The operators of the “IcedID” and “TrickBot” banking Trojans have teamed up and are likely sharing profits, Flashpoint reported today, warning collaboration may be replacing competition among malware families.
The New York-based business risk intelligence company said it had determined through “open source intelligence with knowledge of both parties’ operations” that the two fraud operators were collaborating across a highly security-conscious network.
The attackers now send IcedID directly as spam, and the malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.
Research Director Vitali Kremez said: “Flashpoint assesses with high confidence that a head of operations likely oversees a complex network of actors who likely know each other only by aliases even after years of working together”.
Linguistic analysis and an investigation into the trojans’ botnet operations also revealed that the campaign belongs to a small, group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds.
He added: “Each segment of the ecosystem, the so-called affiliates, are specialists within their respective domains. While they are delivering value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks. The organisational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations.”
“Collaboration Gives Significant Capabilities”
Flashpoint said: “The TrickBot and IcedID collaboration gives this pairing significant capabilities. First, the attacks are complex; while the malwares’ main capabilities is the use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise”.
Kremez added: “Key to this complete coverage is the ability to carry out account checking, or credential stuffing, in order to determine the value of a victim’s machine and their access. Attackers can leverage higher value targets for network penetration, for example, while attackers can use other compromised targets for cryptocurrency mining.”
Researchers first spotted IcedID in November 2017, with IBM’s X-Force research team publishing a report that identified the banking malware spreading via massive spam campaigns. Compromised computers were first infected with the “Emotet” downloader, which then grabbed IcedID from the attacker’s domain.
X-Force’s November 2017 analysis of IcedID’s delivery method suggests that its operators are cybercrime veterans who were then opting to infect users via the Emotet Trojan.
IBM’s researchers noted at the time: “Aside from the more common Trojan features, IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.”
The Trojan requires a reboot to complete full deployment, possibly to evade sandboxes that do not emulate rebooting and communicates via secure sockets layer (SSL) to add a layer of security to the communications and to bypass automated scans by intrusion detection systems.
Geographical Differences Make Monetisation a Challenge but…
The responsibility to monitor the botnet, or the sum total of all victims’ online activities, falls on the TrickBot and IcedID botmaster.
A bot’s activity is recorded in the command-and-control (C2) database according to the parameters specified in the control panel’s preferences. The botmaster also accepts XMPP or Jabber notifications via the “jabber_on” field in the backend when the victims log in to the banking page of interest. The botmaster then provides a message for the fraud masters once the login is recorded. The message reads, “Try to log in with: Login <login> AND passcode: <password> at this url: <bank_login_url.”
The botmaster decodes the logs and parses them for the needed content. Once information consisting of the victim’s login credentials, answers to the secret questions, and email address is extracted from the logs, it is passed on to an affiliate who manages “real world” operations.
“Geographical disparity presents an obstacle in monetizing access, though this issue is typically solved through the use of money mule (or drop) services. Mules open bank accounts in the geographic location of the victim and at the same financial institution. They receive fraudulent account clearing house (ACH) and wire transfers into their account and forward the proceeds to the botnet owner or the intermediary. Higher up the chain, mule handlers direct mule recruiting and money laundering activities at a range of locations and financial institutions; many mule handlers advertise their services on the cybercrime forums”, the company concluded.