
Microsoft has stopped a massive hacking operation


uk666


Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. 

A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. 

It’s an operation the tech giant says could have impacted the presidential election by snarling computer systems used to maintain voter rolls or report on election numbers.

The company announced Monday that it took down the servers behind Trickbot.

The enormous Russian malware network was being used by criminals to launch cyberattacks, including a strain of highly potent ransomware.

Microsoft said it obtained a federal court order to disable the IP addresses associated with Trickbot’s servers and worked with telecom providers around the world to stamp out the network.

Even so, the company says its efforts reflect a new legal approach that may help authorities fight the network going forward.

Anatomy of a Trickbot campaign


Trickbot is one of the most prolific malware operations in the world, churning out multiple campaigns in any given period. In one specific campaign, the Trickbot operators used several disparate compromised email accounts to send out hundreds of malicious emails to both enterprise and consumer accounts. 

Recipients were from a variety of industry verticals and geolocations and do not appear to have been specifically targeted. This campaign used a shipping and logistics theme, and had the following subject lines:

  1. Shipment receipt
  2. Delivery finished
  3. Urgent receipt comment
  4. Essential receipt reminder
  5. Required declaration

The emails contained a malicious Excel attachment that, when opened, prompted the user to enable macros. If enabled, the macro wrote a malicious JScript Encoded (JSE) file to the disk, which was then executed via WScript.

The JSE script connected to the affected organization’s domain controller and performed several LDAP queries to gather information about Active Directory, including the schema and user lists. The script then exfiltrated the information to attacker-controlled infrastructure. 

The script used the jscript.encode command to encode both server-side and client-side files in order to obfuscate content and evade detection.

However, it appears the operation has not completely disabled the botnet. Microsoft says it could happen again.
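Added example, not from the post, from Microsoft, or from any Trickbot analysis: detection logic for the delivery chain described above (Office macro writes a .jse file, WScript runs it, the script then queries the domain controller over LDAP), run over constructed Sysmon-style process-creation and network-connection events. It generalises slightly beyond the post by also matching Word/PowerPoint parents and other script extensions; the host paths, PIDs, addresses and event field names are assumptions.

```python
import os
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE_RE = re.compile(r"\.(jse|js|vbe|vbs)\b", re.IGNORECASE)
LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog

# Constructed sample telemetry (hypothetical user, paths and addresses).
# "proc" events mimic process-creation records, "net" events network connections.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 412, "ppid": 300,
     "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE Shipment_receipt.xls"},
    {"type": "proc", "pid": 520, "ppid": 412,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\receipt.jse"},
    {"type": "net", "pid": 520, "dst_ip": "10.0.0.5", "dst_port": 389},
    # Benign control: a logon script launched by explorer, no LDAP traffic.
    {"type": "proc", "pid": 700, "ppid": 300,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
    {"type": "net", "pid": 700, "dst_ip": "10.0.0.9", "dst_port": 445},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return findings for script hosts spawned by Office and for script hosts talking LDAP."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in events:
        if e["type"] == "proc" and basename(e["image"]) in SCRIPT_HOSTS:
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in OFFICE_APPS \
                    and SCRIPT_FILE_RE.search(e["cmdline"]):
                findings.append({"rule": "office_spawns_script_host", "pid": e["pid"]})
        elif e["type"] == "net" and e["dst_port"] in LDAP_PORTS:
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) in SCRIPT_HOSTS:
                findings.append({"rule": "script_host_ldap", "pid": e["pid"], "dst": e["dst_ip"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules fire on the constructed chain (PID 520) and neither on the benign logon script (PID 700); in practice the second rule is the stronger signal, since a script host performing LDAP enumeration is rare outside administrative tooling.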
