According to a WIRED report earlier this month, the criminal entity has invested more than $20 million in its infrastructure and growth, with security firm Hold Security citing TrickBot’s “businesslike structure” to run its day-to-day operations and “hire” new engineers into the group.
TrickBot, a modular Windows crimeware platform, formally shut down its infrastructure on Thursday, following reports of its upcoming retirement after a nearly two-month lull in activity, bringing an end to one of the most persistent malware campaigns in recent years.
TrickBot, attributed to a Russian criminal organisation called Wizard Spider, began as a financial trojan in late 2016 and is a derivative of another banking malware called Dyre, which was dismantled in November 2015. It evolved into a veritable Swiss Army knife over time.
TrickBot’s activities were hit in October 2020 when the United States Cyber Command and a consortium of private security companies led by Microsoft attempted to disrupt the majority of its infrastructure, forcing the malware’s authors to scale up and evolve their tactics.
Intel 471 researchers explained: “Detection rates are high, and bot communication network traffic is easily identified. After all, TrickBot is relatively old malware that hasn’t been updated significantly.”
The news comes as twin reports from cybersecurity firms AdvIntel and Intel 471 suggest that TrickBot’s five-year saga may be coming to an end due to increased visibility into their malware operations, prompting the operators to shift to newer, improved malware such as BazarBackdoor (aka BazarLoader).
Indeed, Abuse.ch’s Feodo Tracker shows that, while no new command-and-control (C2) servers have been set up for TrickBot attacks since December 16, 2021, BazarLoader and Emotet are still active, with new C2 servers registered as recently as February 19 and 24, respectively.
Conti is also credited with restoring and integrating the Emotet botnet into its multi-pronged attack framework beginning in November 2021, with TrickBot, ironically, being used as a delivery vehicle to distribute the malware after a 10-month hiatus.
Finally, the researchers concluded that “the people who have led TrickBot throughout its long run will not simply vanish. They are now rich in prospects with the secure ground beneath them after being ‘acquired’ by Conti, and Conti will always find a way to make use of the available talent.”