UPDATED 21:53 EDT / JULY 13 2021

SECURITY

Despite being targeted by Microsoft, Trickbot has returned from the dead

Infamous botnet Trickbot, supposedly taken down by Microsoft Corp. in October, has returned from the dead with a new campaign targeting virtual network computing services.

That Trickbot is back comes as no great surprise. The group has risen from the dead before, most notably in 2019, when the campaign was called season four of Trickbot and compared to a zombie television series.

TrickBot dates back to 2016 and exists on a network of more than 1 million machines. Initially used to target banking credentials with malware of the same name, TrickBot has since evolved several times.

In 2017 a new version went after niche financial institutions. In 2018 another new variant targeted cryptocurrency accounts. Then in 2019 it targeted email accounts in a phishing campaign. And in March 2020, Ostap Trojan-Downloader, yet another variant, was detected in COVID-19 scams.

Not unlike zombies, Trickbot is hard to kill. Although Microsoft Corp. led efforts that are claimed to have disrupted Trickbot last year, it is now back again.

In findings detailed Tuesday, researchers at Bitdefender describe Trickbot as being more active than ever. The return of Trickbot was first detected in May, when it was seen distributing an updated version of the vncDLL module used to select high-profile targets.

The module, called tvncDll, is used for monitoring and intelligence gathering. According to the researchers, it appears to still be under development, since it is frequently updated with bug fixes and additional features.

In a sure sign that Trickbot is back, command-and-control servers being used by the resurrected bot were also found across North America, Europe, India and New Zealand. The number of compromised machines was not detailed.

A botnet typically compromises hundreds, thousands or sometimes millions of machines and corrals them into a network used to run criminal operations. A botnet can be used for multiple purposes, but most typically for distributed denial-of-service attacks, which involve flooding a target with excess traffic to knock it offline. Other uses include the distribution of malware and spam.

The return of Trickbot does prove one point, however. Targeting cybercrime and cybercriminals is a game of Whac-a-Mole. Every time people are arrested or groups are allegedly taken down, others or even the same people return again and again.

Photo: U.S. Air Force
