The botnet operators behind two infamous banking trojans have banded together to gouge victims of cash in a tricky collaborative scheme.
Flashpoint analysts, who highlighted the collaboration in a Wednesday report, said that the operators behind the IcedID and TrickBot trojans appear to be targeting banking victims in a dual threat — and sharing the profit.
Hidden Cobra Strikes Again with Custom RAT, SMB Malware
Brazilian Banking Trojan Communicates Via Microsoft SQL Server
TeleGrab Malware Steals Telegram Desktop Messaging Sessions, Steam Credentials
Researchers first discovered the collaboration while studying the IcedID malware – they quickly realized that computers infected with IcedID were also downloading the other piece of malware, Trickbot.
“Why would IcedID, which is commercial banking malware, download another commercial banking malware from the same ecosystem? We decided to look into it; we found it unusual because groups compete for a limited number of victims,” Vitali Kremez, director of research at Flashpoint, told Threatpost.”While looking at that, we realized that IcedID and Trickbot were working together – not necessarily from the malware development side, but from the operations side.”
Malware strains typically butt heads over victims’ data, particularly in a hyper-competitive market like banking; for example, the SpyEye malware has been seen to uninstall the similar Zeus trojan upon infecting machines, Kremez said.
Trickbot has made its mark as a trojan responsible for man-in-the-browser attacks since mid-2016. The malware has targeted financial institutions, and is a successor to the Dyre banking Trojan, sharing many of the same attributes. The trojan leverages multiple modules, including leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and ATO operations.
The IcedID Trojan meanwhile was spotted in 2017 by researchers at IBM’s X-Force Research team. They said the trojan has several standout techniques and procedures; most notably for this situation the ability to create proxies that are used to steal credentials for a host of websites (mainly in financial services). The local proxy intercepts traffic and uses a web inject that steals login data from the victim.
Kremez said it appears that IcedID is sent directly as spam via email, and the piece of malware then acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.
The two combined forces use an array of methods and tools to then steal banking credentials from the victims, including token grabbers, redirection attacks and web injects.
“The attacks are complex…there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise,” according to Flashpoint.
The double-edged threat is not only bringing a new force of tools to the table; from an operations standpoint, the collaboration pulls in an extended network of fraud operators who can carry efficient account takeover operations. “One of the main things behind the Trickbot-IcedID collaboration are the human operators behind this,” said Kremez.
Complex Collaboration
Flashpoint said it “assesses with high confidence” that a head of operations likely oversees a complex network of fraudsters who connect back to machines infected by the two trojans. This head is the botmaster, who operates the command and control of botnets for remote process execution.
Meanwhile, the bad actors who make up the extensive network likely know each other only by aliases and are specialists within their respective domains, Kremez told Threatpost.
“Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveals that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds,” Flashpoint said in the report.
Essentially,when the victims log in to the banking page of interest on an infected system, the botmaster accepts XMPP or Jabber notifications via the “jabber_on” field in the backend.
The combined malware operation also has the ability to carry out account checking (or credential stuffing), which determines the value of a victim’s machine and their access — so the bad actors can leverage higher-value targets for network penetration and use other compromised targets for things like cryptocurrency mining.
The botmaster then is able to extract information consisting of the victim’s login credentials, answers to the secret questions and email address from the logs, and then passes that information to an affiliate who manages real-world operations.
Meanwhile, mules use that information to open bank accounts in the geographic location of the victim and at the same financial institution. They in turn receive fraudulent account clearing house (ACH) and wire transfers into their account and then forward the proceeds to the botnet owner or an intermediary.
“Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will continue to closely collaborate on cashing out stolen accounts,” Flashpoint noted. Additional details about the breadth of attacks and the amount of money stolen at this point are unknown.
Kremez said he expects more botnet operators to begin a similar collaboration scheme in the future: “This is only the beginning,” he said. “It’s getting harder and harder to commit fraud when it comes to banking… and I think this is where the collaboration will really start to come in.”