Neutralize new Trickbot attacks with AI

When a malware strain disappears, it is usually because its creators and operators chose to retire it, not because of external efforts to shut it down. Head-on action by governments and organizations against these threats has often proved short-lived and limited in scope, a pattern unfortunately demonstrated by the Trickbot revival last year.

In the run-up to the 2020 US elections, Microsoft and its partners led an attempt to shut down the Trickbot botnet in order to reduce the risk of election tampering. In the end, 94% of Trickbot's infrastructure was taken down, drastically reducing its impact in late 2020.

Despite these heavy losses, Trickbot soon staged a remarkable resurrection. Instead of fading away, as some had hoped, the strain rebuilt at such a rate that by June 2021 it was once again the most prevalent malware in the world.

One of the many organizations targeted by Trickbot that month was a European public administration body. Unaware that one of its internal domain controllers had already been compromised by Trickbot, the organization happened to begin a trial of Darktrace's artificial intelligence (AI)-based security technology, which surfaced the attack already under way inside its network.

AI catches an emerging Trickbot ransomware attack

Darktrace uses AI-driven behavioral detection to distinguish benign from malicious activity within the organization. When the compromised domain controller began writing DLLs to other machines, Darktrace immediately detected the activity and proposed a response. However, it had been deployed in "human confirmation" mode, which means a human operator must approve any action before it is taken.

While it waited for the security team to approve its actions, Darktrace continued to monitor the threat as it developed. The compromised domain controller was observed pushing the Trickbot payload over SMB to nearly 300 machines across the enterprise and then using Windows Management Instrumentation (WMI) to execute it.

Trickbot may be an old and well-documented malware family, but its modular design makes it highly adaptable and therefore hard for signature-based tools to identify. At this point in the attack, the traditional tools in the organization's network had still not flagged the threat. Because each new build and module configuration changes what the attack looks like, threat-intelligence-based systems will always struggle to keep up.

The difficulty of relying on OSINT to track Trickbot was shown in this attack when 160 of the 280 compromised devices were found connecting to new C2 endpoints. Microsoft and its partners had specifically targeted C2 servers in 2020, but Trickbot's recovery after that action showed how quickly new servers and endpoints can be stood up. In this case, none of the C2 endpoints contacted by those 160 devices appeared in OSINT as malicious; Darktrace nevertheless recognized the behavior as anomalous and raised a high-severity alert to the organization.
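To make the distinction drawn above concrete, the Python below is an added example (it is not Darktrace's code and does not come from this article) of behavioral rather than intelligence-based detection of the two patterns described: one host pushing files over SMB to far more peers than it normally does and following up over the RPC/WMI port, and many internal hosts suddenly contacting an external endpoint that no IOC feed lists. The flow records, the IP addresses, the IOC list and the thresholds are all constructed for the example; all records in one list are assumed to fall in a single observation window.

```python
"""Behavioral detection of SMB fan-out with WMI follow-up, and of new external
endpoints, learned from a baseline rather than from threat-intel indicators.
Added example; not Darktrace code. All data below is constructed."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: (src, dst, dst_port). Port 445 is SMB; port 135 is the
# RPC endpoint mapper that WMI/DCOM remote execution goes through.
BASELINE_FLOWS = [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 6)] + [
    ("10.0.1.7", "91.203.5.44", 443),   # constructed, normal external service
    ("10.0.1.8", "91.203.5.44", 443),
]

# Constructed attack window: the domain controller (10.0.0.5) writes to 290 hosts
# over SMB, then hits the same 290 hosts on port 135; 40 hosts beacon to a new
# external address that the (constructed) IOC feed has never heard of.
_TARGETS = [f"10.0.{i // 250 + 1}.{i % 250 + 1}" for i in range(290)]
ATTACK_FLOWS = (
    [("10.0.0.5", t, 445) for t in _TARGETS]
    + [("10.0.0.5", t, 135) for t in _TARGETS]
    + [(f"10.0.1.{i}", "45.136.8.21", 443) for i in range(1, 41)]
)
IOC_LIST = {"185.189.99.1"}  # constructed feed; does not contain the new C2


def build_baseline(flows):
    """Learn, from a clean period, how many distinct SMB peers each host talks to
    and which external destinations the estate normally contacts."""
    smb_peers = defaultdict(set)
    external = set()
    for src, dst, port in flows:
        if port == 445:
            smb_peers[src].add(dst)
        if not ip_address(dst).is_private:
            external.add(dst)
    return {"smb_peers": {h: len(p) for h, p in smb_peers.items()},
            "external": external}


def detect_smb_fanout(flows, baseline, multiplier=5, min_peers=20):
    """Flag hosts whose distinct SMB targets exceed their own learned baseline
    (by a multiplier, with an absolute floor) and count how many of those
    targets were then contacted on the RPC/WMI port."""
    smb, rpc = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        if port == 445:
            smb[src].add(dst)
        elif port == 135:
            rpc[src].add(dst)
    alerts = []
    for host, targets in smb.items():
        expected = baseline["smb_peers"].get(host, 0)
        if len(targets) >= max(min_peers, multiplier * expected):
            alerts.append({"host": host, "smb_targets": len(targets),
                           "baseline": expected,
                           "wmi_followup": len(targets & rpc.get(host, set()))})
    return alerts


def detect_new_external(flows, baseline, ioc_list, min_hosts=5):
    """Flag external endpoints absent from the baseline that many internal hosts
    suddenly contact. The IOC feed is reported only as context: the alert fires
    whether or not the endpoint is listed, which is the point of the approach."""
    contacts = defaultdict(set)
    for src, dst, _ in flows:
        if not ip_address(dst).is_private and dst not in baseline["external"]:
            contacts[dst].add(src)
    return [{"endpoint": dst, "hosts": len(srcs), "in_ioc_feed": dst in ioc_list}
            for dst, srcs in contacts.items() if len(srcs) >= min_hosts]


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    print(detect_smb_fanout(ATTACK_FLOWS, profile))
    print(detect_new_external(ATTACK_FLOWS, profile, IOC_LIST))
```

The thresholds are per-host and relative to what that host did during the clean period, so a file server that legitimately talks SMB to hundreds of peers is not flagged by the same rule that catches a domain controller suddenly doing so; that per-entity baseline, rather than a fixed indicator, is what lets the check survive a change of C2 servers.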

For more than a month, the attackers lay low. Darktrace then observed compromised devices scanning the network and downloading suspicious executables, most likely Ryuk ransomware payloads. With the stages of the attack now spread out over more than a month, it would have been difficult for a human team to piece together its full extent.

Targeted action before encryption

Because the AI continuously investigates threats across the whole digital estate, Darktrace stitched the separate stages of this attack together into a single incident lifecycle and presented it to the security team. At this point the organization recognized the threat and switched Darktrace from human-confirmation to autonomous mode, allowing the AI to act without waiting for approval.

Although an autonomous response tool will usually stop a ransomware attack at the first signs of compromise, it can intervene at any stage. So even though this organization activated it very late in the attack, it still delivered a precise and effective response.

The AI blocked several malicious actions, including SMB enumeration, network scanning and suspicious outbound connections. Because it targeted these specific actions rather than quarantining whole devices, the 280 compromised machines could continue normal business operations while the attack was halted.

No longer able to complete command-and-control (C2) communications or move laterally, the attackers could not detonate Ryuk, and the attack was over. It was not a moment too soon: had the attackers been allowed to deploy the ransomware, they could have exfiltrated and then encrypted data from across the organization. Even when a ransom is paid, ransomware victims typically incur many other costs, including network downtime and remediation as well as reputational damage.

Stay ahead of malware trends

It is clear that Trickbot is as capable and elusive as ever, and that relying on rules or threat-intelligence-based tools alone is no longer enough for organizations trying to avoid becoming victims. Rather than waiting for companies and governments to take down infrastructure that attackers simply rebuild, organizations must take matters into their own hands and augment their defenses with AI.

By learning how a business normally behaves, rather than trying to recognize a particular attacker, Darktrace's AI can stop novel threats without rules or OSINT and is not fooled by reconfigurations and rebrands. Protecting organizations from new attacks in this way is a reliable way to start hitting Trickbot and other threat actors where it hurts.