What is TrickBot?
TrickBot is one of the longest-lived botnets on the internet and represents a major threat to businesses and other organizations because it serves as a distribution platform for the infamous Ryuk ransomware and other threat actors. In October, Microsoft together with several partners launched a coordinated action to disrupt the botnet’s command-and-control (C2) infrastructure, and while the battle for control of the botnet is ongoing, the TrickBot gang already has a backup plan in place: an even stealthier crimeware tool they’ve been developing since earlier this year.
“TrickBot has infected over a million computing devices around the world since late 2016,” Microsoft said when announcing the TrickBot takedown operation. “While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.”
TrickBot’s evolution
TrickBot, also known as TrickLoader, started out as a Trojan program focused on stealing online banking credentials and piggybacking browsing sessions to initiate fraudulent transfers directly from victims’ computers. It is considered the successor of the Dyre or Dyreza Trojan, which itself spun off from the GameOver Zeus operation and the larger cybercrime group behind it known as the Business Club. The rise of banking Trojans over the past decade gave birth to the crimeware-as-a-service model that powers today’s cybercrime economy. TrickBot is a prime example of that development.