Research Saturday 1.23.21
Ep 167 | 1.23.21

Trickbot may be down, but can we count it out?


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Mark Arena: Originally, it was a banking Trojan – a banking Trojan being target, you know, compromise people's computers, capture their online banking credentials, and then steal money out of their bank account.

Dave Bittner: That's Mark Arena. He's CEO at Intel 471. The research we're discussing today is titled, "Trickbot down, but is it out?"

Mark Arena: As it kind of came, and especially over the last year or two, it was very much focused as a loader. And a loader means, you know, Trickbot itself isn't that bad on its own, but it's what comes next which is – can be really, really bad. And the operators behind Trickbot are experts at triaging their infections. They have no problem compromising huge numbers of organizations worldwide, probably in the millions – I would say low millions – and looking through those infections to find interesting, you know, whether you're an organization, whether you're a government department, whether you're a bank, and either doing follow up intrusion activity themselves or providing it to other third parties, whether they be nation states, cybercriminals, et cetera.

Mark Arena: So, we've been tracking Trickbot for a number of years now. From the technical side, we did some research into it, and interesting enough, we were totally skeptical of it. There were some public claims that Trickbot – systems that were compromised with Trickbot were being sold to the North Koreans. And like I said, totally skeptical of that when we started looking at it. And by the end, we were like, yes, this is definitely there. And so, we put out a public blog on that, where it seems pretty clear that in a small number of cases where some financial institutions have been hacked, they've had those accesses provided or sold to the North Koreans, who have done follow up activity.

Mark Arena: And so, yeah, it kind of led on from that. And, you know, we saw the initial takedown where it looked like somebody was trying to tell all the Trickbot-infected systems, kind of cut off the connection between them and these cybercriminals' malicious infrastructure. And we worked with Brian Krebs on it because it was quite a technical story, and Brian's very, very good at understanding the technical aspects of cybercrime.

Dave Bittner: Yeah.

Mark Arena: And yeah, based on working with Brian and his story got published and referenced us. Then a number of other mainstream media, you know, Washington Post, New York Times, reached out after folks we knew who said that their sources have told us that action was US Cyber Command. And then we've been told that there was an independent action around the same time leading up to the elections – independent action, legal action by Microsoft to take down the infrastructure. And so, yeah, we kind of started to look at that – the alleged Cyber Command action, and then it kind of linked in and kind of fell in with Microsoft's action. And everybody was asking the same question, which was, you know, what's happening with Trickbot?

Dave Bittner: Right, right. Well, before we dig into some of the details that you all have outlined here when it comes to what Cyber Command allegedly did, and also Microsoft, do you have insights on Trickbot itself? I mean, is it – operationally, what is the kind of – what's their order of operations? You know, do they go out and get their hooks in people's systems and then go offer that up for sale? Do they say, hey, we have these types of systems available for a price, we'll give you access to them? Or do they take a custom order from someone? Someone says, you know, we'd really like to have access to these kinds of systems – can you go out and provide that? Any insights on how they go about it?

Mark Arena: Yeah, I think it's probably all of the above, what you described. Like, this is a professionally run, managed, cybercrime-as-a-service. And I'm sure those members of the group that are doing intrusions and ransoming organizations, they're probably buying access into organizations from the underground, to the cybercriminal underground, people call it the deep and dark web, although I hate that term, but they're probably doing that. They're probably buying installs from other cybercriminals – installs being, there's other groups which are just focused on getting initial infections on systems and then selling them. Oh, want a thousand compromised systems from the US or from Western Europe or from the Netherlands, for example, and just selling bulk installs of compromised systems like that. And then they're doing what you just said, selling off access to different people, custom or otherwise.

Mark Arena: So, yeah, it is a very longstanding operation, probably very, very, very well-resourced and probably no different to us where we're a well-resourced intelligence vendor, and they're the opposition, and there's no doubt they're well-resourced as well.

Dave Bittner: Yeah. Can you give us some idea of what's going on behind the scenes – in terms of the scale of the infrastructure when Trickbot was up and running, before folks came in and tried to interfere with them, how large were they, and what was the types of systems they had? What was going on with their command-and-control servers, that sort of thing?

Mark Arena: Yeah, so, as a whole, the focus up until the takedown seemed to be mostly ransoming organizations. So, small and midsize organizations, they have initial access, and they either do it themselves or they provide it to a third-party hacker or a third party group of cybercriminals who would then look to move within a compromised network or within a compromised organization. For most, they want to try and get at the domain controller, so that's the system which controls all the other systems, because if they have access to that, they can push out an update, which then installs ransomware on all the systems. So that was kind of the objective.

Mark Arena: From an infrastructure perspective, they used a lot of what we think is hacked routers. So, there was a company called MikroTik, I think is how you pronounce them. MikroTik – hacked MikroTik routers – you can basically – there was a vulnerability that's been patched for quite a while, but a lot of people's routers all over the world have not been patched. And they were basically scanning and exploiting them, and they used that as their initial point. It very much made Microsoft's job very difficult in taking down the infrastructure, because it was all over the world that had these routers, which act as the first layer where compromised systems would connect to, were in places like Brazil, Indonesia, Colombia, Kazakhstan, former Soviet Union countries. So, very dispersed and a lot of them. So, that made things difficult with Microsoft's takedown, certainly.

Dave Bittner: Well, let's walk through the takedown, starting with the one that folks seem to think came from US Cyber Command. I mean, that began back towards the end of September. What exactly did they reach out and do?

Mark Arena: Sure. There's a – so, each Trickbot infection has a configuration, and the configuration says connect to these places, this is the way you connect to receive commands – so, compromised systems receive commands from the bad guys. Those commands typically come from those compromised MikroTik routers, which forward – basically a forwarder to the real bad guys' servers.

Mark Arena: So that was happening, and we saw an update pushed that had the IP address, which is the loopback IP address. So the objective was really, you know, push this update to all the infected systems so the infected systems try and connect to themselves only. So, by effectively – you can cut the head off the snake, being go after the server, or we can go after all the snakes at the bottom, who are the infected systems. And that's what the objective was.

Mark Arena: So, for a period of time, every Trickbot infected system that had been turned on and connected to the command-and-control server received an update which severed that connection. So that was, you know, alleged to be US Cyber Command's action. And they did it a couple of times over a couple of week period as well. And in the first instance, the bad guys change the configuration back pretty quickly. And the second one, I think, was about twenty-four hours, where it took for them to change the configuration back.

Dave Bittner: Now, is this a situation where, you know, I know with a lot of botnets, the systems that are part of the botnet, they go about their day-to-day business, still performing their primary functions. And so, the folks who have these systems – in this case, as you said, these MikroTik routers – they may not know that they've been infected. Was that the case here? The push that Cyber Command did – could that have affected their primary functionality?

Mark Arena: The push that Cyber Command did was the infected Windows systems, so it wasn't so much targeted at the MikroTik routers. I mean, effectively, they're still infected, right? So, the impact – you know, and, like, a number of years ago, the Dutch high-tech crime unit, the Dutch police, were taking on the same thing, some criminal malware, and they took over the infrastructure. And rather than kind of severing the connection, which is what US Cyber Command did, they deleted the malware from all the infected systems globally. If you really look at it from a legal perspective, depending on the country, you would say the Dutch police basically broke the law, because they modified somebody's data on somebody's system without permission. And so that's what happened in the past. They took a lot of flak for it. Probably – whether you agree with it or not, that's what they did.

Mark Arena: And so US Cyber Command didn't do that. They didn't delete it. All they did was push their configuration update to sever that connection. So effectively they're still infected with the Trickbot malware, but obviously, with the connection severed, the criminals wouldn't be able to do the next-stage things, which is what they've been doing, which was follow-up ransomware activity, for example.

Dave Bittner: Yeah, that's fascinating. It makes me think about how, you know, as a kid, you can get chicken pox and then, you know, not have it for the rest of your life, but some people, as adults, get shingles. You know, it could be lurking in your system and it may be benign, hopefully, for the rest of your life, but I suppose who knows, right?

Mark Arena: Yeah, definitely. And I think that's, going forward, super interesting to have the US military basically going after a criminal group, a cybercriminal group. I guess the damage, the economic damage of these attacks has reached a level. You know, if you target a country enough and you take enough money from them, at some point, it's a national security risk. And I'm guessing US Cyber Command, you know, coming up into the US election, saw that. And I'm hoping it's something that goes forward in future, because I think the impact of cybercrime on the economies of Western countries is huge and only getting worse.

Dave Bittner: So, moving on, then in October, Microsoft joins in and they take their own action against Trickbot. What is it that they did?

Mark Arena: Yeah, so their focus was very much on that infrastructure themselves. So those MikroTik routers that the criminals had compromised, they were looking to get those taken down. They did court action within the US to take over, like, physically take over the infrastructure or kill the IP addresses in the US. At the start, I'd say it was a slow start – like it didn't really impact the criminals too much – but I think as it kind of went in and it was pretty clear that they were going pretty hard resources-wise globally, and a couple of weeks into it, as it led up to the election, they were definitely disrupting the cybercriminals running Trickbot. And I think the number one goal for everybody when it comes to cybercrime should be arrests and law enforcement action. If you can't do that – I think it's likely that these actors are protected in Russia by the Russian government – so I think this is the next best thing. And I think for that period of time leading up to the election, I think eventually they were successful in disrupting their Trickbot operations.

Dave Bittner: Now, this notion that US Cyber Command and Microsoft were operating independently and coincidentally came after the same thing right around the same time – does that seem plausible to you?

Mark Arena: Uh, (laughs) it's a hard question to answer, because I've been told by multiple people that it wasn't coordinated. But I mean, it's a massive coincidence if it wasn't.

Dave Bittner: Right. Right.

Mark Arena: So I – you know, I've got no information that would say that it was coordinated at all.

Dave Bittner: Yeah, yeah. It's – but it is an interesting coincidence at the same time.

Mark Arena: Definitely. Yes.

Dave Bittner: (Laughs) Yeah. Well, where do we find ourselves today then? What's the state of Trickbot?

Mark Arena: Yeah, I think that as a result they've made some changes to make it harder to track them. You know, nothing that's not insurmountable or anything, but they have made some technical changes. Almost – I would say it's almost, if not back to business as usual for them. Like I said, I think there was a huge amount of resources from the Microsoft side. Maybe you can get them to comment, but I think maybe it was a huge amount that couldn't be kept up, but it was kept up until the elections, the US presidential elections. But yeah, from our perspective, it looks like it's close to, if not at, business as usual for the Trickbot operators.

Dave Bittner: It's interesting, as you kind of mentioned, you know, to think about this as a demonstration of capabilities on the good guys' side. You know, leading up to the election, to say, you know, here's what we can do in a very sort of public way.

Mark Arena: Yeah, I mean, I think it was, like I said, I think they could probably do more, and I think it was definitely like a shot across the bow. Whether they receive it or not, I'm not sure. I mean, the reality is that they're safe where they are currently, like, they're physically safe. Unless there's a policy change on the Russian-government level, which is unlikely to happen any time soon...

Dave Bittner: Right.

Mark Arena: ...there's certain limits on what we can do. But like I said, back to my original thing, I think the damage, the economic damage, that what they're leading towards, especially with the ransomware-type attacks to all different organizations of all sizes – if you hit an economy hard enough and the impact is big enough, I think you're a national security risk, and at that point, I think gloves are off and I think it's heading that direction.

Dave Bittner: Our thanks to Mark Arena from Intel 471 for joining us. The research is titled, "Trickbot down, but is it out?" We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.