Cybercrime and Trickbot leaks: “We pay sick pay and 13th monthly salary”
Cybercrime goes business: A job interview in the cybercrime underground shows impressively how much organized crime has already become “normalized”.
Earlier this year, unknown persons released internal information about the Trickbot gang that has received relatively little attention so far. The chat logs in particular provide an unparalleled insight into the world of cybercrime. The security company Cyjax has combined them into a report that is really worth reading.
Trickbot has been a well-known figure in the cybercrime underground for many years, raking in millions in the shadow of Emotet, among other things. The report reveals fascinating details about the working methods and organization of the gang. One learns there, for example, that there are many special teams within the organization, such as the crypters, who exchange ideas in their own chat groups. The crypters build only tools with which malware can be disguised in such a way that it is no longer detected by antivirus and security software.
Many of the crypters have their own projects and discuss among themselves ideas and techniques for improving them further. The experienced colleagues give the newcomers tips, such as that it is often better to use simple methods because exotic things attract unnecessary attention.
The Birth of Malware
Normally, malware is seen only through the eyes of the researchers who dissect a finished sample. In the chats you can watch it come into being, for example in the form of the technical specification of the new loader, which technology boss “silver” presents to the development team. It starts with the requirement that the loader has to work with Windows 2003/XP or higher. An important point is that the network component has to be modular and completely interchangeable, and that the malicious code can be executed either from a file or purely in memory (“fileless”).
But Trickbot doesn’t do everything itself. A chat also describes how the Trickbot crooks plan to approach an open source developer so that he can further develop his Tor chat client in the desired way and with higher priority.
Gang with management structure
The organization of the criminal gang differs little from that of conventional companies. Each group has its own team leader. Above them, management provides strategy and direction. “Silver” is responsible for technology and development; he apparently has the role of a CTO. His counterpart “Frances” is responsible for salaries and new hires, among other things: classic human resources. Enthroned above them is an anonymous boss who doesn’t even make an appearance himself.
A highlight of the report is an interview for the post of future head of a new group for OSINT. The group's aim is to find out as much as possible about a company in the run-up to an operation. Trickbot manager Frances does not score points with a dream salary, but with the promise of regular, bi-weekly payments, sick pay and vacation. He also points out that there is a 13th-month salary after the first year.
The Cyber Godfather
Incidentally, the candidate does not yet know Trickbot at this point in time. “Google it and you’ll understand,” Frances mysteriously explains to him. It really is high time Marlon Brando and Al Pacino found cyber successors. Anyone who would like to get an insight into how a professional cybercrime gang works should take a look at the 30-page PDF “Who is Trickbot” from Cyjax.
By the way, it currently looks as if Trickbot has disbanded after several years. Management has gone completely into hiding; the team leaders were already passing on calls to persevere in March, which spoke of a “holiday” lasting a few months. Apparently they didn’t know for sure. However, it doesn’t look like the gang will simply be resurrected. It is more likely that they will seize the opportunity to reposition themselves.