Banking malware vendors used to compete for victims by seeking out and deleting the competitor’s malware if it was found to be already installed on the victim’s system. However, now the groups behind IcedID and Trickbot malware which is the latest version of the “Dyre” banking malware are playing nice with each other, says Flashpoint.
Malware creators are collaborating and developing the software in such a way that will allow them to share profits from a successful attack on the victim. Researchers first spotted the IcedID malware in November 2017.
Flashpoint says it has evidence suggesting the operators of the Trickbot and IcedID botnets have gotten into some kind of a profit-sharing arrangement in which they are using each other’s malware and infrastructure to cash out victim bank accounts.
A team from IBM’s X-Force Research have published a report claiming to have spotted a new banking malware spreading via spam campaigns. The computers that are compromised will have been infected with an Emotet downloader which will then grab the IcedID from the attackers’ domain.
Such partnerships are extremely rare in the cybercrime world where rival groups are more likely to rip each other’s malware out of victim systems than collaborate on a malicious campaign. For enterprises, the trend could spell new trouble.
Most of the researchers thought that Emotet was compromised by the operators of the “Dridex’ banking trojan. IcedID is used to maintain persistence within the infected machines.
“This collaboration indicates that sophisticated botnet malware operators will … team up to defeat anti-fraud measures in place when [a] reasonable profit-sharing agreement can be reached amongst various groups,” says Vitali Kremez, director of research at Flashpoint.
IcedID and TrickBot use token grabbers, redirection attacks and web injections to steal banking credentials when a user logs into their bank account. The malware attempts to become deeply integrated into the victim’s system trying to ensure it becomes near impossible to remove.