Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:50 AM
Larry Loeb
Larry Loeb
Larry Loeb

Evidence Found of Malware Families Collaborating

IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families – and that spells trouble.

Trojans that target banks have one of the longest-lasting and profitable cybercrime operations around.

But Limor Kessem, global executive security advisor at IBM Security, has written a blog post that shines a light on one of the most underappreciated aspects of these efforts. IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families, including measures the gangs employ to avoid stepping on each other's turf. Indeed, the various malwares are seemingly being used in tandem.

The post muses that, "the banking Trojan arena is dominated by groups from the same part of the world and by people who know each other and collaborate to continue orchestrating high volume wire fraud." X-Force found that the Trickbot, Gozi, Ramnit, IcedID and Zeus Panda families of bank Trojans each had about 12% of the overall action in 2018 that could be attributed to them.

Trickbot had a slightly higher piece of the pie (13%) and targets banks across the globe with URL-heavy configurations. This Trojan focuses on business banking and high-value accounts that are held with private banking and wealth management firms, but it will also go after e-commerce and cryptocurrency exchanges.

Kessem points out that in 2018 X-Force found strong collaboration evidenced between TrickBot and another banking Trojan, IcedID. About eight months into IcedID's existence (it was first found in November 2017), signs of a link between the two became apparent. IcedID was now being dropped by TrickBot. Before this, it was mainly dropped by the Emotet Trojan.

There were also other indicators of collaboration. In August 2018, IcedID was upgraded to resemble how TrickBot was being deployed. This new stealthy and modular approach made IcedID more like TrickBot in how it operated.

As Kessem put it, "The binary file was modified to become smaller and no longer featured embedded modules. The malware's plugins were being fetched and loaded on demand after the Trojan was installed on infected devices."

In another TrickBot similarity, IcedID began to encrypt its binary file content by obfuscating file names associated with its deployment on the endpoint.

The two Trojans may have actually had their cooperation rooted in the past. It's known that the Neverquest (also known as Catch or Vawtrak) Trojan used to collaborate with the Dyre group to deliver Dyre to devices already infected with Neverquest.

Even though the original Trojan operator gangs were disbanded years ago, the relationships that were established then may have endured. There are other collaborations about. In Japan, the Gozi Trojan is said by X-Force to collaborate with operators of the URLZone Trojan. URLZone used to be known to only target banks in Europe. It has started collaborating with Gozi by helping it into target devices and then allowing Gozi to do the data stealing and other bank fraud functions.

While previous years saw gangs operate as adversaries, occupying different turfs, or even attack one another's malware, X-Force in 2018 connected the major cybercrime gangs together in collaboration. Such a joining of forces can only spell trouble for Trojan targets.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
A Patriotic Solution to the Cybersecurity Skills Shortage
Adam Benson, Senior VP, Vrge Strategies,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.