Trick or Treat: Tricky TrickBot Tricks the Tricksters

We recently found out about 2 actions taken against the TrickBot botnet by 2 very large and powerful entities. Brian Krebs covered this initially and stated that it involved some actor modifying the configuration files that were pushed to the botnet clients. We later found out that it was a disruptive ‘persistent engagement’ campaign carried out by US CyberCom (  Shortly thereafter, Microsoft announced that they had “cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections”.   This was all great news as Trickbot has been known to lead to some of the worst ransomware infections out there.  I personally couldn’t be happier that these actions were taken, but let’s just take a minute to assess what happened.

US CyberCom managed to find a way to inject a new configuration file into existing TB (TrickBot) infections.  Their goal was to replace the command and control IP’s to point to localhost effectively killing the controller’s ability to update and send commands to the botnet. We understand that they did this for a large majority of the infected clients.  TB has built in backup C2 locations that cannot be altered, shutdown, or otherwise dealt with by changing configs. In the same article posted by Brian Krebs on CyberCom, Alex Holden makes clear that the actors behind TB still have all of their data and the ability to control the botnet regardless of this action.  Unfortunately, this appears to have only given the TB crew fuel for retaliation.  But this really shouldn’t matter if MS did what they say they did.

Microsoft announced ( that they had used legal actions to get justification and authority to take down key pieces of the botnet’s infrastructure.  This is actually a pretty exciting legal precedent that they have set with the use of trademark law to take action.  I sincerely hope that this is used more often to disrupt, and more importantly take down these actors’ infrastructure. 

Unfortunately for us, they didn’t take down all of the key infrastructure and as of this morning (Oct 14, 2020) just a few days after that announcement, TB is back.  Not only are they back, but they are again leveraging Emotet to drop and spread.  We have just found it deploying more of the mor* gtag to all 3 epochs of the botnet in what will likely prove to be a mass spreading event to recuperate some of the losses to these actions. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.