IcedID and Trickbot botnet operators band together to target victims and share the profit

Security researchers have discovered the botnet operators behind the infamous banking trojans IcedID and TrickBot are now collaborating to target victims together and share the spoils. According to Flashpoint researchers, recently analyzed samples revealed that computers infected with the IcedID malware also seemed to be downloading Trickbot - considered to be the successor to the prolific banking Trojan Dyre - as well.

"It appears that attackers now send IcedID directly as spam, and that piece of malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines," researchers said in a blog post. "While it is typically unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined through source intelligence with knowledge of both parties’ operations that there are indications of extensive collaboration between these two fraud operators.

"Human fraudsters are central to this cybercrime model; the TrickBot operators, for example, leverage automated attacks and knowledgeable fraud operators who review compromised data from victims’ machines and can carry out real-time account takeover (ATO) operations."

This unique collaboration between TrickBot and IcedID gives the pairing significant capabilities, researchers said.

"First, the attacks are complex; while the malware’s main capabilities are its use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise," Flashpoint notes.

This combined operation also has the ability to carry out account checking or credential stuffing, enabling the attackers to determine the value of a victim's machine and their access. The attackers can then assess and leverage higher-value targets for network penetration while using lower-rung victim systems for cryptocurrency mining.

"Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveals that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds," researchers explain.

Flashpoint has assessed with "high confidence" that a head of operations is likely overseeing this complex network of actors within which they only know each other by aliases, despite working together for years. Affiliates within this ecosystem are specialists within their own domains, each of which deliver value to the botnet owner. However, they each act independently and leverage their own set of closed networks to accomplish a task.

Meanwhile, the TrickBot and IcedID botmaster is responsible for monitoring the botnet and its subsequent hold on its victim's online activities.

"The organizational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations," researchers said. "Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will likely continue to closely collaborate on cashing out stolen accounts."

The extent of the attacks and amount of money stolen through this collaborated effort is still unclear. However, Flashpoint notes that this pairing up does signal that "fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud measures."