The organization behind the Trickbot malware operation infected more than one million systems in nearly a dozen countries and regions, and its participants included malware experts, freelance developers, and pay-as-you-go money mules, according to an indictment against one of its developers unsealed this week.
The details of the indictment against Latvian national Alla Witte portray a large, mostly ad hoc organization that scaled up its operations to include nearly 20 different participants, and likely more. The group posed programming questions to potential developers, discussed which programmers suited their needs, and used a variety of cybercrime services to improve their operations.
Adam Kujawa, Director of Malwarebytes Labs, said that the degree to which the various members of the team are assigned specific roles is impressive.
“There is a group that compiles the malware, and then they pass it to the group that encrypts the malware, and then it is passed to the person who distributes the malware, and so on,” he said. “The fact that these people are recruiting developers through Russian job sites means that the scale of their business is too large for the talent pool in the cybercrime world.”
The operators of the Trickbot malware have been so successful that the joint effort by the U.S. government and industry to take down the operation in October largely failed, with the operators quickly recovering from the disruption.
However, the lightly redacted indictment shows that US investigators had access to communications between many of the people behind the operation. Two participants whose names have been redacted discussed the need to use servers located in the United States as a way to hide their origins.
“They should say thank you [sic] for us, for those who steal money from Americans, we deserve the Medal of Valor,” one wrote.
In November 2015, Russian officials reportedly arrested a group involved in the operation of a malware known as Dyre, which operated out of the offices of the film company 25th Floor. The Dyre arrests did not lead to charges, according to Witte’s indictment, but within a month the people behind the malware were rapidly rebuilding the infrastructure that would lay the foundation for the Trickbot group.
On December 7, 2015, a co-conspirator designated as CC8 in the indictment wrote: “We are restoring everything bit by bit.”
“Yes, it is hard work, but I believe everything will be restored,” another responded.
The indictment alleges that the Trickbot team used programming and hacking tests to find willing and suitable candidates for development and hacking positions in the organization, which one of its members referred to as a “company.” Candidates who were unwilling to carry out “black hat” hacking were rejected by the group’s “leadership.” “If they ask other questions, this person [sic] not suitable,” CC8 wrote.
Throughout Trickbot’s life cycle, the operation used a large number of cybercrime services, including at least four counter-antivirus scanning services. In one case, the team created an account with Virus Checkmate (VCM) and then uploaded more than 43,000 files for the service to check.
Witte, referred to as a Russian national in the indictment, began doing development work for the group in October 2018.
From 2017 to 2019, the Trickbot group attempted to initiate at least 29 wire transfers, ranging from US$44,800 to US$691,570. The indictment does not state how many of the transfers, if any, were successful.
Malwarebytes’ Kujawa said that although Trickbot and other cybercriminal groups have shrugged off many attempts to disrupt their operations and arrest their members, the current indictment shows that the government’s continued attention to these groups appears to be having an impact.
“The government is now doing more to hunt down the finances of these groups, whether through legal means or some shadier means, and it seems that there are many such people at large,” he said. “We are now dealing with organized criminal groups (a member in one chat log referred to the Trickbot gang as a ‘company’), so rather than fighting fire with fire to defeat the bad guys, it seems that trying to steal their fuel is more effective.”
With the takedown of Emotet and the withdrawal of the DarkSide ransomware group, Kujawa sees “the dominance of cybercriminals weakening in the future, and them doing more to evade global law enforcement.”
A senior technology reporter for more than 20 years. Former research engineer. Contributed to more than two dozen publications, including CNET News.com, Dark Reading, MIT Technology Review, Popular Science, and Wired News. Five journalism awards, including the best deadline…