Latvian woman charged with writing malware for the Trickbot Group

The US Department of Justice (DOJ) just announced that it has charged a 55-year-old Latvian woman, who went by the moniker of Max, with malware-writing crimes.

Max, whose real name is apparently Alla Witte, is the sixth of seven defendants listed in the DOJ’s indictment, along with ten other unknown individuals identified only as CC8 to CC17. (CC is short for co-conspirator.)

At the moment, the names of the other six defendants have been redacted from the document, so that Witte is the only one whose name has been publicly released.

(In the indictment, filed in August 2020, Witte was identified as a “national of Russia”, but the headline of the DOJ’s latest press release describes her as Latvian.)

Witte was apparently living in Suriname in South America at the time of the alleged offences, but was arrested in Miami, Florida, in February 2021, presumably while attempting to enter the US.

The indictment, which runs to 61 double-spaced pages, tells a fascinating story of how the Trickbot Group, as the DOJ refers to this cybergang, operated and evolved over a five-year period from late 2015 to the middle of 2020.

Also documented in the indictment is a laundry list of attempted financial thefts from so-called “co-operating witnesses” – eleven US companies that have come forward to help establish the nature and extent of the criminality attempted by the Trickbot Group.

The fradulent transactions attempted against those 11 companies alone add up to $6.2 million, but the DOJ says that the Trickbot malware has infected millions of computers worldwide in the broadest possible way, hitting individuals, businesses and organisations including hospitals, schools, public utilities and governments.

Trojan, zombie and worm…

Trickbot is probably best known for being what’s called a banking Trojan, malware that deliberately snoops on your computer while you’re performing financial transactions in order to steal your personal information and prey on your account.

But Trickbot, as the name suggests, also acted as a bot, or zombie, malware that regularly calls home to servers operated by the criminals in order to fetch instructions on what to do next.

Trickbot would also go hunting for other computers to to infect on your network, acting as what’s known as a virus or worm, in order to increase its foothold and improve its yield.

As you probably know, almost all bots or zombies include a function by which they can install and activate additional malware, and the Trickbot Group took particular advantage of this “feature” in its own code by using existing Trickbot infections not only to go after your bank accounts but also to launch ransomware attacks on your network.

As the indictment explains, the Trickbot Group stands accused of conspiring to:

  • Infect victims’ computers with Trickbot malware designed to capture victims’ online banking login credentials.
  • Obtain and harvest other personal identification information, including credit cards, emails, passwords, dates of birth, social security numbers, and addresses.
  • Infect other computers networked with the initial victim computer;
  • Use the captured login credentials to fraudulently gain unauthorized access to victims’ online accounts at financial institutions.
  • Steal funds from victims’ bank accounts and launder those funds using US and foreign beneficiary bank accounts provided and controlled by conspirators.
  • Infect victims’ computers with ransomware.

The last of these activities – running a ransomware operation using zombified Trickbot computers to inject and initiate the attack – is where Witte is said to have been involved.

According to the indictment, she seems to have joined the Trickbot Group fairly recently, starting in late 2018.

Amongst other things, Witte is alleged to have “provided code to the Trickbot Group to operate and deploy the Trickbot ransomware module.

She is also said to have “provided code […] for a web panel used to access victim data stored in a database,” where others in the Trickbot group could look up zombies currently active in the Trickbot botnet, and access data such as credit card details already stolen from infected victims.

What to do?

  • If you’re a contract programmer, don’t be tempted to take on coding jobs that you aren’t sure about. You could end up getting sucked into a world where you oughtn’t, and probably don’t want, to be. (The indictment details how Trickbot co-conspirators discussed rewording their “job ads” to sound less obviously criminal so that their postings wouldn’t get banned.)
  • If you’re looking to work from home, never hand over your CV (resume) or fill in job applications for companies whose legal provenance you aren’t absolutely certain about. Gangs like the Trickbot Group rely on recruiting “assistants”, disparagingly known as money mules, who are willing to process funds through their personal accounts without asking too many questions about where the money came from. If you do this and get caught, it’s possible that you will end up in prison and almost certain that you will end up out of pocket.
  • Consider an anti-virus that includes network filtering and exploit prevention as well as traditional malware blocking. Malware like Trickbot uses a variety of techniques to operate, including making regular outgoing web requests for new instructions, actively interfering with software such as your browser in order to steal data from it, and attempting to copy itself across your network. Security software that offers what’s known as defence in depth can protect you against any and all of these tricks, giving you multiple ways to find and block cyberthreats.