Microsoft fights botnet after Office 365 malware attack

Why it matters: Microsoft has announced that it has successfully disrupted Trickbot’s botnet after it had ensnared some of its Office 365 users. The company submitted a legal request to take down the botnet infrastructure ran by hackers.

According to Microsoft, its Defender Antivirus team has been working alongside major cybercrime partners to collect samples and unravel critical information related to the botnet scheme. Participants in the cybersecurity data exchange group include FS-ISAC, Lumen’s Black Lotus Labs, ESET, Symantec, and NTT.

According to filed court documents, Microsoft sought permission to take over domains and servers belonging to the malicious Russia-based group. It also wanted legal assent to block IP addresses associated with the plot and prevent the entities behind it from purchasing or leasing servers.

The requests were part of a grander plan of action to destroy data stored in the hackers’ systems. The intention was first to block access to servers controlling over 1 million infected machines. This move would be a crucial step in halting control of over an additional 250 million breached email addresses.

Microsoft has said that Trickbot’s strategy was mostly successful because it used a custom third-party Office 365 app. Tricking users into installing it allowed perpetrators to bypass passwords instead of relying on the OAuth2 token. Through this technique, they could access compromised Microsoft 365 user accounts and sensitive data associated with them, such as email content and contact lists.

In the court documents, Microsoft laments that Trickbot used authentic-looking Microsoft email addresses and other company information to malign its clients. It argues that the network used its name and infrastructure for malicious purposes, thereby tarnishing its image.

Tricking users into installing it gave perpetrators the opportunity to bypass passwords and instead rely on the OAuth2 token (credit: YouTube).

Researchers first detected the Trickbot network in 2016. It began as a banking Trojan and developed later into a multiplex malware installer. The updated worm went on to compromise millions of devices worldwide. The entities behind the network have, over the years, leased access to infected systems to other cybercrime syndicates. Analysts widely refer to this as Malware-as-a-Service (MaaS).

Despite Microsoft’s and US government agencies’ best efforts to take down Trickbot, security experts at Intel471 warn that the recent move appears to have had minimal impact. According to the company, the botnet network is extensively decentralized and utilizes IP masking networks such as Tor to obscure server locations. This elaborate approach minimizes damage caused by targeted takedowns.

As noted in the company’s latest report, “Microsoft’s list of Trickbot IP addresses contained four IP addresses at the time of this report and were being pushed by Trickbot’s operators as Trickbot command and control servers. At the time of this report, Intel 471 has not seen any significant impact on Trickbot’s infrastructure and ability to communicate with Trickbot-infected systems.”

Related Articles

Microsoft begins rolling out Windows 10 version 20H2

Windows 10 users running version 1903 or later can now update to Microsoft’s latest publicly available build - Windows 10 version 20H2. The October...

Gone But Not Forgotten: Compaq

While computers had finally made the big jump from machines that took up the better portion of a room to something that could fit...

Apple releases iOS 14.1 with support for iPhone 12, 10-bit HDR, and bug fixes

Apple has release iOS 14.1, a sort of intermediary release between the big iOS 14 release a month ago, and the iOS 14.2...

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

0FansLike
2,390FollowersFollow
0SubscribersSubscribe
- Advertisement -

Latest Articles

Microsoft begins rolling out Windows 10 version 20H2

Windows 10 users running version 1903 or later can now update to Microsoft’s latest publicly available build - Windows 10 version 20H2. The October...

Gone But Not Forgotten: Compaq

While computers had finally made the big jump from machines that took up the better portion of a room to something that could fit...

Apple releases iOS 14.1 with support for iPhone 12, 10-bit HDR, and bug fixes

Apple has release iOS 14.1, a sort of intermediary release between the big iOS 14 release a month ago, and the iOS 14.2...

GOG gives away free copies of Europa Universalis 2 to celebrate the series’ 20th anniversary

If you love free stuff as much as we do, then we've got some good news for you today. As of this morning, DRM-free...

2K Sports adds unskippable ads in loading screens for NBA 2K21

WTF?! We're increasingly told that game loading screens will soon be a thing of the past, but 2K Sports apparently thinks those few seconds...