ARN

TrickBot operators slowly abandon the botnet and replace it with Emotet

Researchers believe the group behind TrickBot is moving the infected devices it controls to the newer, more difficult-to-detect Emotet malware.

TrickBot, once one of the most active botnets on the internet and a primary delivery vehicle for ransomware, is no longer making new victims. However, there are signs its operators are transitioning the already infected computers to other botnets, including Emotet.

"Our team assesses with high confidence that Trickbot operators are working closely with the operators of Emotet," researchers from security firm Intel 471 said in a new report. "There is clear evidence of this relationship, for example, the resurrection of Emotet began with Trickbot."

TrickBot and Emotet have long been friends

TrickBot and Emotet are two Trojan programs that started out as malware tools focused on stealing online banking credentials but evolved into malware distribution platforms, renting out their access to infected systems to other cybercriminal gangs.

Security researchers have long suspected that the group behind TrickBot was one of Emotet's largest customers, and the two botnets regularly distributed each other on infected computers. Furthermore, TrickBot served as one of the primary infection vectors for the Ryuk ransomware.

In October 2020, TrickBot was targeted in a coordinated action by Microsoft, other industry partners and ISPs, which resulted in the disruption of all its command-and-control servers. However, its creators started new spam campaigns to regain control of the infected computers and slowly began to rebuild the botnet.

This was followed in January 2021 by a takedown of the Emotet command-and-control infrastructure by law enforcement agencies in Europe. However, like TrickBot, Emotet started recovering too, and a big reason for that was TrickBot itself.

"On November 14, 2021, we observed Trickbot pushing a command to its bots to download and execute Emotet samples," the Intel 471 researchers said. "This marked the beginning of the return of Emotet."

No new TrickBot campaigns

Researchers can easily monitor new TrickBot samples because each one contains a unique identification code called a gtag, which the operators use to measure the success of each distribution campaign. A gtag is formed from two components, known as sub-tags: three letters followed by three numbers.

According to Intel 471, in November there were eight different TrickBot builds with the lipXXX gtag and eight with the topXXX gtag. The last builds with these gtags appeared in mid-to-late December, and there have been no new builds or new gtags since then. Additionally, the malware configuration file mcconf, which contains the list of command-and-control servers, hasn't been updated since early December, even though it used to receive regular updates.

This significant drop in new distribution campaigns suggests that the TrickBot operators are no longer interested in infecting new systems. The existing computers that make up the botnet still receive commands and injection scripts from the control servers, but this could be partly due to automation.
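The gtag-based tracking the article describes is easy to reproduce in a small script. The following is an added example (not code from the article or from Intel 471) that validates gtags against the three-letters-plus-three-digits format, groups observed builds by their campaign sub-tag, and flags campaigns that have gone silent for longer than a chosen window. The sightings list, its dates and build numbers are constructed for illustration; only the lip and top prefixes come from the article.

```python
import re
from datetime import date, timedelta

# A TrickBot gtag is three letters followed by three digits (e.g. lip001).
# The letter sub-tag identifies the distribution campaign, the digit sub-tag the build.
GTAG_RE = re.compile(r"^(?P<campaign>[a-z]{3})(?P<build>\d{3})$")


def parse_gtag(gtag):
    """Split a gtag into (campaign, build); reject anything not in the expected format."""
    m = GTAG_RE.match(gtag)
    if not m:
        raise ValueError(f"not a valid gtag: {gtag!r}")
    return m.group("campaign"), int(m.group("build"))


def campaign_activity(sightings):
    """Summarise sightings of (gtag, ISO date first seen) per campaign sub-tag.

    Returns {campaign: {"builds": set of build numbers, "last_seen": ISO date}}.
    ISO dates sort correctly as strings, so no date objects leak out of the summary.
    """
    summary = {}
    for gtag, seen in sightings:
        campaign, build = parse_gtag(gtag)
        entry = summary.setdefault(campaign, {"builds": set(), "last_seen": seen})
        entry["builds"].add(build)
        if seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return summary


def dormant_campaigns(summary, as_of, max_silence_days=30):
    """Campaign sub-tags with no new build within max_silence_days before as_of (ISO date)."""
    cutoff = (date.fromisoformat(as_of) - timedelta(days=max_silence_days)).isoformat()
    return sorted(c for c, e in summary.items() if e["last_seen"] < cutoff)


# Constructed sample sightings (hypothetical dates and build numbers, not Intel 471's data).
SAMPLE_SIGHTINGS = [
    ("lip001", "2021-11-03"),
    ("lip002", "2021-11-10"),
    ("top101", "2021-11-05"),
    ("top102", "2021-11-18"),
    ("lip003", "2021-11-29"),
    ("top103", "2021-12-16"),
    ("lip004", "2021-12-20"),
]

if __name__ == "__main__":
    summary = campaign_activity(SAMPLE_SIGHTINGS)
    for campaign, entry in sorted(summary.items()):
        print(f"{campaign}: {len(entry['builds'])} builds, last seen {entry['last_seen']}")
    print("dormant as of 2022-02-01:", dormant_campaigns(summary, "2022-02-01"))
```

Fed with the constructed sightings, the script reports both campaigns as dormant when run as of early February 2022, which is the same kind of signal the researchers used to conclude that no new TrickBot campaigns were being launched. Feeding it a dated list of real gtags from sample feeds would give a defender the same view.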

What happened with TrickBot?

In October, the US Department of Justice (DOJ) announced the extradition of a Russian national, arrested in South Korea, to face charges related to the development of TrickBot. It is not clear whether this directly led to the decrease in TrickBot activity, considering its operators launched new builds and campaigns in November and December.

The Intel 471 researchers believe it's more likely that the TrickBot operators have begun transitioning to other Trojans to continue their operations.

"Intel 471 cannot confirm, but it’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favour of other platforms, such as Emotet," they said. "Trickbot, after all, is relatively old malware that hasn’t been updated in a major way. Detection rates are high and the network traffic from bot communication is easily recognised."

In July 2020, researchers from Cybereason reported that the TrickBot group had developed a loader and backdoor program called Bazar that shares some techniques and infrastructure with TrickBot but is stealthier and uses blockchain-based DNS domains, making it more resilient to takedown attempts.

The Bazar loader has since been used by several cybercriminal groups against high-value targets to deploy attack frameworks such as Cobalt Strike and the IcedID (also known as Bokbot) Trojan inside network environments. Bazar command-and-control servers were also seen distributing both TrickBot and Emotet last year, reinforcing the idea that all three are connected.

"Perhaps a combination of unwanted attention to Trickbot and the availability of newer, improved malware platforms has convinced the operators of Trickbot to abandon it," the researchers said. "We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetisation value in the remaining bots."