But the U.S.-based threat intelligence company Intel 471 found that Trickbot continues to operate four days after Microsoft’s seizure of the botnet’s U.S. servers. And the Swiss security site Feodo Tracker found 18 such servers still active and sending out malware via spam, despite Microsoft’s efforts.
“They definitely disrupted them, but Microsoft’s actions have not altered the capability of Trickbot to do what they did before,” Intel 471 chief executive Mark Arena said.
Microsoft appears to have taken down all of the Trickbot command-and-control servers in the United States. As of Thursday afternoon, though, 11 servers outside the country that had been running before Microsoft’s action were still online, from Jakarta, Indonesia, to the Dutch province of Utrecht to Bogota, Colombia, according to Intel 471 data.
What’s more, Trickbot’s operators brought another dozen servers online outside the United States, in cities including Amsterdam, Berlin and Moscow, Intel 471 found.