13 October 2020

Tech companies disrupt Trickbot botnet infrastructure

Microsoft, together with industry partners, has moved to disrupt the infamous Trickbot botnet, considered one of the most prevalent threats in the world, with more than one million infected devices. The companies and organizations that took part in the takedown include Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec.

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft revealed.

“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers,” the company explained.

During its investigation into Trickbot, the company analyzed nearly 61,000 malware samples, which revealed constantly evolving modular capabilities and support for infecting Internet of Things (IoT) devices.

The Trickbot malware has been circulating since 2016. It was initially created as a banking trojan, reportedly operated by the group behind the Dyre malware. Over time, however, Trickbot evolved significantly, gaining modular capabilities and ensnaring devices into a botnet that is distributed under a malware-as-a-service model. While the exact identity of the Trickbot operators remains unknown, researchers believe that both nation-states and criminal gangs have used the botnet for their own malicious purposes.

According to Microsoft, the Trickbot operators quickly adapt to developments in society, changing their techniques accordingly.

“Trickbot’s spam and spear phishing campaigns used to distribute malware have included topics such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links. Based on the data we see through Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19 themed lures,” the company said.
