Trickbot is Down But Not Out

Posted: 9th November 2020

On today’s podcast episode we welcome back Recorded Future’s senior intelligence analyst Greg Lesnewich.

He shares his insights on what goes on behind the scenes with the Recorded Future’s Insikt Group, and why he finds the work challenging and rewarding. Then, we discuss the latest on the Trickbot global botnet, how they operate, who they target, and the efforts by the intelligence community and private industry to take them down, or at the very least hinder their efforts.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 183 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

On today’s podcast episode we welcome back Recorded Future’s senior intelligence analyst Greg Lesnewich. He shares his insights on what goes on behind the scenes with the Recorded Future’s Insikt Group, and why he finds the work challenging and rewarding. Then, we discuss the latest on the Trickbot global botnet, how they operate, who they target, and the efforts by the intelligence community and private industry to take them down, or at the very least hinder their efforts.

Greg Lesnewich:

So, I tend to handle discovery and tracking of adversary infrastructure and malware deployments. So, the technical side of the diamond model of tracking the APTs and crime actors and things like that.

Dave Bittner:

I mean, can you give us some insights, when you talk about discovery, what goes into that behind the scenes? Is it a technical endeavor? Are you using intelligence that's coming in from multiple sources that you have access to at Recorded Future? What's the mix there?

Greg Lesnewich:

So that's a very interesting question, because it hits the nail on the head of the reason that I got into this field, and in particular into threat research. So many companies put out this great research all the time about new or updated threats, like ESET, FireEye, Kaspersky, CrowdStrike, all these companies, including our own. One of the things that bothered me when I read the original Equation Group report was how do they know all of this?

It has extrapolated from there to say some of it is very technical. So, we do a few exercises where we'll model a few things that other companies have put out or that we've put out from a certain threat actor, certain patterns. In particular for me for infrastructure, whether it's a hosting provider, a domain registrar, places like that, or techniques that they've used in their files, or types of victims that they target and the malicious documents that they use for those things, and pivoting off of that and going and looking in those places.

So sometimes it's trying to enumerate every IP address on a suspicious hosting provider, and seeing if any of those are linked to largely unknown malware families, or are hosting something suspicious. Sometimes that is as simple as looking for key words inside of a malicious Word document, something to the effect of ... For espionage purposes, anything that mentions an embassy or a ministry of foreign affairs, and also has macros embedded in it, is going to rise to the top.

So I think anywhere in a SOC, you have these broad detection rules that make a lot of noise that require some hand sifting in terms of finding new document lures and things like that. Then once we find one interesting, we go through the process of trying to download the secondary payload and things like that, to then try and do discovery on the campaign.

So, it is the manual effort versus the more automated efforts of, once you know something you can put a little bit more scripting and automation behind surfacing things like it, and getting alerts or whatever when new things like it pop up. It's pretty fun. It took a lot of listening to old conference talks, talking to industry peers and things like that and realizing, oh, okay, there isn't a magic bullet for finding things, it's just you’ve got to go look, and sometimes looking takes a long time.

Dave Bittner:

Yeah, I mean, I think it's easy to joke and say that's the glamorous part of the business. That dogged determination to see something all the way through, to have a hunch and track it down. But I would imagine that the more you do this, you start to have pretty good instincts as well.

Greg Lesnewich:

Yeah, one of the things that we talk about a lot when training either our clients or teams internally is that pattern recognition only occurs after a few thousand reps or a few thousand hours of seeing something. So something that stands out to our very seasoned, very talented reverse engineers, say as they're looking through a malicious file, might not stand out to the average person. But the average person that wants to get into this can most of the time put a link between, okay, this is a suspicious looking file that has an Adobe PDF icon, but is actually an executable.

So, I think starting at that broad level and things that are easy to spot as two things that don't necessarily belong together is really helpful to start. It's where many of us start that don't have a computer science or engineering background, that's where many of us start and you just get deeper and deeper from there. The more I speak on this, it sounds like I should write a manifesto of the levels to it, but even I don't fully understand how deep or how wide discovery efforts go across our industry.

Dave Bittner:

Yeah, but I suppose part of what makes your job interesting is that you're never running out of new things to learn and new places and ways to explore.

Greg Lesnewich:

That's absolutely true. Sometimes that takes you back to square one or zero. Trying to learn a programming language, to then understand how it can get used maliciously can be some work, or same thing with learning a protocol or even more basic analysis or common industry tools, but it always seems to be worth it. Yeah, I think that's the thing that keeps me hooked on it is both the detective allure of finding something that no one else has found before, as well as the fact that you have to keep learning everyday on the job.

Dave Bittner:

Well, before we get into some of the specific topics we're going to talk about today, I mean, one more thing that I'm curious about, which is you mentioned, you alluded to those of us who don't have computer science degrees. I think that's a really good point for some of the folks who may be listening who are either considering a career in cybersecurity or on their way in the midst of their studies, certainly now more than ever that's not a prerequisite.

Greg Lesnewich:

Indeed. For those listening, my first job after college was a butcher and then I worked construction and swung a hammer for eight to 12 hours a day. There are always carry-over skills from other industries or other degrees that you can get. For the International Affairs students out there or International Affairs graduates, whether it's the language that you learned or understanding how countries want to interact with each other, those skills are valuable in this field.

If you want to get technical, all the effort that you took to learning those International Affairs things doesn't mean that you can't then apply that ability to learn more technical, hardened skills. Obviously, you have to balance having a day job and a role to fulfill with doing that, but you can put your mind to it and get after it.

The last thing I'll say on that is that the singular maybe benefit of the COVID pandemic has been there is so much additional conference and learning material on YouTube and the internet now, that you can find an intro or a 201 course to almost anything online. Especially computers, whether it's threat intelligence or reverse engineering or analysis-related. So yeah, the building blocks are out there if people want to go look for them.

Dave Bittner:

Well, let's talk about some specific things that you and your team have been working on lately. Let's start off by talking about TrickBot, and there's been some recent takedown efforts there. Can we just back up a little bit, can you give us a little overview on what we're talking about with TrickBot here?

Greg Lesnewich:

Sure. So, TrickBot can sometimes be a misnomer in our industry for a banking Trojan. It is so much more than that. It is a malware that can get loaded either via other means, whether that's its own spam or via Emotet spam that then deploys TrickBot. It comes with a number, or can download rather, a number of modules that allow it to then go from being just a backdoor vector into the infected host, to then being able to move laterally, infect other hosts on the network, send spam to other unconnected hosts and things like that.

The actors behind it have been linked to developing a post exploitation tool called PowerTrick and two additional, I'll call them broadly malware families, one that's referred to as Anchor and one that's referred to as BazarLoader and Backdoor. FireEye calls the most prominent versions of those KEGTAP and BEERBOT. To the average listener, all of the Bazar and KEGTAP things lump together.

The interesting thing about all this development is that they've shifted over time from really focusing on compromising victims by gathering banking credentials, and then stealing that information to add to their own cashout payment, to really developing tools to either sell access to ransomware actors or deploy some of their own pre-built tooling to monetize the infections themselves, allegedly. I'm not in the room with these actors and I don't know that the developers are the ones pushing the buttons, but what they've effectively done is created some pretty potent first stages of infection tooling.

Recently, that whole Bazar family has been linked to a pretty nasty set of intrusions targeting hospitals that have used then a fairly unique version of Cobalt Strike, at least on the server side, to then move laterally throughout a network, use a litany of open source tooling to get access to the main controller and deploy ransomware, Ryuk specifically, across victim environments.

It has taken our industry by storm. I'm sure a lot of people have seen, whether it's news articles or threat research coming out about it. My friend Kimberly Goody and her team at FireEye put out a really awesome blog about a start to finish intrusion and all the tools that those actors will use to deploy ransomware. I think it's a nice moment of our industry coming together, despite the horrible things that are happening, to draw a heavy line and say, "Hey, this is not okay."

I think everyone in the industry responds to intrusions, including ransomware, pretty regularly, but the targeting of human life is something that I think we all see as off-limits, especially during a pandemic. Add to that the attention and pandemonium that's come along with this election season, obviously doesn't have anyone feeling relaxed right now. So add to this, this wretched campaign against hospitals linked to the TrickBot authors has everyone pretty on edge and upset with them right now. But I think everyone's going above and beyond to try and fort these guys from getting into networks.

Dave Bittner:

So, what have the efforts been to take TrickBot down and how have the people running that botnet responded?

Greg Lesnewich:

One of the things that I want to get ahead of too, is that our data suggests that this Ryuk campaign is not in response to TrickBot takedown efforts. We saw domains being registered in August for this campaign, certificates and servers being stood up a couple days prior to the first TrickBot disruption. Now, I think it's a little silly to say that they're not related. If you're preparing to, I guess, engage with someone and they wreck your car or something like that, you're going to be more aggressive, I would imagine, but I don't think it's one-to-one TrickBot takedowns led to this.

The first of these, a U.S. government entity is alleged, I don't know if anyone from that area or that entity is confirmed, but they pushed, in a very clever way, pushed fake configuration updates to TrickBot victims effectively cutting them off from the botnet. I think it's been a little bit undersold how cool that is. They knew enough about how this malware operated and functioned. They're a government entity, they have the legal right to do this, compromise at least some portion of their network and their infrastructure to then push these fake updates to effectively poison their implants.

It's funny calling it a takedown attempt, because what it really did is it severed ongoing intrusions. Which to me is a little bit more effective if you have a day to do something, because taking down a botnet we've seen over time is really, really tricky. Cutting off current infections and buying those victims some time, who knows how many more ransomware incidents we'd be looking at in late October, early November had that not occurred. I think that that occurred on September 22nd.

In the next couple of weeks after that, Microsoft put out legal proceedings, that they basically went to a judge and got the rights to seize TrickBot command and control servers. Initially, this was just in the U.S., but Microsoft's lawyers seemed pretty good and they were able to lead what was an industry coalition with Lumen and ESET and Symantec, and I think FS-ISAC was also involved, to push all of that, identify TrickBot's both tier one and plugin infrastructures, which are the initial communication and customer management infrastructure, and then the secondary infection management infrastructure to add plugins, move laterally, et cetera.

They were able to seize roughly 96 percent of the botnet's command and control servers, which turns out to be a pretty limited number compared to older or bigger botnets. Which again, they did this on a pretty interesting legal reasoning, in that the TrickBot authors had abused Microsoft trademarks in their code. Which is pretty unique, and it seems to be a clever legal way of being able to action against these actors.

Again, I know that some in our industry have said that this effort hasn't been effective, I would argue that it has. I don't think that Microsoft and ESET and these other companies have sat around and said, "Let's try this," I think that it's a calculated move. So in the wake of that, obviously that probably meant a number of ... Their command and control infrastructure is messed up for lack of a better term, and it probably meant a loss of a number of infections.

So from that, we've seen the botnet try and battle back. Microsoft themselves stated that they don't expect the botnet to just disappear, they expect a fight. So, we've seen TrickBot revert back to a command and control infrastructure that wasn't taken down and they've created more infrastructure, but they're pushing it out at a much slower rate than they were before when they've been trying to spread and get new infections since this, predominantly through Emotet spam, they have ... Emotet is another very, very large botnet, one of the most prolific spam centers in the world. They sell access as a service. In a lot of instances, since the TrickBot take takedown efforts began, Emotet has been observed dropping TrickBot.

Historically, there have been anywhere from 30 to 40 servers embedded into TrickBot's configuration. So, it's an encrypted file that TrickBot reads once it executes on a victim host and then tries to connect to one after another to see if any are online. Then once they're online, they get instructions from there and then go about their evil business.

What's changed is as a number of those servers have been taken offline, the amount of servers that we've seen included in every configuration has dropped significantly. I think it dropped to a minimum of around 12 servers and then jumped back up to around 16 the last time that I checked, which was about two days ago. What's interesting about including all those servers is that it does tip to us, they at least think that they have some amount of control left on those servers.

They've played a little bit with the protocol that they use to communicate, instead of traditional servers, they've used a Tor Onion site. So, the alleged dark web. A server not accessible via normal web browser, but requires using a Tor browser or a Tor-based connection to connect to it, using that as a fallback command and control channel. So, it's been pretty interesting watching them scramble to piecemeal their botnet back together.

I think the final note that I have on their response has been they switched largely back over to routers as the command and control nodes, rather than renting a server or compromising a server at a shady hosting provider. To me, the benefit of that is that it's just harder to take down. It's tough to subpoena or get access to a compromised home router, compared to a well-known virtual private server provider that Microsoft talks to all the time. You can lean on those relationships and say, "Okay, we can convince you to help." It's tougher to seize a router that's in front of someone's business or someone's home, they've made an effort to insulate themselves from further takedown efforts.

Dave Bittner:

Where do you think things are going to go from here? I mean, TrickBot is down, but not out. Any thoughts on where we might see them go from this point?

Greg Lesnewich:

I think in the near-term, they're going to keep trying to rebuild their botnet infrastructure and net new infections. Whether that's through Emotet spam or sending of their own spam, perhaps maybe some alternative methods. Assuming that they're the same actors that are behind the Bazar family, it seems that they've put all their eggs in that basket for the immediate near-term, the next couple weeks to a month.

Because we've seen that infrastructure continue to grow and continue to insulate itself that makes it really hard to detect and track. We've only seen it continue to grow. So, all indications point to they're going to continue, the royal they, that an entity that has overlapped with TrickBot seems intent on continuing this ransomware surge against U.S. potentially, Canadian and Western hospitals in the near-term.

Dave Bittner:

Now, what an interesting view you and the rest of the folks on the Insikt team have on all of this stuff. I mean, you said it yourself, a certain component of it is a lot of fun.

Greg Lesnewich:

Yeah, it's fun. I think that the last week of seeing these intrusions has been more stressful, significantly than usual. Seeing state on state espionage attempts, or not that normal criminal behavior is okay, but stealing someone's credit card data is recoverable. States targeting each other to steal data from a Ministry of Foreign Affairs, I have to imagine that if you're a diplomat, you know that you're going to be spied on. Whether that's electronically, whether that's through other means, it comes with the gig of working for an entity like that.

I think that the targeting of things that you can't undo. We saw an individual lose their life, unfortunately in Germany I think a couple weeks ago. So, this has been one of the less fun weeks, but it has really kicked up our efforts to identify ways to proactively monitor and prevent infections from occurring at our clients, anyone around the industry that we can share that information with.

Dave Bittner:

Our thanks to Recorded Future’s Greg Lesnewich for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.