Trickbot International botnet interception operation

Trickbot steals users' credentials and has recently been used to launch ransomware attacks. ESET Research contributed to the takedown operation with technical analysis.

ESET researchers have been involved in a global crackdown on Trickbot, the botnet that has infected more than a million computers since 2016. Together with Microsoft, Lumen's Black Lotus Labs Threat Research, NTT and others, the company took part in disrupting Trickbot by taking down its command and control servers.

ESET contributed to this operation by providing technical analysis, statistics and known names and IP addresses of command and control servers.

Trickbot is known to steal users' credentials from compromised computers, and more recently, it has been observed as a mechanism for carrying out more serious attacks, such as ransomware attacks.


ESET Research has been tracking its activities since it was first detected at the end of 2016. In 2020 alone, ESET's botnet tracking platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the various Trickbot modules, gaining a comprehensive view of the different C&C servers used by this botnet.

"For years we've been watching it; the Trickbot breaches that have been recorded are systematic, making it one of the largest and longest-running botnets out there. Trickbot is one of the most popular malware families and is a threat to users worldwide," explains Jean-Ian Boutin, Head of Threat Research at ESET.

Throughout its lifetime, this particular malware has spread in a number of ways. One of them is that Trickbot attacks systems that have already been compromised by Emotet, another well-known botnet. In the past, Trickbot was used by its operators primarily as a banking trojan, stealing user credentials for online bank accounts and attempting to make illegal money transfers.

[Figure: Trickbot detections worldwide, according to ESET telemetry, October 2019 to October 2020]

One of the oldest plugins developed for the platform allows Trickbot to use web injects, a technique that lets the malware dynamically change what a user of an infected system sees when visiting a specific website.

"Through monitoring, we collected tens of thousands of different configuration files, which allows us to know which websites the Trickbot operators were targeting. The targeted URLs belong mainly to financial institutions," adds Boutin.

"Tackling this threat is very difficult, as it has various alternative mechanisms, and its interconnection with other cybercriminals makes its overall operation extremely complex," concludes Boutin.

For more technical details about Trickbot, visit our WeLiveSecurity blogpost "ESET takes part in global operation to disrupt Trickbot".


Written by newsbot
