Microsoft takes down botnet threatening US elections

Microsoft has disrupted Trickbot, dealing a big blow to attempted cyberattacks in November.
12 October 2020

Trickbot: out for the count? Source: Shutterstock

  • Ransomware and other cyberattacks are among the biggest threats to the US elections in November
  • Microsoft and other technology partners have dismantled one of the biggest botnets, which could significantly reduce that threat

Cyberattacks are one of the biggest threats to the upcoming US presidential elections. Adversaries can use ransomware to infect computer systems used to maintain voter rolls or report on election-night results, seizing systems at the most opportune time to sow chaos and distrust, which could ultimately undermine a credible result. 

Today (October 12), tech giant Microsoft, alongside a number of other tech companies, announced a preemptive strike, dismantling key infrastructure supporting one of the world’s most dangerous botnets.

According to an announcement by Microsoft, the consortium — which includes telecommunications providers from multiple countries — obtained a federal court order to disrupt Trickbot, meaning those operating the network of infected computers will no longer be able to initiate new infections or activate ransomware dropped into computer systems.

Trickbot operators are expected to begin losing communications with millions of computers that had been infected over months or even years. 

By disrupting Trickbot now, Microsoft and others believe they will head off any threat it poses to the US elections in November. However, the firm “fully anticipates” that Trickbot’s operators will attempt to revive operations. 

“In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses, and universities from the various malware infections Trickbot enabled,” said Tom Burt, Microsoft’s corporate vice president, customer security & trust. 

What is Trickbot? 

Trickbot is an established banking trojan designed to access online accounts in order to obtain personal data. However, it’s also used to infiltrate networks to deploy other malware, including ransomware and post-exploitation toolkits — it can download new capabilities onto a victim’s device, and update those it’s already deployed.

Trickbot has infected over a million computing devices around the world since late 2016, including IoT devices, such as routers. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives. The trojan is delivered through elaborate phishing campaigns, which have been themed around topics such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links.

Microsoft’s investigation into Trickbot turned up approximately 61,000 samples of Trickbot malware: “What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model,” said Burt.

Operators could provide their customers — which could include ransomware groups — access to infected machines and offer them a delivery mechanism for many forms of malware. 

The takedown

To obtain a federal court order granting the request, Microsoft and its partners conducted an extensive investigation. This enabled them to identify the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers “talk” with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operations. 

“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers,” said Burt. 

With the evidence, the court granted approval for the tech companies to disable the IP addresses, block access to the content stored on the command and control servers, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.
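The same observation that let the investigators pin down the command and control servers, namely that infected machines repeatedly connect to a small set of server addresses, is what a defender uses after a takedown to find hosts that are still trying to reach the botnet. The script below is an added example written for this article, not code from Microsoft or any of its partners. It assumes a simple space-separated flow-log format (timestamp, source IP, destination IP, destination port, protocol) and uses constructed placeholder indicators from the TEST-NET ranges; real indicator lists would come from the published takedown material, not from this page.

```python
import ipaddress
from collections import defaultdict

# Placeholder C2 indicators (constructed; TEST-NET addresses, not real Trickbot infrastructure).
# A real list may mix single hosts and CIDR blocks, so both forms are accepted.
C2_INDICATORS = ["192.0.2.10", "198.51.100.0/24"]

# Constructed sample flow log: timestamp src_ip dst_ip dst_port proto.
# The last two lines are deliberately malformed to exercise the parser's error handling.
SAMPLE_FLOWS = """\
2020-10-12T09:00:01Z 10.0.0.5 192.0.2.10 443 tcp
2020-10-12T09:00:05Z 10.0.0.5 93.184.216.34 443 tcp
2020-10-12T09:00:31Z 10.0.0.7 198.51.100.42 443 tcp
2020-10-12T09:01:01Z 10.0.0.5 192.0.2.10 443 tcp
2020-10-12T09:01:07Z 10.0.0.9 10.0.0.1 53 udp
2020-10-12T09:01:09Z 10.0.0.9 not-an-ip 80 tcp
truncated line
"""


def build_networks(indicators):
    """Turn a list of IPs / CIDR strings into ip_network objects for membership tests."""
    return [ipaddress.ip_network(ind, strict=False) for ind in indicators]


def parse_flow(line):
    """Parse one flow-log line; return None for lines that do not fit the expected format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    timestamp, src, dst, port, proto = fields
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        dst_port = int(port)
    except ValueError:
        return None
    return {"ts": timestamp, "src": src_ip, "dst": dst_ip, "port": dst_port, "proto": proto}


def find_c2_contacts(log_text, indicators):
    """Map each internal source IP to the list of flows it sent to an indicator address.

    Hosts that appear here are candidates for isolation and forensic review:
    after a takedown the C2 addresses are dead, but the implant keeps beaconing.
    """
    networks = build_networks(indicators)
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than aborting the whole scan
        if any(flow["dst"] in net for net in networks):
            contacts[str(flow["src"])].append((flow["ts"], str(flow["dst"]), flow["port"]))
    return dict(contacts)


def main():
    for host, flows in sorted(find_c2_contacts(SAMPLE_FLOWS, C2_INDICATORS).items()):
        print(f"{host}: {len(flows)} contact(s) with indicator addresses")
        for ts, dst, port in flows:
            print(f"  {ts} -> {dst}:{port}")


if __name__ == "__main__":
    main()
```

Run against the constructed log, the script reports two internal hosts: 10.0.0.5, which contacted 192.0.2.10 twice, and 10.0.0.7, which contacted an address inside the 198.51.100.0/24 block. A repeat contact from the same host at a regular interval is the beaconing pattern the article describes, and is a stronger signal than a single hit.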