We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Back in 2016, we saw the emergence of a botnet mainstay called TrickBot. Initially observed by our Labs team spreading via malvertising campaigns, it quickly became a major problem for businesses everywhere. Whether spread by malvertising or email spam, the end result was the same. Data exfiltration and the threat of constant reinfection were the order of the day.
Over time, it evolved. Tampering with web sessions depending on mobile carrier is pretty smart. Other features such as disabling real-time monitoring from Windows Defender were also added. In fact, wherever you look, there’s the possibility of stumbling upon a TrickBot reference when digging into other attacks.
The word “sophisticated” is used a lot in security research. Sometimes, it’s used even if an attack being discussed is a basic phish, or maybe some very generic malware.
However, TrickBot is a pretty formidable opponent. As is often the case, the “sophisticated” part isn’t necessarily just about the files themselves. There’s also the organisation behind the scenes to contend with. We’re talking people, infrastructure, small groups of individuals all working to make some code, and keep it ticking over. To grab the exfiltrated data and make something of it. Wherever you look where TrickBot is concerned, there’s probably another cluster of specialised people up to no good. This isn’t a good thing when tackling malware developments.
Have you ever stopped to consider “what, exactly, are we up against” when dealing with malware? This week’s events are a very good, and rather alarming, illustration.
What happened this week, you ask? That would be a potentially major blow to the TrickBot crew. A Latvian woman has been charged for their alleged role in a transnational cybercrime organisation. That organisation, as you’ll have guessed, is all about TrickBot shenanigans. What’s particularly interesting here, is how it illuminates just how much work goes into development. It isn’t one person sitting in their bedroom. It’s an actual criminal enterprise, run as a business, with lots of different divisions and moving parts.
There are malware managers in hiring roles, hiring developers to produce the files. This is done on Russian language job websites, and made to look as if it’s for “regular” coding jobs.
There’s folks looking after finances, and testing malware against CAV services. Money mules and spear phishing are thrown into the mix alongside social engineering and international theft of money, personal, and confidential information.
This is just skimming the surface of what was happening under the hood. An entire infrastructure was created, with servers, VPNs, and VPS providers combined by the TrickBot crew to create the perfect malware deployment environment. That’s before you get to the crypters, hired to help evade detection from security software. Or how about those responsible for the spamming tools? The folks monitoring bank website flows to figure out how to defeat multi-factor encryption? There’s even someone creating coding tests, to ensure potential malware author hires know what they’re doing in terms of injections.
Make no mistake, the groups infecting millions of computers worldwide and making huge amounts of money aren’t doing it by accident. What cases like United States of America v. Alla Witte show us is that it’s efficient, structured, and very organised indeed.
The basic plan? Infect computers with TrickBot, spread across networks, grab banking details, and then steal funds. Said funds would then be laundered across a variety of bank accounts “controlled by the defendant and others”. Ransomware would also be deployed, for that final splash of cash.
As touched on above, the group hired experts in a variety of cybercrime fields. This was a perfect accompaniment to the modular, ever-evolving TrickBot. This itself was built upon the framework of the older Dyre malware, with all the years of experience and field expertise you’d expect coming along for the ride.
Certain elements of the team helped evade detection by making use of multiple tricks to keep out of law enforcement’s reach. Stolen credit cards and fake identities paid for behind the scenes tech like servers and domains. Multiple proxies were used for communications purposes. Emails and attachments were encrypted, and chat in a private messaging server was also locked down. Multiple VPN services made use of around the world are the final anonymous splashes of icing on a very large cake.
The full arrest warrant document [PDF] is roughly 60 pages long, and contains an incredible amount of information. It breaks everything down by category, explaining how the malware and its injections worked. How the multi-stage laundering took place, including dates / transaction amounts. The wire transfers listed range from $44,900 to $230,400 across most of 2017 to 2018. There’s even an incredible attempted approximate wire transfer of $691,570,000 between the 19 and 20 October, 2017.
It’s possible time has now been called on this TrickBot crew. No matter what happens, you can be sure other groups are out there right now doing much the same things. A few of them will be just as big, just as well organised, and firing even bigger plundered sums of cash around banking infrastructure.
Next time you read about a piece of malware in the news, consider the sobering thought that it is the tip of a very long spear. An in-depth process lies under the surface keeping said malware in operation. How bad is it really? What, exactly, are we up against?
The answer is: all of the above, and more.
SHARE THIS ARTICLE
July 21, 2021 – ZeuS is an infamous banking Trojan that infected millions of systems, and stole billions of dollars.
March 2, 2021 – French researchers have found a Ryuk ransomware variant that can spread laterally through an infected network.
February 9, 2021 – The Matryosh botnet goes after Android devices that have ADB enabled and uses them in orchestrated DDoS attacks.
Malware | Threat analysis | Threat Intelligence
January 29, 2021 – Following global law enforcement action to take over the Emotet botnet, a special update is being sent to clean up infected machines.
January 27, 2021 – The world’s most dangerous malware has suffered a serious blow in a coordinated strike by multiple law enforcement agencies.
ABOUT THE AUTHOR
Write for Labs
Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
NEWS AND PRESS
© All Rights Reserved
Select your language
Your intro to everything relating to cyberthreats, and how to stop them.