TrickBot is Dead. Long Live TrickBot! Support How can we help? Support for Home ProductsSupport for Business Products My Account Your Account Log in to your Bitdefender account and manage security for what matters. Bitdefender CentralGravityZone CLOUD Control Center For Home For Business For Partners Company Labs Support My Account Security plans Premium Security Complete protection and unlimited VPN for 10 users. Total Security Most Popular Complete protection for 5 or 10 devices. Limited VPN. Internet Security Windows only security with limited VPN. Antivirus Plus for Windows Basic protection for Windows only. Antivirus for Mac Basic protection for Mac only. Bitdefender Premium VPN Ultra-fast VPN that keeps your online identity and activities safe from hackers, ISP's and snoops. See all security plans For existing customers Renewal & Upgrade Support Trial & free products Security plan trials Antivirus Free See all Bitdefender Premium services All Solutions PC Mac Mobile Multiplatform PRODUCTS Bitdefender BOX Internet of Things Bitdefender Premium Security Bitdefender Small Office Security Bitdefender Total Security Bitdefender Internet Security Bitdefender Antivirus Plus Bitdefender Family Pack Already a customer? Renewal & Upgrade Get Support Join the community! SERVICES Bitdefender Digital Identity Protection New Bitdefender Premium VPN Bitdefender Home Network Support Bitdefender Computer Tune-Up Bitdefender VIP Support Premium Services Live Support offered by certified experts TOOLBOX Free Tools Antivirus Free Home Scanner Compare Solutions Trial Downloads Log in to Central Free Tools PRODUCTS Bitdefender BOX Internet of Things Bitdefender Premium Security Bitdefender Small Office Security Bitdefender Total Security Bitdefender Family Pack Bitdefender Antivirus for Mac Already a customer? Renewal & Upgrade Get Support Join the community! SERVICES Bitdefender Digital Identity Protection New Bitdefender Premium VPN Premium Services Live Support offered by certified experts TOOLBOX Free Tools Virus Scanner for Mac Compare Solutions Trial Downloads Log in to Central Free Tools PRODUCTS Bitdefender BOX Internet of Things Bitdefender Premium Security Bitdefender Small Office Security Bitdefender Total Security Bitdefender Mobile Security for Android Bitdefender Mobile Security for iOS Already a customer? Renewal & Upgrade Get Support Join the community! SERVICES Bitdefender Digital Identity Protection New Bitdefender Premium VPN Premium Services Live Support offered by certified experts TOOLBOX Free Tools Antivirus Free for Android Compare Solutions Trial Downloads Log in to Central Free Tools PRODUCTS Bitdefender BOX Internet of Things Bitdefender Premium Security Bitdefender Small Office Security Bitdefender Total Security Bitdefender Family Pack Already a customer? Renewal & Upgrade Get Support Join the community! SERVICES Bitdefender Digital Identity Protection New Bitdefender Premium VPN Premium Services Live Support offered by certified experts TOOLBOX Free Tools Antivirus Free Compare Solutions Trial Downloads Log in to Central Free Tools Solutions Overview Products Solutions & Services Threat Research Why Bitdefender MID-MARKET & ENTERPRISE GravityZone Elite Prevention, Hardening, Risk, and Incident Analytics Endpoint Detection and Response Advanced attack visibility with guided investigation GravityZone Ultra Integrated Prevention, EDR and Risk Analytics Managed Detection and Response SOC-Driven, Security-Focused Outcomes SMALL BUSINESS GravityZone Advanced Business Security Next-Gen AV for All Infrastructures GravityZone Business Security Next-Gen AV for Small Businesses SPECIALTY & ADD-ON GravityZone Security for Virtualized Environments Protection for Virtual Servers and Desktops GravityZone Email Security Cloud-based Email Security GravityZone Security for Containers Purpose-built Container and Linux security MANAGED SERVICE PROVIDERS GravityZone Cloud MSP Security Advanced MSP Security Suite Security for AWS Optimized protection for AWS GRAVITYZONE PLATFORM Solutions Overview Compare Products Online deals Renew & Upgrade Try for free Switching from Symantec? ALL PRODUCTS Full list Solutions Overview Compare Products Contact Log in to GravityZone Find a Partner All Products (A-Z) SOLUTIONS Next-Gen Endpoint Security Small & Medium Businesses Secure Software-Defined Datacenter Secure Hyperconverged Infrastructure Datacenter Revolution and Security SECURITY SERVICES Managed Detection and Response Advanced Threat Intelligence SUPPORT & PROFESSIONAL SERVICES Enterprise Standard Support Enterprise Premium Support Professional Services SPECIFIC USECASES Service Providers Healthcare GDPR Compliance Solutions Overview Compare Products Contact Log in to GravityZone Find a Partner All Products (A-Z) LATEST NEWS Analysis from Bitdefender Labs New Events and Webinars Threat Map RESEARCH Threat Research Papers Annual Threat Report TOOLS Free Security Tools Solutions Overview Compare Products Contact Log in to GravityZone Find a Partner All Products (A-Z) AT A GLANCE Awards & Certifications Technology Alliances OEM Partnerships Business Insights Blog RESOURCES Webinars Case Studies White papers Resource Library INNOVATION & TECHNOLOGIES Anti-ransomware Advanced Threat Protection Hypervisor Introspection Browser Isolation Solutions Overview Compare Products Contact Log in to GravityZone Find a Partner All Products (A-Z) RESELLER PARTNERS Reselling Partner Program Overview Become a Reseller Find a Reseller Log in to PAN Portal SERVICE PROVIDERS MSP Partner Program Overview Become an MSP Partner Find an MSP Partner Log in to PAN Portal TECHNOLOGY LICENSING SOLUTIONS OEM Technology Solutions Advanced Threat Intelligence Endpoint Protection SDKs Gateway Protection SDKs LICENSING OPTIONS SDK Integration Rebranding Bundling CONNECTED HOME PARTNERS IoT Security Platform ABOUT US Overview Management Security Experts Awards & Certifications Customers Analyst Relations Careers NEWS Blogs Media Relations Latest News RESOURCES Research Industry reports White Papers Threat Map Support for Home ProductsSupport for Business Products Log in to your Bitdefender account and manage security for what matters. Bitdefender CentralGravityZone CLOUD Control Center Consumer Insights Labs Business Insights 0 Anti-Malware Research 4 min read TrickBot is Dead. Long Live TrickBot! Liviu ARSENERadu TUDORICA November 23, 2020 TrickBot still crawls despite law enforcement kneecapping operation. It’s operators are scrambling to restore the botnet back to its former glory, Bitdefender researchers have found. An analysis of samples reveals updated communication mechanisms, new C2 infrastructure that uses Mikrotik routers, and packed modules TrickBot has arguably been one of the most popular Trojans for the past couple of years, used by threat actors mostly because of its modular design and highly resilient infrastructure. Bitdefender researchers even analyzed one of its modules earlier this year, particularly because it targeted telecom, education, and financial services in the US and Hong Kong. However, when Microsoft decided to take down TrickBot before the US elections, fearing the massive botnet could be used to thwart the voting process in some way, the endeavor proved to be more like a “kneecapping” operation rather than cutting the hydra’s heads. This was likely a short-term tactic, potentially just to make sure that TrickBot wouldn’t cause any issues during the elections. Key Findings: Mikrotik routers used as C&C servers Version update responses are digitally signed with bcrypt for some Plugin sever list no longer contains hidden services The group behind TrickBot seems to have actively pushed new versions of the Trojan and maintained the full list of modules used in previous versions. However, in the recently analyzed samples, it seems that the shareDll – or mshareDll in its packed version – was no longer present. In fact, now there’s only the shareDll, which is packed, with mshareDll completely removed. This probably indicates that TrickBot operators are moving away from unpacked modules, cleaning up their list of lateral movement modules to only use packed ones. Versioning Before Trickbot’s takedown, the latest known version was 1000513, from August 19, 2020. However, on November 3rd, we found the new “2000016” version that seems to feature all the improvements mentioned above. TrickBot operators seem to have then settled on going back to the original format, but resetting the versioning. Consequently, the latest version we’ve found is now “100003”, available from November 18. C&C infrastructure In terms of communication between victims and C&Cs, TrickBot update responses seem to have been digitally signed using bcrypt, potentially in an effort to impede future takedowns. This particular improvement ensures that each new update for TrickBot is legitimate. This particular behavior was observed for the 2000016 version, but not for the 100003 version. The C&C servers for the “100003” version seem to involve only the use of Mikrotik routers: IP   COUNTRY  103.131.157.161   BD  103.52.47.20   ID  102.164.206.129   ZA  103.131.156.21   BD  103.150.68.124   Not found  103.30.85.157   ID  103.131.157.102   BD  103.146.232.5   Not found  103.156.126.232   Not found  Another interesting change is that, among the updated C&C sever list, there’s also an EmerDNS domain used as a backup in case no known C&C server responds. What’s interesting about this particular domain is that the EmerCoin key (EeZbyqoTUrr4TpnBk67iApX2Wj3uFbACbr) used to administer the server, also administers some C&C servers that belong to the Bazar backdoor. The analyzed sample (82e2de0b3b9910fd7f8f88c5c39ef352) uses the morganfreeman.bazar domain, which has the 81.91.234.196 IP address and running  Mikrotik v6.40.4. Plugin server configuration There are also some major differences between the lists of plugin server configurations, as seen below: Fig. 1 – Previous versions of TrickBot plugin server configurations Fig. 2 – New versions of TrickBot plugin server configurations IP  COUNTRY 156.96.62.82  US 62.108.34.45  DE 185.234.72.248  DE 195.123.241.206  US 194.5.249.216  RO 195.123.240.238  US 46.21.153.247  US 195.123.241.207  US 156.96.119.28  US TrickBot operators have apparently eliminated the Tor plugin services and have added the new tags, which seem to be obfuscated IPs, a technique also used by the Bazar backdoor. Although these look like legitimate IP address, they’re not. The tag appears to only be used for C&C servers, a number that seems to have been reduced considerably compared to previous TrickBot versions. Victims of the new version Based our own telemetry, the most reports from systems that have encountered this new version of TrickBot seem to involve connections from Malaysia, followed by the United States, Romania, Russia and Malta. Conclusions Completely dismantling TrickBot has proven more than difficult, and similar operations in the past against popular Trojans has proven that the cybercriminal community will always push to bring back into operation something that’s profitable, versatile and popular. TrickBot might have suffered a serious blow, but its operators seem to be scrambling to bring it back, potentially more resilient and difficult to extirpate than ever before. tags Anti-Malware Research Author Liviu ARSENE Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past few years. View all posts Radu TUDORICA I'm a security researcher at Bitdefender. Passionate about malware research, APTs, and cybercrime investigations, I love reverse engineering and taking hardware apart and putting it back together. View all posts Right now Top posts Miscellaneous A Note from the Bitdefender Labs Team on Ransomware and Decryptors May 26, 2021 2 min read Anti-Malware Research Whitepapers New Nebulae Backdoor Linked with the NAIKON Group April 28, 2021 1 min read Anti-Malware Research Free Tools Good riddance, GandCrab! We’re still fixing the mess you left behind. June 17, 2019 5 min read FOLLOW US ON SOCIAL MEDIA You might also like Anti-Malware Research LuminousMoth – PlugX, File Exfiltration and Persistence Revisited Bogdan BOTEZATUVictor VRABIE July 21, 2021 9 min read Anti-Malware Research Debugging MosaicLoader, One Step at a Time Janos Gergo SZELESBogdan BOTEZATU July 20, 2021 1 min read Anti-Malware Research Trickbot Activity Increases; new VNC Module On the Radar Bogdan BOTEZATURadu TUDORICA July 12, 2021 1 min read Bookmarks © 2021 Bitdefender. All Rights Reserved