Microsoft takes down world’s most notorious botnet and ransomware network Trickbot ahead of U.S. elections
Trickbot is one of the world’s most infamous botnets and one of the most prolific distributors of ransomware. Cybercriminals use Trickbot to send fake emails designed to look like legitimate notifications. Developed in 2016, TrickBot is one of the more recent banking Trojans, with many of its original features inspired by Dyreza (another banking Trojan).
Trickbot has been used to spread false and malicious emails containing malware that attempted to lure victims in by referencing Black Lives Matter and Covid-19. Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.
Windows users can now breathe a sigh of relief. Today, Microsoft announced that it has taken down Trickbot ahead of the U.S. elections. According to Microsoft, the Trickbot network had the potential to disrupt the ongoing U.S. elections. Through a federal court order, Microsoft was able to work with various Internet Service Providers in the U.S. to turn off the IP ranges used by Trickbot’s servers.
“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.
In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled.”
Trojan.TrickBot is a banking Trojan targeting Windows machines. Besides targeting a wide array of international banks via its webinjects, Trickbot can also steal from Bitcoin wallets. Some of its capabilities include harvesting emails and credentials using the Mimikatz tool.
“In the course of Microsoft’s investigation into Trickbot, we analyzed approximately 61,000 samples of Trickbot malware. What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model. Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, Trickbot has also infected a number of ‘Internet of Things’ devices, such as routers, which has extended Trickbot’s reach into households and organizations.”
In the meantime, Trickbot has put its domain name Trickbot.com up for sale for $3,195.