Prometheus ransomware
CyberDaily: Cybersecurity News

TrickBot, a modular Windows crimeware platform, has shut its infrastructure on Thursday after reports came of its impending retirement. TrickBot was inactive for two months, and Thursday marked the closure of a persistent malware campaign.

“TrickBot is gone… It is official now as of Thursday, February 24, 2022. See you soon… or not,” AdvIntel’s CEO Vitali Kremez tweeted. “TrickBot is gone as it has become inefficient for targeted intrusions.”

Wizard Spider, a Russia-based criminal enterprise, designed TrickBot, which started as a financial trojan in late 2016. Trickbot was branched off from another banking malware Dyre that was discontinued in November 2015. It transformed into a Swiss Army knife of perilous abilities, allowing threat actors to pilfer information through web injects and drop additional payloads. 

The U.S. Cyber Command and a consortium of private security led by Microsoft targeted Trickbot, which severely crippled its infrastructure and impelled the malware’s authors to change and expand its tactics. 

The criminal entity invested more than $20 million into its infrastructure, security firm Hold Security was quoted saying in a WIRED report earlier this month, calling out TrickBot’s “businesslike structure” to run its day-to-day operations and “hire” new engineers into the group.

TrickBot’s closure was on the cards as twin reports from AdvIntel and Intel 471 suggested that TickBot was winding down because its malware activity was becoming traceable, which led operators to change to an improved malware like BazarBackdoor.

“TrickBot, after all, is relatively old malware that hasn’t been updated in a major way,” Intel 471 researchers said. “Detection rates are high and the network traffic from bot communication is easily recognized.”

Indeed, malware tracking research project’s Feodo Tracker shows that while no new command-and-control (C2) servers have been set up for TrickBot attacks since December 16, 2021, BazarLoader and Emotet are in full swing, with new C2 servers registered as recently as February 19 and 24, respectively.