Trickbot and IcedID Botnet Operators Collaborate to Increase Impact

Different banking malware operations previously competed for victims, often seeking out and uninstalling one another upon compromising machines; for example, the SpyEye malware would uninstall Zeus upon infection. Now, in what may indicate a shift toward more collaboration among cybercrime groups, the operators of the IcedID and TrickBot banking Trojans appear to have partnered and are likely sharing profits, based on operation details.

The clincher came when analysts at Flashpoint recently examined samples that indicate computers infected with IcedID are also downloading Trickbot, a prolific piece of malware considered to be the successor to the Dyre banking Trojan.

Researchers first spotted IcedID in November 2017; IBM’s X-Force research team published a report claiming to have spotted this new banking malware spreading via massive spam campaigns. Compromised computers were first infected with the Emotet downloader, which then grabbed IcedID from the attacker’s domain; the Russian-speaking cybercriminals behind Emotet are believed to be comprised of some of the operators of the Dridex banking Trojan. IcedID is able to maintain persistence on infected machines, and it has targeted companies mainly in the financial services, retail, and technology sectors.

It appears that attackers now send IcedID directly as spam, and that piece of malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.

While it is typically unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined through source intelligence with knowledge of both parties’ operations that there are indications of extensive collaboration between these two fraud operators. Human fraudsters are central to this cybercrime model; the TrickBot operators, for example, leverage automated attacks and knowledgeable fraud operators who review compromised data from victims’ machines and can carry out real-time account takeover (ATO) operations.

Trickbot and IcedID Fraud Master Collaboration: Monetization Funnel

Even the most sophisticated cybercriminal organization cannot reap financial rewards without the human resources required to cash out victims’ bank accounts. Cybercriminals’ ability to profit from the products and services involved in financial fraud rests on the availability of fraud masters, money mules, and related services.

The TrickBot and IcedID collaboration gives this pairing significant capabilities. First, the attacks are complex; while the malware’s main capabilities are its use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise.

Key to this complete coverage is the ability to carry out account checking, or credential stuffing, in order to determine the value of a victim’s machine and their access. Attackers can leverage higher value targets for network penetration, for example, while attackers can use other compromised targets for cryptocurrency mining.

IcedID has been in the wild since April 2017 and was originally known as BokBot; this malware is exclusively a threat to Windows. Emotet was associated with this malware, and operators used it mainly as a loader and to maintain persistence in order to install and execute additional malware, including a virtual network computing (VNC) module for remote management and an antimalware bypass module. IcedID creates proxies that are used to steal credentials for a host of websites that are mainly in financial services, though some sites also correspond to the retail and technology sector. The local proxy intercepts traffic and uses a webinject that steals login data from the victim.

TrickBot targets victims in a wide swathe of industries by leveraging multiple modules, including leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and ATO operations.

Central Command

Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveals that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds. Flashpoint assesses with high confidence that a head of operations likely oversees a complex network of actors who likely know each other only by aliases even after years of working together. Each segment of the ecosystem, the so-called affiliates, are specialists within their respective domains. While they are delivering value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks. The organizational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations.

Role of Botmaster in Cybercrime Operations

The responsibility to monitor the botnet, or the sum total of all victims’ online activities, falls on the TrickBot and IcedID botmaster. A bot’s activity is recorded in the command-and-control (C2) database according to the parameters specified in the control panel’s preferences. The botmaster also accepts XMPP or Jabber notifications via the “jabber_on” field in the backend when the victims log in to the banking page of interest. The botmaster then provides a message for the fraud masters once the login is recorded. The message reads, “Try to log in with: Login <login> AND passcode: <password> at this url: <bank_login_url.”

The botmaster may elect to receive notifications when a victim accesses only certain online banking applications. If, for example, the project is built around European or US financial institutions (possibly because that is where the syndicate’s money laundering capabilities are focused), they would receive Jabber notifications based on their geographical cash out preference.

The botmaster decodes the logs and parses them for the needed content. Exported logs may contain tens of millions of lines of data, so a botmaster will likely employ a parsing application to extract the relevant data. Advanced banking Trojans such as Citadel have a built-in log parser. Once information consisting of the victim’s login credentials, answers to the secret questions, and email address is extracted from the logs, it is passed on to an affiliate who manages real-world operations.

Geographical disparity presents an obstacle in monetizing access, though this issue is typically solved through the use of money mule (or drop) services. Mules open bank accounts in the geographic location of the victim and at the same financial institution. They receive fraudulent account clearing house (ACH) and wire transfers into their account and forward the proceeds to the botnet owner or the intermediary. Higher up the chain, mule handlers direct mule recruiting and money laundering activities at a range of locations and financial institutions; many mule handlers advertise their services on the cybercrime forums.

Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will likely continue to closely collaborate on cashing out stolen accounts.

Such collaboration may also signal that fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud measures.

Attachments and Downloads

To download the Indicators of Compromise (IOCs) for TrickBot and IcedID, click here.

To download the Snort rule, click here.

Block has been deleted or is unavailable.