Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:50 AM
Larry Loeb
Larry Loeb
Larry Loeb

Evidence Found of Malware Families Collaborating

IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families – and that spells trouble.

Trojans that target banks have one of the longest-lasting and profitable cybercrime operations around.

But Limor Kessem, global executive security advisor at IBM Security, has written a blog post that shines a light on one of the most underappreciated aspects of these efforts. IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families, including measures the gangs employ to avoid stepping on each other's turf. Indeed, the various malwares are seemingly being used in tandem.

The post muses that, "the banking Trojan arena is dominated by groups from the same part of the world and by people who know each other and collaborate to continue orchestrating high volume wire fraud." X-Force found that the Trickbot, Gozi, Ramnit, IcedID and Zeus Panda families of bank Trojans each had about 12% of the overall action in 2018 that could be attributed to them.

Trickbot had a slightly higher piece of the pie (13%) and targets banks across the globe with URL-heavy configurations. This Trojan focuses on business banking and high-value accounts that are held with private banking and wealth management firms, but it will also go after e-commerce and cryptocurrency exchanges.

Kessem points out that in 2018 X-Force found strong collaboration evidenced between TrickBot and another banking Trojan, IcedID. About eight months into IcedID's existence (it was first found in November 2017), signs of a link between the two became apparent. IcedID was now being dropped by TrickBot. Before this, it was mainly dropped by the Emotet Trojan.

There were also other indicators of collaboration. In August 2018, IcedID was upgraded to resemble how TrickBot was being deployed. This new stealthy and modular approach made IcedID more like TrickBot in how it operated.

As Kessem put it, "The binary file was modified to become smaller and no longer featured embedded modules. The malware's plugins were being fetched and loaded on demand after the Trojan was installed on infected devices."

In another TrickBot similarity, IcedID began to encrypt its binary file content by obfuscating file names associated with its deployment on the endpoint.

The two Trojans may have actually had their cooperation rooted in the past. It's known that the Neverquest (also known as Catch or Vawtrak) Trojan used to collaborate with the Dyre group to deliver Dyre to devices already infected with Neverquest.

Even though the original Trojan operator gangs were disbanded years ago, the relationships that were established then may have endured. There are other collaborations about. In Japan, the Gozi Trojan is said by X-Force to collaborate with operators of the URLZone Trojan. URLZone used to be known to only target banks in Europe. It has started collaborating with Gozi by helping it into target devices and then allowing Gozi to do the data stealing and other bank fraud functions.

While previous years saw gangs operate as adversaries, occupying different turfs, or even attack one another's malware, X-Force in 2018 connected the major cybercrime gangs together in collaboration. Such a joining of forces can only spell trouble for Trojan targets.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...