The bot malware landscape is always changing, with both new and old families being updated with new techniques for carrying out cybercrime. Because of their sheer number, manually analysing and tracking these families is tedious, and this delays the response to the threat. For this reason, automated systems have become an integral part of malware research, providing a way to learn more about malware operations that are frequently switched on and off. The data obtained from such systems can be indispensable for planning and implementing countermeasures against the threat, narrowing the gap between threat discovery and mitigation.
With the same motivation, we have conducted research on the Trickbot family, which has become one of the most popular botnet families since its first discovery in 2016. It has evolved through new modules being added to its arsenal for spreading further and stealing more information from its victims. To this day we are seeing new campaigns and modules being distributed in the wild.
What really got us interested in this malware is its refined network behaviour and, more importantly, the wide variety of modules it distributes to its victims. Its rotating C2 servers and the on-command delivery of its modules make manual analysis and monitoring extremely tedious. We saw this as a good opportunity to build a tracker system to monitor the malware.
Trickbot’s infrastructure relies on modular infection, with modules distributed over its own network protocol under TLS. This protocol eventually became our entry point for gathering data from its own servers.
In this presentation, we will discuss Trickbot’s behaviour. More importantly, we will focus on the procedures we followed to design and build the monitoring system, including the challenges we encountered along the way. This relies heavily on reverse engineering its network communication and on how we were able to use its own protocol to obtain specific artefacts from its servers.
Drawing on the data we gathered, we will share statistics and the information generated by the tracker, and show how they can be used to help mitigate the threat automatically.