Operators of IcedID and TrickBot Join Together to Target Victims

Two Trojans specialized in targeting the financial sector have been observed operating in collusion with each other, causing further losses to victims.

This is not very different from a political potboiler—two entities who used to fight each other suddenly start working together for mutual benefit.

The discussion is about two botnets, IcedID and TrickBot, which earlier would block one another while mounting a cyberattack on a system.

Now, they appear to be merrily exploiting the targeted systems together.

It can be presumed that the operators of these Trojans have found a way to maximize their loot and then share it amongst themselves after taking care of the other “facilitators” in the pipeline.

Banking Institutions Are Their Main Targets

The two botnets, IcedID and TrickBot, are both malware that operate in the financial sector. Banks and related organizations are their usual targets.

Recently, researchers from Flashpoint examined a banking system that was attacked by IcedID and observed that TrickBot was also getting downloaded on the same system.

This sent the researchers digging deeper, and the only explanation they could offer was that there is some kind of collaboration among the operators.

Human Involvement Is Definitive

The inevitable factor in any cyberattack is that there are criminal entities behind creating the malware and planting it on the victims’ systems with the ultimate objective of extracting ransom.

The amounts so looted get deposited in a bank account and are withdrawn by the perpetrator of the attack.

So, if two different hackers target the same victim simultaneously, one can conclude that they are in collusion, and once they have succeeded in stealing the funds, there must be a mechanism in place to share the spoils.

History of TrickBot and IcedID

Delving into the two dangerous banking Trojans, it has to be noted that the first to appear on the scene was TrickBot, in 2016.

It is said to be the successor of the Dyre banking Trojan. It has the capability to inflict a variety of damage at the victim's end, and there are instances of it using the targeted machines even to perform cryptocurrency mining. Account takeover (ATO) operations are another task that the TrickBot Trojan can perform.

IcedID was first traced in 2017. It had a predecessor version called BokBot, and it was the team at IBM’s X-Force Research that took the credit for identifying this botnet.

It has the potential to steal information, particularly banking passwords, through the use of proxies.

The proxies do the Trojan's work: they intercept the data traffic and use tools, typically called web injects, that perform the data theft.

Researchers explain that, under this concerted action by the botnet operators, the IcedID Trojan is first implanted through a spam email.

Once the target system user downloads the Trojan, it starts acting as a downloader on its own and brings the other bot, TrickBot, into the equation to wreak havoc.

A Labyrinth of a Command and Control Network


Researchers have also detailed how the malware is unleashed and then controlled remotely by a web of multiple layers of command centers.

At the helm, there is supposed to be a botmaster, who is comparable to a ringleader or “The Godfather” in a mafia setup.

They would initiate the action by investing in the malware; it can be purchased or commissioned from developers for executing the hacks and the subsequent operations.

There are also webmasters and mule handlers who have to be taken care of while executing the operation.

The group of people who run and control the cyberattack need not be very large, but they remain anonymous to each other.

They create their own IDs or nicknames, and may not recognize each other if they were to meet physically.

The group may also recruit domain specialists who are given the responsibility to act within their zone of expertise and deliver the goodies.

They would get paid their share after the funds have been siphoned off to banks in a remote haven where their confidentiality is assured.

Detailed logs are maintained at the botmaster’s end to record the happenings as the cybercrime scheme is being committed.

It is going to be a serious challenge for system administrators and cybersecurity experts to come up with solutions to counter these Trojans.
