In one of the more disturbing turns of cybercrime, two nefarious and successful botnet operators are now collaborating in their attacks on banks and other financial institutions. Threatpost reports that the operators behind IcedID and TrickBot are working together and sharing profits.
This is interesting and disconcerting for a number of reasons:
- Collaboration gives both groups more human power to work with, which likely means greater success for account takeovers.
- The operation reveals an evolution in the cybercrime economy. Threat actors are looking for ways to cooperate with each other rather than compete for victims.
- Collaboration allows the criminals to have additional and more sophisticated attack resources that allow them to expand the severity of the attack.
In short, the whole of this collaboration is greater than the sum of its parts.
What is IcedID?
IcedID is a banking trojan that was discovered in the wild last year. Similar to VPNFilter, this malware is modular and can download specific plugins to customize the attack. It is capable of self-propagating through a network and seems to be designed to servers and endpoints. It also leverages LDAP queries to find network users. When first discovered, it was being distributed by the infection service Emotet. IcedID is delivered directly as spam.
What is TrickBot?
Malwarebytes published their first analysis of TrickBot in 2016. It was unknown at the time, and they were able to determine that it was a bot with similar features and solutions to Dyreza. Development on TrickBot continued and in 2017 there were new modules and capabilities reported by Malwarebytes here and the Security Art Work report here (pdf). In this collaborative attack, TrickBot is downloaded after a successful IcedID spam attack. Once TrickBot is activated it will download more malware based on the attack configuration.
The key to maximizing the profit from this crime partnership is coordination of the botmasters and their effectiveness in managing the collaboration. Flashpoint describes the botmaster role in detail here. A typical botmaster will monitor activity, parse the collected data, and then hand the relevant data off to other group members who will use it to attempt account takeovers and other attacks.
The human piece of this collaboration is what makes it so powerful. With more people, more attention can be paid to attack customization. Some targets are more valuable for network penetration, while others will provide more profit through cryptocurrency mining. This is all up to the actors behind the botnet.
The importance of email protection cannot be overstated. Email remains the number one threat vector, and successful defense requires multiple layers of security. Barracuda offers a full suite of email protection including Barracuda Sentinel which provides advanced protection from phishing and social engineering.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.