Inside Out Security Blog   /  

The Saga of Trickbot

The Saga of Trickbot

Here is a little story that should have made the evening news. Well, it’s actually kind of a big geopolitical story, but given 2020’s logarithmic growth in geopolitical story significance, perhaps even this one is just a bit too tame for prime-time coverage. But we’ll tell the story anyway because it’s a good, big geopolitical story, and one that even saw Microsoft roll up its sleeves and jump in the mix.

With the 2020 United States presidential election in full swing, the mid-October announcement by US Cyber Command of their intentions to take on the global Trickbot malware network stuck out as both a positive and somewhat curious development within the professional cybersecurity community.

Want to learn ransomware basics and earn a CPE credit? Try our free course.

“In just one hour, I’ll teach you the fundamentals of Ransomware and what you can do to protect and prepare for it.”

On the one hand, the government’s stated commitment to using “force-on-force” in taking down a global, automated threat to the solvency of our election infrastructure was widely regarded by cybersecurity professionals as a rare spot of good news in an otherwise chaotic news cycle.

On the other hand, many immediately questioned the efficacy of the effort noting that as a mature and sophisticated piece of malware, Trickbot is designed to replicate itself autonomously. Moreover, Trickbot has been predominantly seen and used as a delivery method for banking malware designed to steal financial credentials, not necessarily something that would pose an obvious threat to elections or the democratic process.

So, what’s the story with Trickbot? Is it really a threat to the US elections? Can it be stopped? Let’s dig in and find out.

Emotet + Phishing Email = Trickbot

As we have recently discovered and discussed, the Emotet botnet has come out of hibernation with a vengeance, dropping malspam phishing emails into corporate networks by the millions. The “hook” in these campaigns tends to be a legitimate-looking Microsoft Office document, a link, Windows system notice, or credential wall delivered via email. Once the attached document is macro-enabled or the machine’s credentials are entered, Emotet gets to work.

PSA: Don’t click this. Ever. Really. Just don’t.

The first rule of Emotet is: more Emotet! After all, it would seem to be a bit of a lost opportunity for a botnet to penetrate a machine and not take advantage of its capabilities to replicate itself. So, that’s what it does. Once self-preservation is out of the way, the botnet of botnets delivers what can be a mixed bag of payloads but has tended recently to include Trickbot.

emotet attack flow

Imaged borrowed from our deep dive on Emotet. Are you freaked out by any of this? Get a free ransomware risk assessment here.

So, Trickbot the botnet is unleashed by Emotet the botnet. Still with us? Cool.

The first rule of Trickbot is: more Trickbot! Sound familiar? It should. Legacy persistence is the name of the game with malware, and its first order of business is to establish persistence by creating a Scheduled Task. Like Emotet, Trickbot is a versatile beast, and again we see it gaining a further foothold to replicate itself and seek out opportunities that might lead to privilege escalation, data exfiltration, or credential siphoning for direct access to a user’s accounts either in the current system, adjacent systems or third-party systems.

For example, Mimikatz (which sounds way cuter than it is) is a module that Trickbot uses to gather and steal credentials and send them back to the malware operator. It is through this process that Trickbot earned its reputation as a banking trojan since it first popped up back in 2016. Recently, the botnet has even taken on hot-button topics like the COVID-19 pandemic and social justice issues to provide familiar and hyper-relevant content to its phishing email campaigns, thereby increasing its success rate for infection.


Urgent issue? ✅ Poorly worded? ✅ Hyperlinked text? ✅ Phishing? 💯

So, Trickbot unleashes some nasty modules like little digital parasites that feast on different bitstreams in your connected systems. Are you hungry for more?


Trickbot + Ryuk = Ransomware for Hire

Being the enigmatic thing that it is, Trickbot has also been found to deliver the Ryuk ransomware payload which specifically targets network files and disables Windows System Restore. This powerful and relatively new cryptolocker takes system files, encrypts them to cause major accessibility and business continuity issues, and then demands a ransom of the system’s owners (often large corporations) to provide a decryption key that unlocks the files and brings the systems back online. Indeed, a recent Ryuk campaign shook down a single county in the state of Florida for over $1 million in one month alone.

Tracing down the origins and active nodes of this distributed network is tricky stuff, but it is widely believed that Trickbot botnet and the resulting Ryuk crypto malware are the product of various criminal operators and certain nation-state enterprises. Prior to the rise of Ryuk and similar ransomwares, the systematic disabling of enterprise networks was often the work of large-scale distributed denial of service (DDoS) attacks that required coordinated and sustained, laser-like focus of network traffic to overwhelm sites for a period of time long enough to cause some financial pain. But Ryuk doesn’t need to command a ton of network traffic to cripple a business. Once it lands it does its thing and starts fouling servers from the inside out.

And it is at this juncture and against this backdrop that Trickbot’s threat to the US electoral process starts to come into focus.

US Cyber Command + Microsoft = The “Takedown”

On October 9, 2020, news broke that the US Cyber Command division of the Department of Defense had undertaken a rare force-on-force campaign to disrupt the Trickbot botnet.

Remarkable for its proactive posture, the government’s action came on the heels of two significant disruptions and causes for concern. In late September 2020 it was reported that a German woman died while being rerouted to a secondary hospital due to the one closest to her being unable to process her. A ransomware attack had taken out its records system. The second event was somewhat less dire but concerning nonetheless, and that was the September ransomware attack on Tyler Technologies, a vote processing platform which is used in dozens of voting systems in the United States. Both events took place shortly after the head of Cyber Command, General Paul Nakasone’s comments in August 2020:

“Right now, my top priority is for a safe, secure, and legitimate 2020 election. The Department of Defense, and Cyber Command specifically, are supporting a broader ‘whole-of-government’ approach to secure our elections.”

Three days after the Cyber Command story broke, Microsoft announced that they had won legal custody of several domains and IP addresses that appeared to be commanding the Trickbot botnet. This resulted in swift disablement of related assets and repatriation of malicious traffic, dealing the botnet a significant disruption to its operations.

That would be a real fairytale ending to the story that we now know does not just involve crimes of corporate extortion, but of life and death outcomes.

But the story doesn’t end there. Alas, a mere 48 hours after the Microsoft “takedown” announcement, security analysts noted that the remaining, functional Trickbot nodes were now loading a configuration file that contained fifteen new server addresses, including two of the addresses that were subject to the recent takedown. Trickbot has rebooted and lives on.


And that is the real story of Trickbot: that two of the world’s most powerful public and private entities, the United States Department of Defense and Microsoft, only managed disrupt it for a few days, despite their best concerted and coordinated efforts.

So, what can a company or organization do to combat Trickbot, its dynamic payloads, and myriad attack vectors?

Well, there’s hope in them there hills, so let’s go there.

Varonis + Microsoft = Sad Trickbot

While the media headlines and cybersecurity awareness training courses all shout “Intrusion!”, “Virus!”, and “Infection!”, the reality is that a network intrusion is not a material event in and of itself. In fact, many malware variants breach a perimeter and do nothing of monetary value for an extended period of time. They get in, they take a seat, and they move and look around often unnoticed. It’s what happens after the infiltration that is cause for concern and where the impact starts to be felt.

The modus operandi of any malware, hacker overlords, or nation state is to infiltrate and steal or encrypt data. The right kind of data has value, and in the case of ransomware, the ability to access data has value.

Whether on-premise or in the cloud with Microsoft 365, the Varonis data security platform serves as a custodian for every piece of data in your Microsoft environment. If any piece of data is touched, moved, or otherwise manipulated in any way that we (or you) find to be suspicious, we take action to prevent that activity from happening. And with Varonis Edge we even monitor, report, and execute on the perimeter as well, so you get a unified 360 degree view across all four dimensions of your environment. That’s lateral movement (X axis), vertical movement and privilege escalation (Y axis), file contents (Z axis), and historical object status (time). In the fight against Trickbot, Varonis is your superhero.

Varonis Datalert Trickbot

Sad Trickbot 🙁 courtesy of Varonis.


So, the story of Trickbot, the US government, Microsoft, and our democratic processes is more like an ongoing saga. There’s plenty of intrigue, and a fair amount of drama, but one thing is certain: when Trickbot, Emotet, Ryuk or Mimikatz knock on the door to a Varonis customer’s Microsoft environment, there is no headline, because there is no story at all.

We're Varonis.

We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

How it works