US Justice Department Accuses Latvian National of Deploying Trickbot Malware

In February 2021, Alla Witte was arrested in Miami for her alleged role in developing and deploying Trickbot malware. The US Department of Justice (DoJ) charged the Latvian national for her participation in the criminal organization known as the Trickbot Group, which operated the banking trojan that has since become a delivery vector for other malware, including large-scale ransomware operations using Ryuk ransomware. Trickbot also gives criminals a means of loading additional malware onto compromised machines to steal personal and financial information, including login credentials, credit card numbers, emails, passwords, dates of birth, social security numbers, and addresses. In total, Witte is charged in 19 counts of a 47-count indictment. If convicted, she faces a maximum of 87 years in prison.

Analyst Notes

Initially a banking trojan, Trickbot evolved into one of the most widely used malware families among threat actors, largely because it is easily modified and extended, which makes it suitable for many kinds of attacks. To reduce the risk of a Trickbot-style intrusion, organizations should run the latest supported versions of operating systems and software and apply security patches promptly. Follow best practices for RDP and other remote desktop services: do not expose them directly to the internet, place them behind a VPN protected with Multi-Factor Authentication (MFA), and audit logins from IP addresses or devices that differ from what an employee account normally uses. Provide social engineering and phishing training to employees, and urge them not to open suspicious emails, not to click links or open attachments in such emails, and to be cautious before visiting unknown websites. It is also important to have a Security Operations Center or a managed security monitoring service staffed by expert analysts, such as the Binary Defense Security Operations Task Force, which provides 24/7 monitoring of SIEM and endpoint detection systems to detect and defend against intrusions on an organization's network.
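As an added example (not part of the original Threat Watch post or any Binary Defense tooling), the following Python script implements the login-source audit recommended above: it builds a per-account baseline of source IP addresses and device names from the first two weeks of successful remote logins, then flags any later successful login from an IP or device the account has never used. The CSV-style log format, the field names, and the 14-day baseline window are assumptions for illustration; the log lines are constructed, not real telemetry.

```python
"""Flag remote-access logins from IPs or devices an account has never used.

Added example: the log format below is an assumed five-field CSV
(timestamp,user,source_ip,device,result), not any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (illustrative only, not real events).
SAMPLE_LOG = """\
2021-02-01T08:02:11Z,jdoe,203.0.113.10,JDOE-LAPTOP,success
2021-02-02T08:05:43Z,jdoe,203.0.113.10,JDOE-LAPTOP,success
2021-02-03T07:58:02Z,jdoe,203.0.113.11,JDOE-LAPTOP,success
2021-02-03T09:12:30Z,asmith,198.51.100.7,ASMITH-PC,success
2021-02-04T08:01:19Z,asmith,198.51.100.7,ASMITH-PC,success
2021-02-20T03:14:05Z,jdoe,192.0.2.77,DESKTOP-X1K9,success
2021-02-21T08:00:12Z,asmith,198.51.100.7,ASMITH-PC,failure
2021-02-21T08:00:40Z,asmith,198.51.100.9,ASMITH-PC,success
"""

BASELINE_DAYS = 14  # assumed learning window per account


def parse_log(text):
    """Parse CSV-style lines into dicts, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, ip, device, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "device": device, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_anomalous_logins(events, baseline_days=BASELINE_DAYS):
    """Return alerts for successful logins from a source not in the account's baseline.

    The baseline for an account is every successful login within
    `baseline_days` of that account's first observed success. Failed logins
    are ignored so a burst of guesses from a new IP cannot poison the
    baseline. Sources first seen after the window are NOT auto-added: they
    keep alerting until an analyst confirms them, which is the safer default.
    """
    known_ips = defaultdict(set)
    known_devices = defaultdict(set)
    first_seen = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"]
        first_seen.setdefault(user, e["ts"])
        in_baseline = e["ts"] - first_seen[user] <= timedelta(days=baseline_days)
        if in_baseline:
            known_ips[user].add(e["ip"])
            known_devices[user].add(e["device"])
            continue
        reasons = []
        if e["ip"] not in known_ips[user]:
            reasons.append("new ip")
        if e["device"] not in known_devices[user]:
            reasons.append("new device")
        if not reasons:
            continue
        # Both IP and device unknown is the stronger signal of account takeover.
        severity = "high" if len(reasons) == 2 else "medium"
        alerts.append({
            "ts": e["ts"].isoformat(), "user": user, "ip": e["ip"],
            "device": e["device"], "severity": severity,
            "reason": ", ".join(reasons),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalous_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script reports two alerts: a high-severity login for jdoe at 03:14 from an IP and a hostname never seen for that account, and a medium-severity login for asmith from a new IP on the usual workstation. The failed asmith attempt contributes nothing, so an attacker's unsuccessful guesses cannot teach the baseline a new source. In a real deployment the baseline would come from the SIEM's historical successful logins rather than a fixed window, and confirmed new sources would be added by an analyst rather than by the script.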