Authorities Arrest Another TrickBot Gang Member in South Korea

A hacker known only as “Mr. A” was picked up by authorities at a South Korean airport after getting stuck in the country due to COVID-19 travel restrictions.

Another alleged member of the TrickBot gang has been apprehended, this time when trying to leave South Korea, according to published reports.

The Russian national, who is an alleged developer of the notorious crimeware, reportedly had been trapped in South Korea since February 2020 due to COVID-19 travel restrictions. Seoul-based news outlet KBS News reported that the individual, identified only as “Mr. A,” was arrested at a South Korean airport last week. Mr. A is believed to have worked as a web browser developer for the TrickBot crime syndicate while he lived in Russia in 2016.

Recorded Future’s The Record, which reported on the incident, cited the KBS report and said the accused criminal hacker was forced to spend more than a year in South Korea in order to renew his passport, delaying his departure.


His arrest was the result of an investigation U.S. authorities began into TrickBot during his time in South Korea after the botnet was used “to facilitate ransomware attacks across the US throughout 2020,” according to the report.

Ever-Evolving Threat

TrickBot is a sophisticated malware first developed in 2016 to steal online banking credentials. Since then, it has evolved as operators have added new features.

The malware, once a simple banking trojan, is now a module-based crimeware platform leased as a malware-as-a-service solution to cybercriminals. TrickBot is typically leveraged against corporations and public infrastructure. The evolution and success of the TrickBot platform have pushed authorities, beginning last year, to crack down on the criminals behind it.

In February, authorities took alleged TrickBot developer Alla Witte into custody in Miami. Witte is known in cybercrime circles as “Max” and is a main TrickBot coder, according to the Department of Justice (DoJ). Witte is believed responsible for developing TrickBot’s ransomware-related functionality, including control, deployment and payments, authorities said at the time of her arrest.

Her colleague, Mr. A, was arraigned in a Seoul court last Wednesday on an international arrest warrant and extradition request to the United States, according to The Record, citing the KBS news report. However, the suspect is fighting the extradition, with his lawyer claiming that if it happens, Mr. A “will be subjected to excessive punishment,” according to the report.

Industry-Driven Disruption

Prior to the official investigation and crackdown by the DoJ and related arrests, an earlier attempt to foil TrickBot’s operations came from Microsoft and some technology partners.

Last October, the tech giant and others used a court order they’d obtained to cut off key infrastructure to TrickBot operations so its operators no longer could initiate new infections or activate ransomware already dropped into computer systems.

Microsoft, ESET, Lumen’s Black Lotus Labs, NTT Ltd., Symantec and others were responsible for the coordinated legal and technical action to disrupt the group’s activity. The disruption turned out to be temporary, as TrickBot’s cybercriminals soon regrouped and resumed operations.
