What Is Trickbot?
- July 16, 2022
- Clayton Rice, K.C.
Trickbot is both a sophisticated trojan malware and the alleged cybercrime syndicate that developed it. The malware was historically deployed to steal banking credentials but its capabilities were later expanded to create a complete modular malware ecosystem. In a report released yesterday the British cybersecurity firm Cyjax analyzed a trove of leaked documents revealing the inner workings of the Trickbot group. The documents have been described as possibly containing the most comprehensive breakdown of an alleged international cybercrime syndicate and were instantly dubbed the Trickbot Leaks. The report comes a year after the arraignment of a Trickbot developer on charges of conspiracy to commit computer fraud and aggravated identity theft.
Trickbot is commonly attributed to a specific threat actor called Wizard Spider (Crowdstrike), UNC1778 (FireEye) or Gold Blackburn (Secureworks). Described as a “popular and modular Trojan” initially used to target the banking industry, it has been subsequently deployed to compromise companies from other sectors and delivers several types of payloads. (here) The cybersecurity concern is that malware developers continuously release new, modular versions of the malware that can be distributed through botnets. In a study by BitSight, researchers found “home office networks were 3 1/2 times more likely than a corporate network to have a malware infection and TrickBot malware was observed at least 3 3/4 times more frequently on home office networks.” (here) Developed in 2016, Trickbot has many original features inspired by Dyreza and is suspected of having links with Russian intelligence agencies. Besides targeting international banks by way of its web injects, Trickbot can also steal from Bitcoin wallets. (here) Other capabilities include harvesting emails, installing backdoors and downloading other malware such as Emotet.
2. How Trickbot Works
On January 7, 2022, cybersecurity firm CrowdStrike, based in Austin, Texas, published a post to its website titled What Is Trickbot Malware? (here) While the Trickbot malware is known for its “evolution and adaptation”, the post emphasized that many campaigns follow this basic sequence:
- the Trickbot malware is delivered to the target either through an infected link or attachment;
- once downloaded to the infected device, the user is prompted to enable macros, which installs the Trickbot binary, and the malware then uses various modules to infect the network and steal data;
- the Trickbot operators may also attempt to disable antivirus software to set the stage for future attacks;
- Trickbot can spread the malware laterally throughout the network by exploiting a Server Message Block vulnerability as part of a secondary attack;
- a follow-up attack such as a Ryuk ransomware attack is then deployed;
- the attackers manually delete or encrypt backup files and twins; and,
- Ryuk encrypts all system data and initiates the ransomware attack path.
The user rarely notices symptoms of an infection as the malware is intended to operate surreptitiously.
3. The Indictment
On June 4, 2021, the United States Department of Justice announced that Alla Witte, a Latvian national, was arraigned on multiple charges accusing her of participation in a criminal organization referred to as the “Trickbot Group” that purportedly operated in Russia, Belarus, Ukraine and Suriname. (here) She had been arrested on February 6, 2021, in Miami, Florida. The indictment, filed in the United States District Court, Northern District of Ohio, on August 13, 2020, was unsealed on February 8, 2021, after Ms. Witte was arrested. It alleges that she and co-conspirators deployed Trickbot malware to infect tens of millions of computers worldwide in an effort to steal financial information and siphon off millions of dollars from businesses and their financial institutions in the United States and other countries including the United Kingdom, Australia, Canada, Belgium and Italy. Ms. Witte is charged in 19 counts of the heavily redacted 47-count indictment including conspiracy to commit computer fraud and aggravated identity theft, conspiracy to commit wire and bank fraud, and conspiracy to commit money laundering.
The indictment alleges that an online banking trojan called “Dyre”, operated by unknown individuals based in Moscow, Russia, began targeting non-Russian businesses and entities in mid-2014. In November 2015, Russian authorities arrested numerous individuals at “25th Floor”, a film company based in Moscow and associated with Dyre. Although Dyre activity slowed after the Russian action, no charges against members of the Dyre network or 25th Floor were made public. Over the years following the purported Russian actions, the Dyre actors regrouped and created a new suite of malware tools called “Trickbot”. Since November 2015, Ms. Witte and her associates are alleged to have been part of the “transnational organized cybercrime network” and to have stolen money and confidential information from victims in multiple countries through the use of Trickbot malware. (para. 41)
The indictment asserts that Trickbot is a “modular, multi-function suite of malware tools” designed in part to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of web injects and keystroke logging. The defendants then used these credentials to gain unauthorized access to the targeted bank accounts and transfer funds to accounts under their control. Later versions of Trickbot were adapted to facilitate the installation and use of ransomware. The defendants used the framework and code from Dyre to establish the basis for the Trickbot malware. (paras. 45 and 50) Specifically, the aim of the conspirators was to achieve the following:
- infect victims’ computers with Trickbot malware designed to capture online banking login credentials;
- harvest other personal identification information including credit cards, emails, passwords, dates of birth, social security numbers and addresses;
- infect other computers connected to the victim computer;
- use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts;
- steal funds from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts provided and controlled by the defendants and others; and,
- install ransomware on victim computers.
The defendants used a network of associates who provided specialized services and technical skills in furtherance of the scheme that included soliciting and recruiting malware developers; purchasing and managing servers from which to test, operate and deploy the Trickbot malware; encrypting the malware to avoid detection by anti-virus software; engaging in spamming, phishing and spear-phishing campaigns against potential victims; and, coordinating the receipt and laundering of funds from the victims to the defendants and others. (para. 44)
4. Who is Alla Witte?
With a degree in applied mathematics from the University of Latvia, Ms. Witte remains an enigmatic figure in the world of black hats. She was born in Soviet-era Rostov-on-Don, later moved to Riga and then took her interest in technology and passion for programming to the small South American country, Suriname. (here) Her transformation from an “amateur developer” to a “key cog” in an alleged cybercrime organization has perplexed cybersecurity experts since her arrest in Miami and transfer to Cleveland. According to Alex Holden, the founder of the cyber-investigations firm, Hold Security, Ms. Witte began using her personal website in 2020 to distribute Trickbot malware. By that time, her associates inside Trickbot were familiar with her pseudonym “Max” and referred to her “almost like they would address their mothers.” (here) In late 2019, she infected one of her own computers with Trickbot malware, allowing it to steal and log her data within the botnet interface.
The story of Ms. Witte’s arrest prompted investigative journalist Brian Krebs to publish a post to his blog, KrebsOnSecurity, dated June 15, 2021, in which he asked how a self-employed web site designer and mother of two came to work for an alleged cybercrime group and then leave a trail of clues about her involvement. (here) The indictment itself dedicates several pages to a description of the hiring processes of the Trickbot group. (paras. 102-129) As Mr. Krebs pointed out, the model adopted by Trickbot allowed recruiters to hire a steady stream of talented developers cheaply and covertly. “But it also introduce[d] the very real risk that new recruits may offer investigators a way to infiltrate the group’s operations, and possibly even identify co-conspirators,” he concluded.
5. The Cyjax Report
On February 25, 2022, the day after Russia invaded Ukraine, the Conti ransomware group released a post announcing its support for the Russian government. According to intelligence analyst, Joe Wrieden, in the report titled Who is Trickbot? posted to the Cyjax blog yesterday, the Conti statement caused “shockwaves” in both the intelligence community and within Conti itself. (here) Many members of Conti were unhappy with the decision, either not wanting to be associated with Russia or because they are Ukrainians. Conti retracted the statement two days later saying it only wanted to target “Western warmongers” and “[do] not ally with any governments and […] condemn the ongoing war”. However, the reversal was not enough for most members. On February 27, 2022, a Twitter account @ContiLeaks began posting links to logs of internal communications by the group containing over 60,000 messages. The leak caused unrest within the group, with the @ContiLeaks account tweeting: “We know everything about you Conti, go to panic, you can[‘t] even trust your gf, we against you!”.
On March 4, 2022, another Twitter account @trickleaks appeared posting this tweet: “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk)”. Tweets then appeared containing links to internal communications from members of the Trickbot group. These leaks, referred to by Mr. Wrieden as the “Trickbot Leaks”, were posted “increasingly quickly” as the messages of thirty-five believed members were uploaded over a two-month period, leading to a total of over 1,000 communication extracts. Each file consists of a direct communication or a group chat and the files vary in size. Some files contain nearly 10,000 messages. In total, there are approximately 250,000 messages containing over 2,500 IP addresses, around 500 potential crypto wallet addresses and thousands of domains and email addresses. In addition to the messages, “Doxing PDF” files were leaked containing information about individual members including full names, addresses and identification numbers. “This leak was like nothing seen before and gave cyber threat intelligence researchers unprecedented access to the Trickbot organization,” Mr. Wrieden said.
In an article titled Inside The Russian Cybergang Thought To Be Attacking Ukraine – The Trickbot Leaks published by Forbes yesterday, senior contributor Davey Winder described the Trickbot leaks as “possibly the most comprehensive breakdown of a significant international cybercrime syndicate I’ve seen.” (here) But in a post to CyberScoop titled A look inside Russian cybercrime syndicate Trickbot reveals an organized, potent adversary, A.J. Vicens emphasized the conclusions of Cyjax that although the leaks are a blow to the syndicate, “Trickbot continues to be a menace, especially in Ukraine.” (here)