
Cybersecurity specialists launch hunt for Trickbot botnet, which could threaten US elections
An international group of specialists carried out an operation to neutralize the Trickbot botnet, which has infected more than a million computers since 2016.
KrebsonSecurity was the first to report attempts to neutralize the botnet. However, at the time, the identity of those behind it was not known.
According to the Washington Post, the U.S. military took part in the operation to dismantle the botnet. According to the paper's sources, Trickbot is controlled by “Russian-speaking criminals” and could potentially threaten the US elections.
The campaign to neutralize the botnet does not aim at a complete shutdown but at exerting sustained pressure on the adversary, the publication reports, citing anonymous sources.
Later, Microsoft published a statement about conducting the operation to disrupt Trickbot in cooperation with an international group of partners.
In addition to Microsoft’s Digital Crimes Unit, the group includes ESET, NTT, Black Lotus Labs and others.
“We have disabled key infrastructure so that Trickbot operators could not initiate new infections or activate ransomware programs already loaded on computer systems,” says Microsoft.
Jean-Ian Boutin, head of ESET’s Threat Research, stressed that Trickbot is one of the largest and longest-running botnets:
“This is one of the most widespread families of banking malware threatening internet users worldwide. The banking Trojan steals credentials from online accounts and attempts to execute fraudulent transfers.”
ForkLog, citing ESET representatives, said that recently researchers observed a string of Trickbot attacks on systems already compromised by another major botnet—Emotet.
In a conversation with Bleeping Computer, Boutin noted that during the operation cybersecurity specialists had contacted law enforcement, but he was unaware of any link to the U.S. military campaign against Trickbot.
A Black Lotus Labs post states that the effort will hinder the operators and raise the cost of rebuilding the parts of the infrastructure that were taken down, while noting that it may not fully eliminate the threat.
Trickbot started out as a banking Trojan but later came to be used not only to steal personal data and credentials but also to deploy Ryuk ransomware.