
Cybercrime groups are partnering to distribute banking malware

IBM X-Force: Cybercrime groups are partnering to distribute their banking malware; the TrickBot Trojan is cooperating with IcedID

Cybercrime groups are partnering to distribute their banking malware, such as Ursnif, TrickBot, Gozi, Ramnit, and IcedID. This was discovered by IBM X-Force cyber security experts. According to the company’s blog, some of the trends in TrickBot’s activity in 2018 included collaboration with another banking Trojan, IcedID, as well as operating the Ryuk ransomware, a subset of TrickBot’s botnet monetization strategy. These highlight a larger trend of intergang collaboration among Trojan operators striving to generate larger profits in spite of growing security control sophistication. At first, the two malicious codes appeared unrelated. But about eight months into IcedID’s existence, signs of a link between the two became apparent. In May 2018, TrickBot was observed dropping IcedID, whereas it had previously been dropped primarily by the Emotet Trojan, the same distributor that also drops TrickBot in different campaigns.

The cyber security experts: How this malware cooperation started and evolved

By August 2018, IBM X-Force researchers noted that IcedID had been upgraded to behave in a similar way to the TrickBot Trojan in terms of its deployment. The binary file was modified to become smaller and no longer featured embedded modules. The malware’s plugins were being fetched and loaded on demand after the Trojan was installed on infected devices. These changes made IcedID stealthier, modular and more similar to TrickBot. In addition to its increased stealth level, IcedID also started encrypting its binary file content by obfuscating file names associated with its deployment on the endpoint. Also similar to TrickBot are IcedID’s event objects, which coordinate multiple threads of execution in Windows-based operating systems. IcedID began using named events to synchronize the execution between its core binary and the plugins selected for loading.

Ties between TrickBot and IcedID may have started years ago in a collaboration designed to help both cybercrime groups maximize their illicit operations and profits

According to the cyber security experts, although cybercrime malware authors do sometimes copy from one another, these modifications were not coincidental. Even if we only looked at the fact that TrickBot and IcedID fetch one another into infected devices, that would be indication enough that these Trojans are operated by teams that work together. Ties between TrickBot and IcedID may have started years ago in a collaboration designed to help both groups maximize their illicit operations and profits. During the activity phase of the Neverquest (aka Catch or Vawtrak) Trojan, it collaborated with the Dyre group to deliver Dyre malware to devices already infected with Neverquest. The original Dyre group partly disbanded in late 2015, followed by the rise of TrickBot, which is believed to be its successor. Neverquest halted operations following the arrest of one of its key members in 2016, after which the IcedID Trojan appeared.
