
The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years.

“TrickBot is gone… It is official now as of Thursday, February 24, 2022. See you soon… or not,” AdvIntel’s CEO Vitali Kremez tweeted. “TrickBot is gone as it has become inefficient for targeted intrusions.”

Attributed to a Russia-based criminal enterprise called Wizard Spider, TrickBot started out as a financial trojan in late 2016 and is a derivative of another banking malware called Dyre that was dismantled in November 2015. Over the years, it morphed into a veritable Swiss Army knife of malicious capabilities, enabling threat actors to steal information via web injects and drop additional payloads.

TrickBot’s activities took a noticeable hit in October 2020 when the U.S. Cyber Command and a consortium of private security companies led by Microsoft attempted to disrupt most of its infrastructure, forcing the malware’s authors to scale up and evolve their tactics.

The criminal entity is said to have invested more than $20 million into its infrastructure and growth, security firm Hold Security was quoted as saying in a WIRED report earlier this month, calling out TrickBot’s “businesslike structure” to run its day-to-day operations and “hire” new engineers into the group.

The development comes as twin reports from cybersecurity firms AdvIntel and Intel 471 hinted at the possibility that TrickBot’s five-year saga may be coming to an end in the wake of increased visibility into its malware operations, prompting the operators to shift to newer, improved malware such as BazarBackdoor (aka BazarLoader).

“TrickBot, after all, is relatively old malware that hasn’t been updated in a major way,” Intel 471 researchers said. “Detection rates are high and the network traffic from bot communication is easily recognized.”

Indeed, malware tracking research project Abuse.ch’s Feodo Tracker shows that while no new command-and-control (C2) servers have been set up for TrickBot attacks since December 16, 2021, BazarLoader and Emotet are in full swing, with new C2 servers registered as recently as February 19 and 24, respectively.
