The group behind the Trickbot malware operation, which infected more than a million systems in nearly a dozen countries, includes malware experts, freelance developers, and pay-as-you-go money mules, among other participants, according to an indictment against one developer unsealed this week.
Details from the indictment against Latvian national Alla Witte, charged with acting as a developer for the group, paint a picture of a sprawling and largely ad hoc organization that expanded its operations to include almost 20 different participants, and probably more. The group gave programming problems to potential developers, discussed which programmers suited their needs, and used a variety of cybercrime services to improve their operations.
The degree to which various members of the group were assigned specific roles is impressive, says Adam Kujawa, director of the labs at Malwarebytes.
"There is the group that compiles the malware, then they pass it to the group that encrypts the malware, then they pass it to the person who distributes the malware, etc.," he says. "The fact that these folks were reaching out via Russian job sites for developers means that their operation grew too large for the talent pool of the cybercrime world."
The operators of the Trickbot malware have had significant success, to the point that a combined US government-and-industry effort to take down the botnet in October largely failed, with the operators recovering from the disruption very quickly.