Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:50 AM
Larry Loeb
Larry Loeb
Larry Loeb

Evidence Found of Malware Families Collaborating

IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families – and that spells trouble.

Trojans that target banks have one of the longest-lasting and profitable cybercrime operations around.

But Limor Kessem, global executive security advisor at IBM Security, has written a blog post that shines a light on one of the most underappreciated aspects of these efforts. IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families, including measures the gangs employ to avoid stepping on each other's turf. Indeed, the various malwares are seemingly being used in tandem.

The post muses that, "the banking Trojan arena is dominated by groups from the same part of the world and by people who know each other and collaborate to continue orchestrating high volume wire fraud." X-Force found that the Trickbot, Gozi, Ramnit, IcedID and Zeus Panda families of bank Trojans each had about 12% of the overall action in 2018 that could be attributed to them.

Trickbot had a slightly higher piece of the pie (13%) and targets banks across the globe with URL-heavy configurations. This Trojan focuses on business banking and high-value accounts that are held with private banking and wealth management firms, but it will also go after e-commerce and cryptocurrency exchanges.

Kessem points out that in 2018 X-Force found strong collaboration evidenced between TrickBot and another banking Trojan, IcedID. About eight months into IcedID's existence (it was first found in November 2017), signs of a link between the two became apparent. IcedID was now being dropped by TrickBot. Before this, it was mainly dropped by the Emotet Trojan.

There were also other indicators of collaboration. In August 2018, IcedID was upgraded to resemble how TrickBot was being deployed. This new stealthy and modular approach made IcedID more like TrickBot in how it operated.

As Kessem put it, "The binary file was modified to become smaller and no longer featured embedded modules. The malware's plugins were being fetched and loaded on demand after the Trojan was installed on infected devices."

In another TrickBot similarity, IcedID began to encrypt its binary file content by obfuscating file names associated with its deployment on the endpoint.

The two Trojans may have actually had their cooperation rooted in the past. It's known that the Neverquest (also known as Catch or Vawtrak) Trojan used to collaborate with the Dyre group to deliver Dyre to devices already infected with Neverquest.

Even though the original Trojan operator gangs were disbanded years ago, the relationships that were established then may have endured. There are other collaborations about. In Japan, the Gozi Trojan is said by X-Force to collaborate with operators of the URLZone Trojan. URLZone used to be known to only target banks in Europe. It has started collaborating with Gozi by helping it into target devices and then allowing Gozi to do the data stealing and other bank fraud functions.

While previous years saw gangs operate as adversaries, occupying different turfs, or even attack one another's malware, X-Force in 2018 connected the major cybercrime gangs together in collaboration. Such a joining of forces can only spell trouble for Trojan targets.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-04
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by...
PUBLISHED: 2020-12-03
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
PUBLISHED: 2020-12-03
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
PUBLISHED: 2020-12-03
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.
PUBLISHED: 2020-12-03
An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.