US arrested Latvian woman who developed part of Trickbot malware

Pierluigi Paganini June 05, 2021

The US Department of Justice (DOJ) announced the arrest of a Latvian woman for her alleged role in the development of the Trickbot malware.

The US Department of Justice (DOJ) announced the arrest of Alla Witte (aka Max), a Latvian woman that was charged for her alleged role in the development of the Trickbot malware.

Alla Witte was arrested on February 6 in Miami, Florida, she has been charged with 19 counts of a 47-count indictment.

“Alla Witte, aka Max, 55, is charged in 19 counts of a 47-count indictment, which accuses her of participating in a criminal organization referred to as the “Trickbot Group,” which deployed the Trickbot malware.” reads the press release published by the DoJ. “The Trickbot Group operated in Russia, Belarus, Ukraine, and Suriname, and primarily targeted victim computers belonging to businesses, entities, and individuals, including those in the Northern District of Ohio and elsewhere in the United States. Targets included hospitals, schools, public utilities, and governments. Witte, who previously resided in Paramaribo, Suriname, was arrested on Feb. 6, in Miami, Florida.”

Witte was a member of the development team of the Trickbot Group, she developed the code for the deployment and the control of the threat. Witte also worked on the code for payments and developed the tools and protocols used to store login credentials stolen by the malware from victims’ systems.

Once infected a system, the ransomware informed victims that their files were encrypted demanded the payment of a Bitcoin ransom to decrypt them.

Trickbot infected millions of victim computers worldwide, its operators used the malicious code to steal banking credentials from victims and deliver ransomware.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. The TrickBot botnet was also used to distribute Ryuk and Conti ransomware onto the network of corporate targets. The Trickbot gang operated in Russia, Belarus, Ukraine, and Suriname.

In October, Microsoft’s Defender team, FS-ISACESETLumen’s Black Lotus LabsNTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Even if Microsoft and its partners have brought down the TrickBot infrastructure TrickBot operators attempted to resume the operations by setting up new command and control (C&C) servers online.

TrickBot botnet

Following the takedown, the operators behind the malware have implemented several improvements to make it more resilient.

A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was used by its operators.

“Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems,” said Special Agent in Charge Eric B. Smith of the FBI’s Cleveland Field Office. “Cyber intrusions and malware infections take significant time, expertise, and investigative effort, but the FBI will ensure these hackers are held accountable, no matter where they reside or how anonymous they think they are.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment