The botnet operators behind IcedID and Trickbot are collaborating with each other and possibly sharing their ill-gotten gains, according to security researchers.
In a blog post, researchers at Flashpoint said that recently examined samples indicated that computers infected with IcedID are also downloading Trickbot, a prolific piece of malware considered to be the successor to the Dyre banking Trojan.
According to Flashpoint's research director Vitali Kremez, the company assessed with “high confidence that a head of operations likely oversees a complex network of actors who likely know each other only by aliases even after years of working together”.
“Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveals that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project's affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds,” he said.
He added that each segment of the ecosystem, the so-called affiliates, consists of specialists within their respective domains. While they deliver value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks.
“The organisational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations,” said Kremez.
The TrickBot and IcedID collaboration gives this pairing significant capabilities.
“First, the attacks are complex; while the malwares' main capability is the use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators' disposal that allow them to have deep coverage of a victim's machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise,” said Kremez.
He added that the key to this complete coverage is the ability to carry out account checking, or credential stuffing, to determine the value of a victim's machine and their access.
“Attackers can leverage higher value targets for network penetration, for example, while attackers can use other compromised targets for cryptocurrency mining,” he said.
The IcedID malware was first discovered in November 2017; IBM's X-Force research team published a report claiming to have spotted this new banking malware spreading via massive spam campaigns.
Craig Parkin, associate partner at Citihub Consulting, told SC Media UK that banking trojans haven't been as prolific as they were in the past as cyber-criminals are believed to have been using newer ways to make money through cryptomining attacks and ransomware instead.
“In addition, today's browsers are much more secure than they were, making it harder for cyber-criminals to produce successful banking trojans. It's not surprising that these teams are now teaming up given the increasing difficulty to monetise their efforts,” he said.
“To protect themselves, organisations should focus on how these Trojans are typically delivered: via phishing and direct downloads, where they are hidden within seemingly safe software found on the internet. A good phishing email awareness campaign and application whitelisting go a long way to protect organisations against these trojans in the first place.”
Nathan Gilks, solutions director at Deep Secure, told SC Media UK that as sinister as this collaborative development is, the IcedID malware is being sent as spam. “That means that it will likely be concealed in a whole host of ways inside seemingly innocuous business correspondence, e.g. as attachments to the spam message,” he said. “A good anti-spam defence will reduce the risk of infection but cannot eliminate it.”