TrickBot takes down server infrastructure after months of inactivity
The king of tricks is dead. Long live the new king. Or will it make a comeback?

While we already assumed TrickBot was dead in the water, the shutdown of the server infrastructure on February 24, 2022, did not go unnoticed. Is this really the end of one of the most active botnets in the last decade?


The rise of TrickBot started when it was a banking Trojan designed to steal personal financial data. Initial development started in 2016, with many of its original features inspired by Dyreza, another banking Trojan.

Fast forward a few years to 2018, and thanks to its modular build and its ability to move laterally in a network, TrickBot had become the top-ranked threat for businesses. Back then, the authors of TrickBot were agile and creative, regularly developing and rolling out new features. The separate modules made it easier to develop new capabilities and to use the malware for several purposes. For example, in 2019 researchers found a new feature in TrickBot that allowed it to tamper with the web sessions of users who were on certain mobile carriers. Other features, such as disabling real-time monitoring in Windows Defender, were also added at some point.

In 2021, a number of arrests were made that provided some insight into the scale and complexity of the TrickBot group. These arrests also seem to have been one of the starting points that marked the end of the group. Seeing some of their co-workers indicted, some members might have felt insecure, even with all the safeguards they had deployed to keep their true identities secret.