Researchers believe the group behind TrickBot is moving the infected devices it controls to the newer, harder-to-detect Emotet malware.

Credit: Magdalena Petrova/IDG

TrickBot, once one of the most active botnets on the internet and a primary delivery vehicle for ransomware, is no longer claiming new victims. However, there are signs that its operators are transitioning the already infected computers to other botnets, including Emotet.

“Our team assesses with high confidence that Trickbot operators are working closely with the operators of Emotet,” researchers from security firm Intel 471 said in a new report. “There is clear evidence of this relationship, for example, the resurrection of Emotet began with Trickbot.”

TrickBot and Emotet have long been friends

TrickBot and Emotet are two Trojan programs that started out as malware tools focused on stealing online banking credentials but evolved into malware distribution platforms, renting out their access to infected systems to other cybercriminal gangs. Security researchers have long suspected that the group behind TrickBot was one of Emotet’s largest customers, and the two botnets regularly distributed each other on infected computers. Furthermore, TrickBot served as one of the primary infection vectors for the Ryuk ransomware.

In October 2020, TrickBot was targeted in a coordinated action by Microsoft, other industry partners and ISPs that resulted in the disruption of all its command-and-control servers. However, its creators started new spam campaigns to regain control of the infected computers and slowly began to rebuild the botnet. This was followed in January 2021 by a takedown of the Emotet command-and-control infrastructure by law enforcement agencies in Europe. However, like TrickBot, Emotet started recovering too, and a big reason for that was TrickBot itself.
“On November 14, 2021, we observed Trickbot pushing a command to its bots to download and execute Emotet samples,” the Intel 471 researchers said. “This marked the beginning of the return of Emotet.”

No new TrickBot campaigns

Researchers can easily monitor new TrickBot samples because they contain unique identification codes called gtags, which operators use to measure the success of each distribution campaign. These gtags are formed from three letters and three numbers, known as sub-tags. According to Intel 471, in November there were eight different TrickBot builds with the lipXXX gtag and eight with topXXX. The last builds with these gtags appeared in mid to late December, and there have been no new builds or new gtags since then. Additionally, the malware configuration file mcconf, which contains the list of command-and-control servers, hasn’t been updated since early December, even though it used to receive regular updates.

This significant drop in new distribution campaigns suggests that the TrickBot operators are not interested in infecting new systems. The existing computers that make up the botnet still receive commands and injection scripts from the control servers, but this could be partly due to automation.

What happened with TrickBot?

In October, the DOJ announced the extradition of a Russian national, arrested in South Korea, to face charges related to the development of TrickBot. It is not clear whether this directly led to the decrease in TrickBot activity, considering that its operators launched new builds and campaigns in November and December.

The Intel 471 researchers believe it is more likely that the TrickBot operators have begun transitioning to other Trojans to continue their operations. “Intel 471 cannot confirm, but it’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favor of other platforms, such as Emotet,” they said. “Trickbot, after all, is relatively old malware that hasn’t been updated in a major way.
Detection rates are high and the network traffic from bot communication is easily recognized.”

In July 2020, researchers from Cybereason reported that the TrickBot group had developed a loader and backdoor program called Bazar that shares some techniques and infrastructure with TrickBot but is stealthier and uses blockchain DNS domains, making it more resilient to takedown attempts.

The Bazar loader has since been used by several cybercriminal groups against high-value targets to deploy attack frameworks like Cobalt Strike and IcedID (also known as Bokbot) inside network environments. Bazar command-and-control servers were also seen distributing both TrickBot and Emotet last year, reinforcing the idea that all three are connected.

“Perhaps a combination of unwanted attention to Trickbot and the availability of newer, improved malware platforms has convinced the operators of Trickbot to abandon it,” the researchers said. “We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots.”
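The gtag tracking described in the “No new TrickBot campaigns” section can be turned into a simple monitoring script. The following is an added example, not code from the article or from Intel 471: it validates the three-letter plus three-digit gtag format, groups observed builds by their letter sub-tag (lip, top and so on), and flags families that have produced no new build within a chosen window, which is the “no new campaigns” signal the researchers describe. The build records are constructed sample data, and the 30-day staleness threshold is an assumption for illustration.

```python
"""Track TrickBot-style campaign identifiers (gtags) across observed builds.

Added example, not code from the Intel 471 report or the article.
The build records below are constructed sample data, not real telemetry.
"""
import re
from datetime import date, timedelta

# A gtag is three letters followed by three digits (e.g. lip123); the letter
# and digit halves are the "sub-tags" described in the article.
GTAG_RE = re.compile(r"^(?P<family>[a-z]{3})(?P<seq>[0-9]{3})$")

# Constructed sample records: (gtag, first-seen date). Not real samples.
SAMPLE_BUILDS = [
    ("lip101", date(2021, 11, 2)),
    ("lip102", date(2021, 11, 9)),
    ("top201", date(2021, 11, 4)),
    ("top202", date(2021, 12, 20)),
    ("lip103", date(2021, 12, 16)),
    ("BAD-TAG", date(2021, 12, 1)),  # malformed on purpose; must be rejected
]


def parse_gtag(tag):
    """Return (family, seq) for a well-formed gtag, or None if malformed."""
    m = GTAG_RE.match(tag)
    if not m:
        return None
    return m.group("family"), int(m.group("seq"))


def summarize_campaigns(builds):
    """Group builds by gtag family.

    Returns {family: {"count": int, "last_seen": date, "max_seq": int}}.
    Malformed tags are skipped rather than counted as a new family.
    """
    summary = {}
    for tag, seen in builds:
        parsed = parse_gtag(tag)
        if parsed is None:
            continue
        family, seq = parsed
        entry = summary.setdefault(
            family, {"count": 0, "last_seen": seen, "max_seq": seq}
        )
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["max_seq"] = max(entry["max_seq"], seq)
    return summary


def stale_families(summary, as_of, max_age_days=30):
    """Families with no new build within max_age_days of as_of.

    A family going stale is the signal that distribution for that
    campaign has stopped; the 30-day default is an assumed threshold.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(f for f, e in summary.items() if e["last_seen"] < cutoff)


if __name__ == "__main__":
    s = summarize_campaigns(SAMPLE_BUILDS)
    for fam, e in sorted(s.items()):
        print(f"{fam}: {e['count']} builds, last seen {e['last_seen']}, "
              f"highest seq {e['max_seq']:03d}")
    print("stale as of 2022-02-01:", stale_families(s, date(2022, 2, 1)))
```

Run against a feed of real sandbox or config-extractor output, the same grouping would show the pattern the researchers report: the highest sequence number per family stops advancing and every family eventually lands in the stale list. Tracking the mcconf server list the same way (last modification date per configuration hash) gives a second, independent staleness signal.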