IcedID and Trickbot malware trojans
News | 06/04/2018

IcedID and Trickbot Operators Join Hands To Share Profits!



IcedID and Trickbot Botnet Operators are collaborating at the backend to infect systems and share profits.


Collaboration to increase victim base.

IcedID and Trickbot are two banking trojans that have caused significant damage to banking systems. The botnet operators behind these trojans appear to be collaborating and sharing the profits.

It was discovered that some computer systems infected by the IcedID trojan were also infected with the Trickbot trojan at the same time. Analysts believe this is an indicator of a shift in the behavior of botnet operators. In the future, more botnet collaborations may follow the precedent set by the IcedID and Trickbot operators.

Botnet operators working in collaboration is an unusual development. In a setting where each botnet operator vies for full and exclusive control over the limited pool of systems that can be infected, this collaboration is an anomaly of sorts.

Previously, it had been observed that the SpyEye banking trojan uninstalled the Zeus trojan from a system after infiltrating it. Botnet operators do this to gain more control in an already overcrowded and hyper-competitive market of targets that includes banking, financial services, retail and technology.

Infiltration protocol

IcedID infiltrates systems through malicious spam (malspam) emails. The compromised system is first infected by the Emotet trojan, which acts as a downloader for IcedID; IcedID is then fetched from the botnet servers.

IcedID itself has now been modified to act as a downloader for the Trickbot banking trojan. IcedID has been known to target companies in finance, retail and technology and to maintain persistence on the infected system. IcedID then downloads Trickbot onto the system. Once Trickbot infects the system, it downloads additional modules to further compromise it. Trickbot is the successor of the Dyre banking trojan.

IcedID and Trickbot Botnet Collaboration

After this process is completed, the money mules, fraud masters and botnet operators come into play. They are the ones who reap the money from the compromised accounts, collecting it in person from the banks.

Since two trojans, IcedID and Trickbot, now infect the system together, their combined capabilities change. With the inclusion of various modules, the victim's computer can be used to scan for additional machines on the victim's network that can be compromised. The main functions of these trojans are token grabbing, redirection attacks and stealing the user's banking credentials through webinjects.

The botnet operators running these banking trojans aim for full coverage of a victim's data. They use credential stuffing and account checking to determine the value of a victim's machine and the access it provides. Systems judged to be low-value targets are used for cryptocurrency mining instead.

Previously, in 2017, IcedID mainly caused damage to systems in the financial services sector. IcedID set up proxies through which it stole user credentials, injecting content into banking pages (webinjects) to capture the victim's login details. Trickbot targets multiple high-profile industries, with its primary focus on banking.

Command network and Ecosystem supply chain.

The botnet operators have created separate ecosystems that work independently of each other but within a hierarchy. Each link in the chain specializes in its assigned tasks and knows the aliases and functions of the others in the supply chain, yet still operates independently. They have worked this way for years and have used various methods to evade capture and investigation, applying strict operational security to make sure no leak occurs in the chain.

The botmaster of the IcedID and Trickbot malware monitors the online activity of all infected systems. The activity is recorded in the command-and-control database according to the parameters configured in the botnet's control panel. Once a victim logs in to a banking page of interest, the botmaster is notified via XMPP (Jabber); all that is required is enabling the ‘jabber_on’ command in the backend. The login information is then passed to the fraud masters in a message from the botmaster that reads: “Try to log in with: Login <login> and passcode: <password> at this url: <bank_login_url>.”

These login details are then decoded and the relevant fields are extracted from the very detailed captured login data. The extracted information covers the victim's user details, passwords, secret questions and so on, and is passed on to the real-world handlers of the money-laundering fraud masters.

The notification messages can be customized by the botmaster according to the location of the infected systems. If the money-laundering operation and the infected systems are located in the same place, where a mule can go and collect the money from the bank, then notifications from other infected systems are filtered out. Notifications from places where a mule cannot be sent are ignored.

The mules open accounts in the same geographical locations and at the same banks as the victims. They receive the fraudulent account withdrawals and wire transfers and forward the laundered money to the botnet owners or to the intermediary handling them. Mule handlers run money-laundering and mule-recruiting services for a number of financial institutions and locations. Cybercrime forums even carry ads offering the services of mules for money laundering.

Since the IcedID and Trickbot botnet handlers have joined their backend operations to share profits, it can be inferred that this collaboration may drive a broader shift in the behavior of fraud masters and malware developers in the future. These collaborations are a response to the ever-tightening net of the investigative agencies: they are an attempt to evade capture.
