Microsoft's Campaign on TrickBot Update.

As I wrote before, a coalition of cyber-security organizations and Microsoft orchestrated a global takedown of TrickBot, the second-largest malware botnet.




Microsoft brought down TrickBot's backend infrastructure in the first few days of the coalition's assault, yet the botnet survived: TrickBot operators brought new command and control (C&C) servers online in the hope of continuing the bot's malware-as-a-service operations and other cybercrime schemes.

TrickBot continued to fight back against the coalition of tech companies, but Microsoft promised to continue its campaign against TrickBot and the crew behind it in the weeks to come.



Microsoft has confirmed its second wave of attacks, stating that it has slowly been chipping away at TrickBot's infrastructure over the past week and has taken down 94% of its C&C servers. This covers both the servers originally targeted and any new servers that have come online since.


"From the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as TrickBot infrastructure around the world," said Tom Burt, representative of Customer Security and Trust at Microsoft.


Burt states that Microsoft brought down 62 of the 69 original TrickBot C&C servers, as well as 58 of the 59 servers TrickBot tried to bring online after the initial takedown.


The seven remaining servers that were online and could not be taken down in the first wave of attacks were Internet of Things (IoT) devices.


The main reason Microsoft didn't pull the plug on these systems is that they weren't located inside web hosting companies or data centers. Microsoft still plans to take these IoT devices offline, but it needs to work with the Internet Service Providers (ISPs) behind them first.


Microsoft's swift second-wave takedown of TrickBot's server infrastructure was credited to the company's lawyers, who responded quickly by requesting new court orders that had the new servers taken down within days.



As of right now, TrickBot and its botnets are still alive and active, though they have taken another blow. Even with just a few C&C servers online, the TrickBot crew can keep control of the botnets.


Intel 471, a cyber-security firm, has said that these last few TrickBot C&C servers are located in Brazil, Colombia, Indonesia, and Kyrgyzstan.


Whether Microsoft's campaign will purge TrickBot entirely is up in the air, but Microsoft plans to continue until the US presidential election is over on November 3rd.


Microsoft's goal is to make sure TrickBot is unable to rent access to its botnets to other cybercrime crews, as it has done numerous times before. The fear is that a ransomware crew might use these botnets to disrupt the election by targeting systems that are directly or indirectly connected to it.


Even while under pressure from Microsoft, the TrickBot crew has partnered with Emotet, another botnet that I have reported on in the past. Both crews have been busy infecting more victims.

Posted on Oct 22, 2020 11:31:00 AM by Marcos Xochihua in Microsoft, in Cyber Security, in botnet

Written by Marcos Xochihua

Marcos Xochihua is a Network Security major and Student Ambassador at University of Advancing Technology (UAT)
