Alleged Trickbot Developer Arrested in South Korea
Russian Gang Member Was Stranded After COVID-19 Restrictions
A Russian citizen, alleged to be working as a developer for the malware-spreading organization Trickbot, reportedly has been arrested at Seoul-Incheon International Airport. He was questioned by Korean authorities following an extradition request from the U.S.
A report from the South Korean news outlet KBS News says the Russian was involved in developing code for the Trickbot malware gang.
The man, identified only as "A," was arrested while trying to leave South Korea to return to Russia after having been stranded in Korea for more than a year and a half because of COVID-19 travel restrictions, the report says.
In 2016, while living in Russia, A allegedly received work from Trickbot through a job search site and developed a web browser for the group, according to the news outlet. The recruiters favored candidates who did not ask too many questions, according to a report by The Record.
The 20th Criminal Division of the Seoul High Court held an interrogation for the extradition request case against the Russian man on Sept. 1, according to the Korean newspaper report.
The report says that the prosecutors asked the court to extradite A to the United States, but his attorney said that would make it very difficult for his client to exercise his right of defense and that he likely would be subjected to excessive punishment.
In A's final statement, according to the news outlet, he said, "When developing the software, the operation manual did not fall under malicious software."
Trickbot first appeared as a banking Trojan in 2016, but it evolved into a botnet that could deliver other malicious code, such as ransomware. Before the Microsoft takedown in October 2020, the botnet was closely associated with Ryuk ransomware.
The Russian arrived in Seoul in February 2020 and was prevented from leaving when international travel was suspended at the onset of the COVID-19 pandemic, the news report says.
It also says that by the time international travel resumed, the validity of A's passport had expired, so he stayed in Korea for over a year to get his passport re-issued through the Russian embassy.
While he was awaiting his passport replacement, however, U.S. federal agencies and private security firms began an investigation and takedown of the Trickbot malware gang, whose botnet had been used to facilitate ransomware attacks across the U.S. throughout 2020.
The Trickbot takedown was positioned by Microsoft and others as a defensive measure designed, in part, to help protect the November 2020 election from cyberattack.
In October 2020, Microsoft led a coalition of security researchers and U.S. federal agencies in an effort to disrupt Trickbot's operations and dismantle its infrastructure. Although the effort was initially successful at taking down the botnet, analysts warned that its operators would likely rebuild its malicious network (see: Trickbot Rebounds After 'Takedown').
Just a month after Microsoft and others announced the October 2020 Trickbot takedown, security firms had already begun noticing signs of life associated with the botnet. Security firm Bitdefender, for example, published a report that found Trickbot had rolled out an updated version of the botnet that made the malware more difficult to kill (see: Emotet, Ryuk, Trickbot: 'Loader-Ransomware-Banker Trifecta').
Then on Jan. 29 this year, a report by Menlo Security found that Trickbot was still active and was targeting insurance companies and legal firms in North America (see: Is Trickbot Botnet Making a Comeback?).
In June, the U.S. Justice Department said that a 55-year-old Latvian woman, Alla Witte, had been charged with helping to develop code for the Trickbot gang and with stealing banking credentials from victims around the world and helping to distribute ransomware through the botnet the group created (see: US Prosecutors Charge Latvian Woman in Trickbot Gang Case).
Witte allegedly worked as a malware developer for the group and wrote code related to the control and deployment of ransomware and payments of ransoms, according to federal prosecutors. The federal case against Witte was one of the first to target an alleged member of the Trickbot group.