Back in 2016, we saw the emergence of a botnet mainstay called TrickBot. Initially observed by our Labs team spreading via malvertising campaigns, it quickly became a major problem for businesses everywhere. Whether spread by malvertising or email spam, the end result was the same. Data exfiltration and the threat of constant reinfection were the order of the day.

Over time, it evolved. Tampering with web sessions depending on mobile carrier is pretty smart. Other features such as disabling real-time monitoring from Windows Defender were also added. In fact, wherever you look, there’s the possibility of stumbling upon a TrickBot reference when digging into other attacks.

The tricky problem of “sophisticated” attacks

The word “sophisticated” is used a lot in security research. Sometimes, it’s used even if an attack being discussed is a basic phish, or maybe some very generic malware.

However, TrickBot is a pretty formidable opponent. As is often the case, the “sophisticated” part isn’t necessarily just about the files themselves. There’s also the organisation behind the scenes to contend with. We’re talking people, infrastructure, small groups of individuals all working to make some code, and keep it ticking over. To grab the exfiltrated data and make something of it. Wherever you look where TrickBot is concerned, there’s probably another cluster of specialised people up to no good. This isn’t a good thing when tackling malware developments.

“How bad is it, really?”

Have you ever stopped to consider “what, exactly, are we up against” when dealing with malware? This week’s events are a very good, and rather alarming, illustration.

What happened this week, you ask? That would be a potentially major blow to the TrickBot crew. A Latvian woman has been charged for their alleged role in a transnational cybercrime organisation. That organisation, as you’ll have guessed, is all about TrickBot shenanigans. What’s particularly interesting here, is how it illuminates just how much work goes into development. It isn’t one person sitting in their bedroom. It’s an actual criminal enterprise, run as a business, with lots of different divisions and moving parts.

There are malware managers in hiring roles, hiring developers to produce the files. This is done on Russian language job websites, and made to look as if it’s for “regular” coding jobs. 

There’s folks looking after finances, and testing malware against CAV services. Money mules and spear phishing are thrown into the mix alongside social engineering and international theft of money, personal, and confidential information.

Peeling back the TrickBot onion

This is just skimming the surface of what was happening under the hood. An entire infrastructure was created, with servers, VPNs, and VPS providers combined by the TrickBot crew to create the perfect malware deployment environment. That’s before you get to the crypters, hired to help evade detection from security software. Or how about those responsible for the spamming tools? The folks monitoring bank website flows to figure out how to defeat multi-factor encryption? There’s even someone creating coding tests, to ensure potential malware author hires know what they’re doing in terms of injections.

Make no mistake, the groups infecting millions of computers worldwide and making huge amounts of money aren’t doing it by accident. What cases like United States of America v. Alla Witte show us is that it’s efficient, structured, and very organised indeed.

The basic plan? Infect computers with TrickBot, spread across networks, grab banking details, and then steal funds. Said funds would then be laundered across a variety of bank accounts “controlled by the defendant and others”. Ransomware would also be deployed, for that final splash of cash.

As touched on above, the group hired experts in a variety of cybercrime fields. This was a perfect accompaniment to the modular, ever-evolving TrickBot. This itself was built upon the framework of the older Dyre malware, with all the years of experience and field expertise you’d expect coming along for the ride.

Evading the long arm of the law

Certain elements of the team helped evade detection by making use of multiple tricks to keep out of law enforcement’s reach. Stolen credit cards and fake identities paid for behind the scenes tech like servers and domains. Multiple proxies were used for communications purposes. Emails and attachments were encrypted, and chat in a private messaging server was also locked down. Multiple VPN services made use of around the world are the final anonymous splashes of icing on a very large cake.

Big scams, big numbers

The full arrest warrant document [PDF] is roughly 60 pages long, and contains an incredible amount of information. It breaks everything down by category, explaining how the malware and its injections worked. How the multi-stage laundering took place, including dates / transaction amounts. The wire transfers listed range from $44,900 to $230,400 across most of 2017 to 2018. There’s even an incredible attempted approximate wire transfer of $691,570,000 between the 19 and 20 October, 2017.

It’s possible time has now been called on this TrickBot crew. No matter what happens, you can be sure other groups are out there right now doing much the same things. A few of them will be just as big, just as well organised, and firing even bigger plundered sums of cash around banking infrastructure.

Next time you read about a piece of malware in the news, consider the sobering thought that it is the tip of a very long spear. An in-depth process lies under the surface keeping said malware in operation. How bad is it really? What, exactly, are we up against?

The answer is: all of the above, and more.