotet.“Our team assesses with high confidence that Trickbot operators are working closely with the operators of Emotet,” researchers from security firm Intel 471 said in a new report. “There is clear evidence of this relationship, for example, the resurrection of Emotet began with Trickbot.”TrickBot and Emotet have long been friendsTrickBot and Emotet are two Trojan programs that started out as malware tools focused on stealing online banking credentials but evolved into malware distribution platforms where they rented their access on systems to other cybercriminal gangs. Security researchers have long suspected that the group behind TrickBot were one of Emotet’s largest customers and the two botnets were regularly distributing each other on infected computers. Furthermore, TrickBot served as one of the primary infection vectors for the Ryuk ransomware.In October 2020, TrickBot was targeted in a coordinated action by Microsoft and other industry partners and ISPs which resulted in the disruption of all its command-and-control servers. However, its creators started new spam campaigns to regain control of the infected computers and slowly started to rebuild the botnet. This was followed in January 2021 by a takedown of the Emotet command-and-control infrastructure by law enforcement agencies in Europe. However, like TrickBot, Emotet started recovering, too, and a big reason for that was TrickBot itself. “On November 14, 2021, we observed Trickbot pushing a command to its bots to download and execute Emotet samples,” the Intel 471 researchers said. “This marked the beginning of the return of Emotet.”No new TrickBot campaignsResearchers can easily monitor new TrickBot samples because they contain unique identification codes called gtags that operators use to determine the success of each distribution campaign. These gtags are formed from three letters and three numbers, known as sub-tags. According to Intel 471, in November there were eight different TrickBot builds with lipXXX gtag and eight with topXXX. The last builds with these gtags came in mid to late December and there have been no new builds since then or new gtags. Additionally, the malware configuration file mcconf that contains a list of command-and-control servers hasn’t been updated since early December even though it used to receive regular updates.This significant drop in new distribution campaigns suggests that the TrickBot operators are not interested in infecting new systems. The existing computers that make up the botnet still receive commands and injection scripts from the control servers, but this could be partially due to automation.What happened with TrickBot?In October, the DOJ announced the extradition of a Russian national after his arrest in South Korea to face charges related to the development of TrickBot, but it’s not clear if this has directly led to the decrease in TrickBot activity, considering its operators launched new builds and campaigns in November and December.The Intel 471 researchers believe it’s more likely that the TrickBot operators have begun transitioning to other Trojans to continue their operations. “Intel 471 cannot confirm, but it’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favor of other platforms, such as Emotet,” they said. “Trickbot, after all, is relatively old malware that hasn’t been updated in a major way. Detection rates are high and the network traffic from bot communication is easily recognized.”In July 2020, researchers from Cybereason reported that the TrickBot group developed a loader and backdoor program called Bazar that shares some techniques and infrastructure with TrickBot but is stealthier and uses blockchain DNS domains making it more resilient to takedown attempts.The Bazar loader has since been used by several cybercriminal groups against high-value targets to deploy attack frameworks like CobaltStrike and IcedID or Bokbot inside network environments. Bazar command-and-control servers have also been seen distributing both TrickBot and Emotet last year, reinforcing the idea that all three are connected. “Perhaps a combination of unwanted attention to Trickbot and the availability of newer, improved malware platforms has convinced the operators of Trickbot to abandon it,” the researchers said. “We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots.” Related content news UK CSO 30 Awards 2023 winners announced By Romy Tuin Dec 05, 2023 4 mins CSO and CISO C-Suite Roles news analysis Deepfakes emerge as a top security threat ahead of the 2024 US election As the US enters a critical election year, AI-generated threats, particularly deepfakes, are emerging as a top security issue, with no reliable tools yet in place to combat them. By Cynthia Brumfield Dec 05, 2023 7 mins Election Hacking Government Security Practices feature How cybersecurity teams should prepare for geopolitical crisis spillover CISOs can anticipate and prepare for cyberattacks conducted by participants in geopolitical conflict such as the Israel/Hamas war by understanding the threat actors' motivations and goals. By Christopher Whyte Dec 05, 2023 12 mins Advanced Persistent Threats Threat and Vulnerability Management Risk Management news analysis P2Pinfect Redis worm targets IoT with version for MIPS devices New versions of the worm include some novel approaches to infecting routers and internet-of-things devices, according to a report by Cado Security. By Lucian Constantin Dec 04, 2023 5 mins Botnets Hacker Groups Security Practices Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe