It wasn’t too long ago when different banking malware competed for victims, often seeking out and uninstalling one another upon compromising machines. Now, in what may indicate a shift toward more collaboration among cybercrime groups, the operators of the “IcedID” and “TrickBot” banking Trojans appear to have partnered and are likely sharing profits, based on operation details.
Flashpoint analysts recently examined samples that indicate computers infected with IcedID are also downloading TrickBot, a prolific piece of banking malware that analysts consider to be the successor to the “Dyre” banking malware.
Researchers first spotted IcedID in November 2017; IBM’s X-Force research team published a report claiming to have spotted this new banking malware spreading via massive spam campaigns. Compromised computers were first infected with the “Emotet” downloader, which then grabbed IcedID from the attacker’s domain; the Russian-speaking cybercriminals behind Emotet are believed to include some of the operators of the “Dridex” banking Trojan. IcedID is able to maintain persistence on infected machines, and it has targeted companies mainly in the financial services, retail, and technology sectors.
It appears that attackers now send IcedID directly as spam, and that the malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.
While it is typically unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined through source intelligence with knowledge of both parties’ operations that there are indications of extensive collaboration between these two fraud operators. Human fraudsters are central to this cybercrime model; the TrickBot operators, for example, leverage both automated attacks and knowledgeable fraud operators who review compromised data from victims’ machines and can carry out real-time account takeover (ATO) operations.
TRICKBOT AND ICEDID FRAUD MASTER COLLABORATION: MONETIZATION FUNNEL
Even the most sophisticated cybercriminal organisation cannot reap financial rewards without the human resources required to cash out victims’ bank accounts. Cybercriminals’ ability to profit from the products and services involved in financial fraud rests on the availability of fraud masters, money mules, and related services.
The TrickBot and IcedID collaboration gives this pairing significant capabilities. First, the attacks are complex; while the malware’s main capability is the use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that give them deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise.
Key to this complete coverage is the ability to carry out account checking, or credential stuffing, in order to determine the value of a victim’s machine and their access. Attackers can leverage higher value targets for network penetration, for example, while other compromised targets can be used for cryptocurrency mining.
IcedID has been in the wild since April 2017 and was originally known as “BokBot”; this malware is exclusively a threat to Windows. Emotet was associated with this malware, and operators used it mainly as a loader and to maintain persistence in order to install and execute additional malware, including a virtual network computing (VNC) module for remote management and an antimalware bypass module. IcedID creates proxies that are used to steal credentials for a host of websites that are mainly in financial services, though some sites also correspond to the retail and technology sector. The local proxy intercepts traffic and uses a webinject that steals login data from the victim.
TrickBot targets victims in a wide swathe of industries by leveraging multiple modules, including leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and ATO operations.
Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveal that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds. Flashpoint assesses with high confidence that a head of operations likely oversees a complex network of actors who likely know each other only by aliases even after years of working together. Each segment of the ecosystem, the so-called affiliates, consists of specialists within their respective domains. While they deliver value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks. The organisational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations.
ROLE OF BOTMASTER IN CYBERCRIME OPERATIONS
The responsibility to monitor the botnet, or the sum total of all victims’ online activities, falls on the TrickBot and IcedID botmaster. A bot’s activity is recorded in the command-and-control (C2) database according to the parameters specified in the control panel’s preferences. The botmaster also accepts XMPP (Jabber) notifications via the “jabber_on” field in the backend when the victims log in to the banking page of interest. The botmaster then provides a message for the fraud masters once the login is recorded. The message reads, “Try to log in with: Login <login> AND passcode: <password> at this url: <bank_login_url>.”
The botmaster may elect to receive notifications when a victim accesses only certain online banking applications. If, for example, the project is built around European or US financial institutions (possibly because that is where the syndicate’s money laundering capabilities are focused), they would receive Jabber notifications based on their geographical cash out preference.
The botmaster decodes the logs and parses them for the needed content. Exported logs may contain tens of millions of lines of data, so a botmaster will likely employ a parsing application to extract the relevant data. Advanced banking Trojans such as “Citadel” have a built-in log parser. Once information consisting of the victim’s login credentials, answers to the secret questions, and email address is extracted from the logs, it is passed on to an affiliate who manages “real world” operations.
Geographical disparity presents an obstacle in monetizing access, though this issue is typically solved through the use of money mule (or drop) services. Mules open bank accounts in the geographic location of the victim and at the same financial institution. They receive fraudulent automated clearing house (ACH) and wire transfers into their account and forward the proceeds to the botnet owner or the intermediary. Higher up the chain, mule handlers direct mule recruiting and money laundering activities at a range of locations and financial institutions; many mule handlers advertise their services on the cybercrime forums.
Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, Flashpoint assesses with moderate confidence that the operators will likely continue to closely collaborate on cashing out stolen accounts.
Flashpoint also assesses with moderate confidence that this collaboration between TrickBot and IcedID operators may signal that fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud detection measures.