The US Justice Department last week charged a Latvian woman it says played a key role in developing the prolific Trickbot malware and setting it loose on victims across the globe for almost seven years.
Notoriously, Alla Witte advertised her services as a freelancing developer. Since 2012 she earned a living as a developer-for-hire completing a number of projects and getting positive reviews for her work throughout the internet.
Trickbot started life as a banking trojan designed to steal passwords. But it quickly grew to become a feared and sophisticated malware enterprise with many capabilities, including ransomware delivery.
Until recently it was tightly linked with the now-defunct Emotet (taken down in January in a co-ordinated law enforcement bust); Emotet would serve as the initial infection, later dropping TrickBot onto the victim machine.
Then, in a one-two punch maneuver, Trickbot would often act as a distributor for ransomware like Ryuk or Conti. This arrangement has continued in the wake of the Emotet take-down.
Trickbot is most often delivered via malicious emails with macro-laden Office documents, usually containing a theme like COVID-19, traffic infringements or invoices, as some examples.
Its intention – aside from acting as a dropper for ransomware – is mainly to steal credentials and sensitive information in order to access bank accounts. Its other capabilities include system reconnaissance and malware propagation.
Trickbot primarily targets hospitals, schools, public services, and governments. It has infected millions and caused “extensive financial harm and inflicting significant damage to critical infrastructure” globally, including in Australia, according to US law enforcement.
The US government claims 55 year-old Alla Witte, or “Max”, was a key part of the multinational criminal organisation responsible for creating and deploying Trickbot.
The group allegedly operated across Russia, Belarus, Ukraine, and Suriname, where Witte was previously based. She was arrested in Miami, Florida.
Witte’s particular contribution to the Trickbot group involved providing the code that enabled the deployment and payment of ransomware.
She also allegedly wrote code to store stolen login credentials, and other tools that monitored and tracked authorised users of the malware.
Two of the 19 counts levied against Witte – ranging from computer fraud and wire fraud to aggravated identity theft – carry a maximum sentence of 30 years in prison.
“The FBI will ensure these hackers are held accountable, no matter where they reside or how anonymous they think they are,” the US government said in a statement.
An effort to take down Trickbot late last year was ultimately unsuccessful; the group reappeared within two months.