Evidence Found of Malware Families Collaborating

IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families – and that spells trouble.

Trojans that target banks have one of the longest-lasting and profitable cybercrime operations around.

But Limor Kessem, global executive security advisor at IBM Security, has written a blog post that shines a light on one of the most underappreciated aspects of these efforts. IBM's X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families, including measures the gangs employ to avoid stepping on each other's turf. Indeed, the various malwares are seemingly being used in tandem.

The post muses that, "the banking Trojan arena is dominated by groups from the same part of the world and by people who know each other and collaborate to continue orchestrating high volume wire fraud." X-Force found that the Trickbot, Gozi, Ramnit, IcedID and Zeus Panda families of bank Trojans each had about 12% of the overall action in 2018 that could be attributed to them.

Trickbot had a slightly higher piece of the pie (13%) and targets banks across the globe with URL-heavy configurations. This Trojan focuses on business banking and high-value accounts that are held with private banking and wealth management firms, but it will also go after e-commerce and cryptocurrency exchanges.

Kessem points out that in 2018 X-Force found strong collaboration evidenced between TrickBot and another banking Trojan, IcedID. About eight months into IcedID's existence (it was first found in November 2017), signs of a link between the two became apparent. IcedID was now being dropped by TrickBot. Before this, it was mainly dropped by the Emotet Trojan.

There were also other indicators of collaboration. In August 2018, IcedID was upgraded to resemble how TrickBot was being deployed. This new stealthy and modular approach made IcedID more like TrickBot in how it operated.

As Kessem put it, "The binary file was modified to become smaller and no longer featured embedded modules. The malware's plugins were being fetched and loaded on demand after the Trojan was installed on infected devices."

In another TrickBot similarity, IcedID began to encrypt its binary file content by obfuscating file names associated with its deployment on the endpoint.

The two Trojans may have actually had their cooperation rooted in the past. It's known that the Neverquest (also known as Catch or Vawtrak) Trojan used to collaborate with the Dyre group to deliver Dyre to devices already infected with Neverquest.

Even though the original Trojan operator gangs were disbanded years ago, the relationships that were established then may have endured. There are other collaborations about. In Japan, the Gozi Trojan is said by X-Force to collaborate with operators of the URLZone Trojan. URLZone used to be known to only target banks in Europe. It has started collaborating with Gozi by helping it into target devices and then allowing Gozi to do the data stealing and other bank fraud functions.

While previous years saw gangs operate as adversaries, occupying different turfs, or even attack one another's malware, X-Force in 2018 connected the major cybercrime gangs together in collaboration. Such a joining of forces can only spell trouble for Trojan targets.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.