Trickbot: international operation to disrupt the botnet

Trickbot steals users' credentials and has recently launched ransomware attacks. ESET Research contributed to the operation with techniques re.

ESET participated in a global operation to disrupt Trickbot, the botnet that has infected over one million computers since 2016. Along with Microsoft, Lumen's Black Lotus Labs Threat Research, NTT and others, the company is intervening against Trickbot by destroying its command and control servers.

ESET contributed to this operation by providing technical analysis, statistics and known names and IP addresses of command and control servers.

Trickbot is known to steal user credentials from compromised computers and, more recently, it has been observed acting as a delivery mechanism for more serious attacks, such as ransomware.

 

ESET Research has been tracking its activities since it was first detected in late 2016. In 2020 alone, ESET's botnet monitoring platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the various Trickbot modules, providing a complete picture of the different C&C servers used by this botnet.

"For years we've been watching it, the Trickbot breaches that have been recorded are systematic, making it one of the largest and longest-running botnets out there. Trickbot is one of the most popular malware families and is a threat to internet users worldwide," explains Jean-Ian Boutin, Head of ESET Research at ESET.

Throughout its life, this malware has spread in various ways. One of them is that Trickbot is installed on systems that have already been compromised by Emotet, another well-known botnet. In the past, Trickbot was used by its operators primarily as a banking trojan, stealing user credentials for online bank accounts and attempting to make illegal money transfers.

Trickbot detections worldwide according to ESET's telemetry system, from October 2019 to October 2020

One of the oldest modules developed for the platform allows Trickbot to use web injects, a technique that lets the malware dynamically change what the user of an infected system sees when visiting specific websites.

"Through monitoring, we collected tens of thousands of different configuration files, which allows us to know which websites the Trickbot operators were targeting. The targeted URLs belong mainly to financial institutions," adds Boutin.

"Dealing with this threat is very difficult, as it has various alternative mechanisms and its connection with other cyber criminals in the background makes its overall operation extremely complex," Boutin concludes.

For more technical details about Trickbot, visit our WeLiveSecurity blogpost "ESET takes part in global operation to disrupt Trickbot".


Written by newsbot
