Trickbot On The Ropes: Microsoft's Case Against Trickbot

CyberCrime & Doing Time 2020-11-19

 Trickbot is having a truly bad time this month!  While as of today, Trickbot binaries are being delivered by Emotet, there is every sign that they are struggling.   Emotet's daily activities are best documented by a team of researchers using the collective identity "Cryptolaemus" and sharing news of IOCs and URLs on their website: https://paste.cryptolaemus.com/.  With no activity from October 6th to 12th, there was every indication a "change" was coming, and beginning on 14OCT2020, researchers such as our friends at @CofenseLabs and @Malware_Traffic are both reporting that Trickbot is now being delivered by the Emotet spam-sending botnet.  

This post examines Microsoft's case against Trickbot. However, there are also reports of U.S. Cyber Command taking a role in disrupting Trickbot, as reported by the Washington Post and security journalist Brian Krebs. In the "take-down" attempt, as described by Krebs, the bot began propagating to other bots that its new controller IP address should be "127.0.0.1:1" - which would result in the bot-infected computer stopping communication with the criminals.  There was also an attempt to flood the criminals with millions of fake "stolen credentials" hoping to confuse their ability to sort out "true victims."  As Krebs also reported, the fabulous Trickbot C&C tracker at FEODOTracker is reporting many live C&C addresses for Trickbot.  (Also see Trickbot On the Ropes Part 2: the QQAAZZ Money Laundering Ring.) 

The Microsoft Trickbot Case

On October 12, 2020, Microsoft announced "New action to combat ransomware ahead of U.S. election" describing Trickbot as malware that "has infected over a million computing devices around the world since late 2016." By filing a lawsuit in the U.S. District Court for the Eastern District of Virginia, Microsoft received permission for a Temporary Restraining Order (TRO).  The Digital Crimes Unit (much love, guys!) worked with the FS-ISAC, ESET, Symantec, the Microsoft Defender team, NTT, and Lumen's Black Lotus Lab and others to lay out their case. 

The legal documents surrounding the case are on the Microsoft website: NoticeOfPleadings.com/trickbot/

Microsoft and the FS-ISAC bring the case with a 60 page complaint, demonstrating harm to their respective customers in the Eastern District of Virginia, and demanding that "John Doe 1" and "John Doe 2" appear in court for a Jury Trial.

They charge them with violations of: 

  • The Copyright Act - 17 USC § § 101 
  • The Computer Fraud and Abuse Act 18 USC § 1030
  • The Electronic Communications Privacy Act 18 USC § 2701
  • Trademark Infringement under the Lanham Act 15 USC § 1114
  • False Designation of Origin under the Lanham Act 15 USC § 1125(a)
  • Trademark Dilution under the Lanham Act 15 USC § 1125(c) 
  • Common Law Trespasses to Chattels 
  • Unjust Enrichment 
  • and Conversion 
To do so, Microsoft asked the court to force hosting providers to suspend services and block and monitor traffic for the customers who were using particular IP addresses within their organizations.  The list included: 
  • Input Output Flood, LLC of Las Vegas, for IP addresses: 
    • 104.161.32[.]103, .105, .106, .109, and .118.
  • Hosting Solution Ltd (Hurricane Electric of Fremont, California) for IP address:
    •  104.193.252[.]221.
  • Nodes Direct Holdings of Jacksonville Florida for IP addresses: 
    • 107.155.137[.]7, .19, and .28,
    • 162.216.0[.]163, 
    • 23.239.84[.]132, .136
  • Virtual Machine Solutions, LLC of Los Angeles, California for IP addresses: 
    • 107.174.192[.]162 and 
    • 107.175.184[.]201
  • Hostkey USA of New York for IP address: 
    • 139.60.163[.]45 
  • Fastlink Network Inc, of Los Angelese for IP address: 
    • 156.96.46[.]27
  • Green Floid LLC for IP addresses: 
    • 195.123.241[.]13 and .55 
  • Twinservers Hosting of Nashua, New Hampshire for IP address: 
    • 162.247.155[.]165  

Each team made significant contributions to the effort, and most have published their own Trickbot blogs, which I link below, with regards to the case, their most important function was to provide professional analysis in the form of a Declaration in Support of Motion for TRO: 

  • Lyons is Jason Lyons, a Senior Manager of Investigations at the DCU Malware & Cloud Crimes Team.  Lyons, who served in the Cyber CounterIntelligence unit of the U.S. Army, provides 25 pages of testimony and ten "Exhibits." Part of his testimony included the proof of 25 million Gmail, 19 million Yahoo, 11 million Hotmail, 7 million AOL, 3.5 million MSN, and 2 million Yahoo.co.uk addresses known to have been targeted by Trickbot (based on reporting from Deep Instinct)
  • Finones is Rodelio Finones, a Senior Security Software Engineer and Malware Researcher at the Microsoft DCU. He provides a 21 page testimony of his own investigation into Trickbot, 
  • Thakur is Vikram Thakur, the Technical Director of Symantec Enterprise, where he has been a major rockstar for more than a dozen years!  He provides a 20 page testimony.
  • Garlow is Kevin Garlow, Lead Information Security Engineer at LUMEN (formerly CenturyLink). His testimony includes the fact that he has identified 502 distinct IP addresses that had acted as Trickbot controllers, but that 40 of them have remained online despite more than 30 abuse notifications and that 9 of them have been sent more than 100 such notifications.  He states that "We confirmed 55 new Trickbot controller IPs in September 2020 and 99 new Trickbot controller IPs in August."  It is these long-lived "bullet-proof" controllers that Microsoft is targeting.  It is also likely that revealing whoever is paying the bills for those long-lived services may be a path to identifying John Doe 1 and John Doe 2.  Garlow's testimony that he has sent so many notices for take-down which have been ignored is a powerful part of this package!
  • Silberstein is Steven Silberstein, the CEO of the FS-ISAC.  He provides testimony to more than 500 fraud attempts against FS-ISAC member institutions over an 18 month period, with $7 Million in attempted fraud.  One FS-ISAC member had dozens of attempts in a two week period with an average fraud attempt of $268,000!  
  • Ghaffari is Kayvan M. Ghaffari, an attorney with Crowell & Moring LLP for Microsoft and the FS-ISAC.  His testimony calls out the particular web hosting companies that were hosting the machines targeted by the TRO, including Colocrossing, IOFlood, HostKey, VDI-Network, ENET-2, and King Servers, pointing out that all of these organizations have Terms of Service which are clearly violated by the Trickbot controllers.  He then attaches as exhibits more than 650 pages of similar cases and the related court documents from them.
  • Boutin is Jean-Ian Boutin, the Head of Threat Research, calls Trickbot "one of the most prolific and frequently encountered types of malware on the Internet."

Related TrickBot Blogs

ESET analyzed 125,000 malware samples and downloaded and decrypted 40,000 configuration files used by Trickbot modules, helping to map out the C&C servers by the botnet. While Trickbot can drop many "modules" these are not one-size-fits-all.  Trickbot modules were sometimes dropped in phases after an initial assessment of the network on which the bot found itself, and other times varies by the "gtag" -- the unique label used to sign the infection, thought to be related to affiliates who paid the Trickbot operators.

gtag timeline by ESET Lumen's Black Lotus provided C2 timelines, demonstrating which IP addresses in which countries were active in which timeframes.  Indonesia, for example, hosted active C2 servers on 1,362 days!  Colombia and Ecuador, which by their count were #2 and #3 had only 652 and 637 C2 days by comparison.  They shared 95 C2 addresses in their recent Look Inside the Trickbot Botnet blog post. Many of these IP addresses are also called out in Lyons testimony as Exhibit 2.

5.152.210[.]18845.89.127[.]2796.9.77[.]56129.232.133[.]39185.172.129[.]100194.87.236[.]1715.182.210[.]22451.77.112[.]252103.111.83[.]246131.161.253[.]190185.234.72[.]114195.123.238[.]835.182.211[.]12451.83.196[.]234103.12.161[.]194139.60.163[.]45185.234.72[.]35195.123.239[.]1935.182.211[.]13851.89.215[.]186103.196.211[.]120156.96.46[.]27185.236.202[.]249195.123.240[.]1827.147.173[.]22762.108[.]35.9103.221.254[.]102158.181.155[.]153185.25.51[.]139195.123.240[.]9336.66.218[.]11780.210.32[.]67103.36.48[.]103176.31.28[.]85185.99.2[.]106195.123.241[.]22436.89.182[.]22583.220.171[.]175103.76.169[.]213177.190.69[.]162185.99.2[.]115195.123.241[.]22936.89.243[.]24185.204.116[.]117104.161.32[.]108179.127.88[.]41186.159.8[.]218195.161.62[.]2536.91.45[.]1089.249.65[.]53104.161.32[.]118180.211.170[.]214190.136.178[.]52200.116.159[.]18336.91.87[.]22791.200.100[.]71107.155.137[.]15181.112.157[.]42190.145.83[.]98200.116.232[.]18636.94.33[.]10291.200.103[.]236110.93.15[.]98181.129.104[.]139190.152.182[.]150200.171.101[.]16945.127[.]222.892.38.135[.]61112.109.19[.]178181.129.134[.]18190.214.28[.]74200.29.119[.]7145.138.158[.]3392.62.65[.]163117.252.214[.]138181.143.186[.]42190.99.97[.]42201.231.85[.]5045.148.10[.]17493.189.42[.]225121.100.19[.]18182.253.113[.]67192.3.246[.]216212.22.70[.]5945.66.10[.]2296.9.73[.]73121.101.185[.]130185.14.30[.]247194.5.249[.]214220.247.174[.]1245.89.125[.]14896.9.77[.]142122.50.6[.]122185.142.99[.]94194.5.249[.]215

Symantec's blog post "Trickbot: U.S. Court Order Hits Botnet's Infrastructure" has a great infographic about "How Trickbot Works": 

Microsoft on Trickbot's use of Covid-19 Lures

Microsoft is in a unique position to take action against malware, having visibility to so much malware-related traffic from browser telemetry, Microsoft Defender reports, and Office365 scans.  In the past year, they have evaluated 6 Trillion messages and blocked 13 Billion malicious emails that used 1.6 Billion URLs to try to infect the email recipients!

Microsoft's Digital Defense Report 2020 points out that Trickbot began using COVID-19 spam lures on March 3, 2020, and went on to become the most prominent spam botnet using COVID-19 themes.

From MS Digital Defense Report 2020 

We've long argued that if the lure is timely and controversial, people will click on it.  That seems to be the case even today as ProofPoint's @ThreatInsight has pointed out, documenting that a recent malware campaign, first seen October 6, 2020, is using President Trump's diagnosis as a lure to infect people with additional malware, using the subject line "Recent material about the president's situation" and the promise of additional details in a password-protected email attachment.