loader gif

BokBot & TrickBot linked closely with each other, says report

BokBot & TrickBot linked closely with each other, says report
  • A new report by security firm CrowdStrike showed that the developers of these banking trojans were affiliated with each other.
  • BokBot’s creator LUNAR SPIDER was found to distribute TrickBot developed by WIZARD SPIDER group.

A new report has shown that notorious banking trojans Trickbot and BokBot (a.k.a. IcedID) are related to each other. Security firm CrowdStrike discovered that LUNAR SPIDER, creator of BokBot distributed WIZARD SPIDER’s custom variant TrickBot. A detailed analysis by the firm also showed that the creators of banking trojans sharing similar web resources.

CrowdStrike studied peculiar activity from BokBot on February 7. The findings showed that a BokBot executing a loader, also downloaded a separate TrickBot loader. When this TrickBot’s configuration file was analyzed, both trojans also had similar features.

“The primary function of the shareDll module in both cases is to attempt lateral movement within the victim’s network, to reach machines accessible by the currently logged-on user. In the BokBot distributed instance, once an accessible machine has been located, the modified spreader module will attempt to download the TrickBot loader located at http://185.68.93[.]30/sin.png or http://185.68.93[.]30/win.png and install TrickBot on the accessible network machine,” specified the report.

Module renaming technique

Furthermore, the custom Trickbot’s modules were delivered with renamed modules for separate instances. The functionality, however, remained the same with no encrypted strings as usual. Standard TrickBot exports such as Start, Control, and Release were also present.

CrowdStrike suggests that the module renaming may be a method to track activities of other associated modules in the trojans. With BokBot slowly carrying out the distribution of TrickBot, it comes as no surprise if future campaigns come with both Trojan deployments.

Possibility of planned malware change and closer ties

Another point noted by the researchers is about the historical relationship in the past between the developers and operators of the Dyre and Neverquest banking malware families. According to the researchers, "WIZARD SPIDER includes members that were a part of the same group that had developed and operated Dyre. LUNAR SPIDER includes members that were a part of the same group that had developed and operated Neverquest."

Both Dyre and Neverquest stopped operating in November 2015 and May 2017 respectively, despite being successful. Meanwhile, LUNAR SPIDER had introduced BokBot just before Neverquest operations ended, suggesting that the malware change may have been planned.

Researchers noted that the development of custom TrickBot modules in the new campaign is unprecedented and signifies "a close relationship between the members of LUNAR SPIDER and WIZARD SPIDER."

loader gif