The king of tricks is dead. Long live the new king. Or will it make a comeback?

While we already assumed TrickBot was dead in the water, the shutdown of the server infrastructure on February 24, 2022, did not go unnoticed. Is this really the end of one of the most active botnets in the last decade?

History

The rise of TrickBot started when it was a banking Trojan designed to steal personal financial data. Initial development started in 2016, with many of its original features inspired by Dyreza which was another banking Trojan.

Fast forward a few years to 2018, and due to its modular build and the capabilities to move laterally in a network TrickBot has become the top-ranked threat for businesses. Back then, the authors of TrickBot were agile and creative, regularly developing and rolling out new features. The separate modules made it easier to develop new capabilities and use the malware for several purposes. For example, in 2019 researchers found a new feature in TrickBot that allows it to tamper with the web sessions of users who were on certain mobile carriers. Other features such as disabling real-time monitoring from Windows Defender were also added at some point.

In 2021, a number of arrests were made that provided some insight into the scale and complexity of the TrickBot group. These arrests also seem to have been some of the starting points that marked the end of the group. Some might have felt insecure, even with all the safety guards they deployed to keep their true identity secret, seeing some of their co-workers getting indicted.

Cooperation

The ransomware scene can be compared to any legitimate business vertical in more than one way. You will see short lived cooperation, fusions, and staff moving from one company to another. Some of the malware peddlers and ransomware gangs have established a relationship that can be described as being in league with each other. Given their nature and the amount of money that goes around in these ransomware groups, they are sometimes referred to as (cyber)crime syndicates.

Over the years we’ve seen several campaigns where Emotet acted as a dropper for the TrickBot trojan. TrickBot then stole the financial information it was after, and downloaded the Ryuk ransomware. This Emotet-TrickBot-Ryuk supply chain was feared worldwide and turned out to be extremely resilient. After Ryuk’s rebranding to Conti this did not change. But Conti has grown over the years and expanded to the point that it can now be considered one of the major players in this ”industry” in its own right.

Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti. At some point, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers making the move to join Conti.

The end(?)

There are a few contributing factors that indicate that this may really be the end of TrickBot.

  • The move of developers and managers to Conti, and possibly other gangs.
  • The high detection rate for TrickBot. A less actively developed malware becomes an easy target for detection and remediation routines.
  • The rise of the BazarLoader which used to be a part of Trickbot’s toolkit, but has now been developed into a fully autonomous tool. It seems the likely candidate for Conti to develop further.
  • The voluntary shutdown of the servers and the fact that they hadn’t set up any new servers for months.
  • The lack of new TrickBot email spam campaigns in the year 2022.

Renowned researchers expect this to be the end of TrickBot as we know it.

That doesn’t mean it can’t rise like a Phoenix from the flames with a new label or under different management. Most of the people who have led and developed TrickBot throughout its long run will not simply disappear from the scene, but find new employers, like Conti.

Whether we will notice that TrickBot is gone remains to be seen. Plenty of new infiltration methods are available to the ransomware gangs and their affiliates. And it will probably even take years before we stop seeing TrickBot detections, dormant or not, on some system.