IcedID and TrickBot trojan operators join forces.
The operators behind the IcedID and TrickBot trojans are targeting banking victims as a dual threat and sharing the profit. Researchers discovered the collaboration while studying the IcedID malware: they noticed that computers infected with IcedID were also downloading the other piece of malware, TrickBot.
Why would IcedID, a commercial banking malware, download another commercial banking malware from the same ecosystem? Researchers looked into it because groups compete for a limited number of victims, and this behaviour was unusual. In doing so, they realized that IcedID and TrickBot were working together on the operations side. Malware families typically trip over each other for victims' data, especially in a hyper-competitive market like banking; the SpyEye malware, for example, has been seen to uninstall the similar Zeus trojan upon infecting a machine.
TrickBot made its mark as the trojan responsible for man-in-the-browser attacks since mid-2016. The malware has targeted financial institutions and is a successor to the Dyre banking trojan, sharing many of the same attributes. The trojan uses multiple modules, including leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and account takeover (ATO) operations. The IcedID trojan, meanwhile, was reported in 2017 by researchers at IBM's X-Force Research team. They said the trojan has several standout techniques and procedures, notably the ability to create local proxies that are used to steal credentials for a host of websites: the local proxy intercepts traffic and uses a web inject that steals login data from the victim.
It appears that IcedID is sent as email spam, and the malware then acts as a downloader that installs TrickBot, which in turn installs other modules on victims' machines. The two combined efforts use various methods and tools to steal banking credentials from victims, including token grabbers, redirection attacks and web injects. The attacks are complex: other modules at the operators' disposal give them deep access to a victim's machine and let them expand the scope of a hack. The double-teamed threat pulls in an extended network of fraud operators who can carry out efficient account takeover operations. One of the main factors behind the TrickBot-IcedID collaboration is the human operators behind it.
Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveal that the operations involving a botnet belong to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project's affiliates, and receives the laundered proceeds. When a victim logs in to a banking page of interest on an infected system, the botmaster receives XMPP (Jabber) notifications via the jabber_on field in the backend. The combined malware operation also has the ability to carry out account checking, which determines the value of a victim's machine and whether their access can be leveraged against higher-value targets for network penetration, while other infected machines are used for things like cryptocurrency mining. The botmaster extracts information from the logs, including the victim's login credentials, answers to secret questions and email address, and then passes that information to an affiliate who manages real-world operations.
In the real world, mules use the stolen information to open bank accounts in the vicinity of the victim and at the same financial institution. They receive fraudulent automated clearing house (ACH) and wire transfers into their accounts and then forward the proceeds to the botnet owner or an intermediary. Given the close collaboration between the TrickBot and IcedID operators and their shared backend infrastructure, the operators are expected to continue collaborating closely on cashing out stolen accounts. Researchers expect more botnet operators to begin similar collaboration efforts in the future: as committing banking fraud gets harder and harder, researchers think this is where such collaboration will really start to come in.