The US Department of Justice (DOJ) just announced that it has charged a 55-year-old Latvian woman, who went by the moniker of Max, with malware-writing crimes.
Max, whose real name is apparently Alla Witte, is the sixth of seven defendants listed in the DOJ’s indictment, along with ten other unknown individuals identified only as CC8 to CC17. (CC is short for co-conspirator.)
At the moment, the names of the other six defendants have been redacted from the document, so that Witte is the only one whose name has been publicly released.
(In the indictment, filed in August 2020, Witte was identified as a “national of Russia”, but the headline of the DOJ’s latest press release describes her as Latvian.)
Witte was apparently living in Suriname in South America at the time of the alleged offences, but was arrested in Miami, Florida, in February 2021, presumably while attempting to enter the US.
The indictment, which runs to 61 double-spaced pages, tells a fascinating story of how the Trickbot Group, as the DOJ refers to this cybergang, operated and evolved over a five-year period from late 2015 to the middle of 2020.
Also documented in the indictment is a laundry list of attempted financial thefts from so-called “co-operating witnesses” – eleven US companies that have come forward to help establish the nature and extent of the criminality attempted by the Trickbot Group.
The fraudulent transactions attempted against those 11 companies alone add up to $6.2 million, but the DOJ says that the Trickbot malware has infected millions of computers worldwide in the broadest possible way, hitting individuals, businesses and organisations including hospitals, schools, public utilities and governments.
Trickbot is probably best known for being what’s called a banking Trojan, malware that deliberately snoops on your computer while you’re performing financial transactions in order to steal your personal information and prey on your account.
But Trickbot, as the name suggests, also acted as a bot, or zombie, malware that regularly calls home to servers operated by the criminals in order to fetch instructions on what to do next.
Trickbot would also go hunting for other computers to infect on your network, acting as what’s known as a virus or worm, in order to increase its foothold and improve its yield.
As you probably know, almost all bots or zombies include a function by which they can install and activate additional malware, and the Trickbot Group took particular advantage of this “feature” in its own code by using existing Trickbot infections not only to go after your bank accounts but also to launch ransomware attacks on your network.
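The "regularly calls home" behaviour described above is something defenders can look for in their own logs: a bot that polls its command-and-control server on a timer leaves a tell-tale rhythm of outbound connections with very little jitter. The following is an added example, not code from the article or from any Trickbot analysis, of a simple beacon detector. The log format, host names and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for this example; it flags any (host, destination) pair with at least five connections whose inter-arrival times vary by less than ten percent.

```python
"""Beaconing detector over constructed outbound-connection log lines.

Added example (not from the article or the indictment): bots "regularly
call home" to fetch instructions, so one defensive check is to look for
(source host, destination) pairs whose connection timestamps are spaced at
near-constant intervals. The log format and all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-17 polls 203.0.113.5 every ~300 s (low jitter);
# ws-03 browses an ordinary site at irregular intervals.
SAMPLE_LOG = """\
2021-06-04T10:00:00Z host=ws-17 dst=203.0.113.5:443 bytes=612
2021-06-04T10:00:41Z host=ws-03 dst=198.51.100.20:443 bytes=18304
2021-06-04T10:05:02Z host=ws-17 dst=203.0.113.5:443 bytes=598
2021-06-04T10:07:15Z host=ws-03 dst=198.51.100.20:443 bytes=2210
2021-06-04T10:09:59Z host=ws-17 dst=203.0.113.5:443 bytes=640
2021-06-04T10:15:01Z host=ws-17 dst=203.0.113.5:443 bytes=601
2021-06-04T10:16:48Z host=ws-03 dst=198.51.100.20:443 bytes=77120
2021-06-04T10:20:00Z host=ws-17 dst=203.0.113.5:443 bytes=633
2021-06-04T10:24:58Z host=ws-17 dst=203.0.113.5:443 bytes=590
2021-06-04T10:41:03Z host=ws-03 dst=198.51.100.20:443 bytes=940
2021-06-04T10:52:30Z host=ws-03 dst=198.51.100.20:443 bytes=3310
2021-06-04T11:10:12Z host=ws-03 dst=198.51.100.20:443 bytes=1205
"""


def parse_line(line):
    """Return (timestamp, host, dst) for one 'key=value' log line."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["host"], kv["dst"]


def find_beacons(log_text, min_events=5, max_cv=0.10):
    """Flag (host, dst) pairs with >= min_events connections whose
    inter-arrival times have a coefficient of variation (stdev / mean)
    at or below max_cv, i.e. a suspiciously regular call-home rhythm.

    Returns {(host, dst): (mean_interval_seconds, cv)} for flagged pairs.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = parse_line(line)
        events[(host, dst)].append(ts)

    flagged = {}
    for key, stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[key] = (round(avg, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (host, dst), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: roughly every {avg}s (cv={cv})")
```

On the constructed sample only ws-17's connections to 203.0.113.5 are flagged (about every 300 seconds with a coefficient of variation near 0.007), while ws-03's irregular browsing is not. In practice the thresholds need tuning per environment, since legitimate software updaters and monitoring agents also poll on fixed timers, so a hit is a lead for triage rather than a verdict.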
As the indictment explains, the Trickbot Group stands accused of conspiring to:
The last of these activities – running a ransomware operation using zombified Trickbot computers to inject and initiate the attack – is where Witte is said to have been involved.
According to the indictment, she seems to have joined the Trickbot Group fairly recently, starting in late 2018.
Amongst other things, Witte is alleged to have “provided code to the Trickbot Group to operate and deploy the Trickbot ransomware module.”
She is also said to have “provided code […] for a web panel used to access victim data stored in a database,” where others in the Trickbot group could look up zombies currently active in the Trickbot botnet, and access data such as credit card details already stolen from infected victims.