In April 2020, we signed an agreement to enter into Microsoft’s Cyber Threat Intelligence Program (CTIP). This is a voluntary, free-of-charge initiative intended to enable the sharing of limited types of cyberthreat information.

As part of our collaboration, our Global Threat Intelligence Center (GTIC) has been working closely with Microsoft’s Digital Crimes Unit to analyze TrickBot malware, its botnets, and command and control infrastructure with the goal of taking disruptive actions against this threat. This includes ongoing malware analysis, reverse engineering, rogue infrastructure mapping and detailed network forensic analysis.

Appearing in late 2016, TrickBot is one of the world’s most notorious banking trojans and botnets (a botnet comprises networked systems infected with malicious software leveraged by cybercriminals to gain access and control computers). The malware is designed to steal personally identifiable information, including bank and other online account details. It also tries to spread across compromised networks, infecting other devices, and may attempt to download additional malicious content such as ransomware, remote access tools or other post-exploitation toolkits. Recently it's been linked to interference in the upcoming US election with potential ties to nation-state and other cybercriminal syndicates.

A global effort

Cybercrime is a global challenge, and any effective response requires solid coordination between the public and private sector, involving law enforcement agencies across many international jurisdictions. This week’s actions to globally disrupt TrickBot took a multi-pronged approach, using both legal and technical methods across multiple jurisdictions.

We've been actively tracking TrickBot for several years, through ongoing threat intelligence research collaboration between the GTIC, Security Operations Centers (SOCs), and NTT Secure Platform Labs. With access to our global internet backbone traffic along with applied threat intelligence, machine learning and advanced analytics, we're ideally positioned to identify and map botnet infrastructure – extending our reach well beyond that of our clients and partners.

Using our unique telemetry, our analysts were able to discover TrickBot infrastructure communications, uncovering the complex relationships between compromised victim machines and adversary-controlled infrastructure. We've been sharing this threat intelligence to support coordinated efforts in disrupting cybercriminal operators and their infrastructure.

Delivering integrated threat intelligence

Our Group Managed Security Service (MSS) clients already benefit from our integrated approach to threat intelligence and botnet infrastructure detection. With our MSS Threat Detection service, our clients experience rapid threat detection and response through our ability to discover the latest cyberthreats affecting their assets delivered from our multiple SOCs across the world.

Modern threats are without boundaries, so our approach to cyber-defense must be borderless too. Collaboration is essential in enhancing our ability to reduce threats by combining forces to fight cybercrime together. This week’s outcome is a testament to the critical importance of global cooperation, collaboration and information-sharing. It’s essential in making progress to identify and bring cybercriminals to justice.

Countries across the globe continue to struggle with the continuous onslaught of cybercrime, which impacts citizens, businesses, government and academic institutions. With society’s dependence on technology, the quantity and value of information stored online have only increased. So too have efforts to steal and exploit that information. By taking a more proactive stance in fighting cybercrime, we can shift the economics of cybercrime into the defenders’ favor, making it more challenging and costly for adversaries to operate. In doing so, we're contributing to society through our business and corporate activities – making the internet, and the broader digital ecosystem, a safer place for everyone.

Cybercriminals are agile. They will seek to re-platform, re-tool and re-engineer their offensive capabilities as well as supporting infrastructure. In light of recent operations, we’ll continue to enhance our detective technologies, as well as continue to monitor the actions of TrickBot malware developers and their anticipated innovations.