Latvian Trickbot Malware Developer

The U.S. Department of Justice (DoJ) on Friday charged a Latvian woman for her alleged role as a programmer in a cybercrime gang that helped develop TrickBot malware.

The woman in question, Alla Witte, aka Max, 55, who resided in Paramaribo, Suriname, was arrested in Miami, Florida on February 6. Witte has been charged with 19 counts, including conspiracy to commit computer fraud and aggravated identity theft, wire and bank fraud affecting a financial institution, and money laundering.

According to heavily redacted court documents released by the DoJ, Witte and 16 other unnamed cohorts have been accused of running a transnational criminal organization to develop and deploy a digital suite of malware tools with an aim to target businesses and individuals worldwide for theft and ransom.

Since its origin as a banking Trojan in late 2015, TrickBot has evolved into a "crimeware-as-a-service" capable of pilfering valuable personal and financial information and even dropping ransomware and post-exploitation toolkits on compromised devices, in addition to recruiting them into a family of bots. The group is said to have primarily operated out of Russia, Belarus, Ukraine, and Suriname.

Largely propagated through phishing and malspam attacks, TrickBot is designed to capture online banking login credentials and hoover up other personal information, such as credit card numbers, emails, passwords, dates of birth, social security numbers, and addresses. The captured credentials are then abused to gain illicit access to online bank accounts, execute unauthorized electronic funds transfers, and launder the money through U.S. and foreign beneficiary accounts.

TrickBot also emerged on the threat landscape coinciding with the disbanding of the malware crew behind Dyre after the latter's rapid rise to prominence was curtailed in November 2015, when Russia's Federal Security Service (FSB) purportedly made numerous arrests of individuals suspected of being part of the group.

"In the months and years following the Russian authorities' purported actions, the Dyre actors regrouped and created a new suite of malware tools known as Trickbot," the DoJ said.

Accusing the defendants of plundering money and confidential information from unsuspecting businesses and financial institutions in the U.S., U.K., Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, and Russia, the DoJ said Witte was a malware developer "overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot."

TrickBot notably suffered a huge blow to its infrastructure following twin efforts led by the U.S. Cyber Command and Microsoft to eliminate 94% of its command-and-control (C2) servers that were in use as well as any new servers the criminals operating TrickBot attempted to bring online to replace the previously disabled servers.

But these takedowns have only served as a temporary solution. Not only has the malware proven resilient to law enforcement actions, the operators have also bounced back by adjusting tactics and hosting their malware on other criminal servers that make use of MikroTik routers.

"Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems," said Special Agent in Charge Eric B. Smith of the FBI's Cleveland Field Office. "Cyber intrusions and malware infections take significant time, expertise, and investigative effort, but the FBI will ensure these hackers are held accountable, no matter where they reside or how anonymous they think they are."

If convicted on all charges, Witte faces a maximum penalty of 90 years in prison.
