Other companies joining Microsoft Defender in the coordinated effort include ESET, FS-ISAC, NTT, Symantec, and Black Lotus Labs. Together, the group investigated how the TrickBot infrastructure works and how it delivers malware. Microsoft Defender and its partners analyzed 125,000 malware samples over a period of months. The investigation involved mapping the infrastructure, tracking content, analyzing the malware's functionality, and monitoring servers. Microsoft took this evidence to U.S. courts and was granted permission to seize control of TrickBot's servers. "With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers," Microsoft says. "We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems."
Dangerous Botnet
The Microsoft Defender team points out that removing TrickBot was important because it is one of the biggest botnets. Indeed, the company says over one million machines have been infected by TrickBot malware. Microsoft believes the malware was a threat to the upcoming U.S. presidential election. "Trickbot [is] one of the world's most infamous botnets and prolific distributors of ransomware," Microsoft adds. "As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust."