Maxim_Kazmin - Fotolia
The IcedID and TrickBot banking Trojans have apparently combined to create a dual threat that targets victims for cash. How did these two banking Trojans join forces? How do the actions of these Trojans compare to how they acted before they combined?
One of the most difficult aspects of an attack is monetizing access to a system, as the security controls on financial transactions are tight. These controls make it difficult to electronically transfer money without using traditional financial networks -- which is one reason why ransomware attacks use cryptocurrency for payments. The riskiest part of a financial attack is performed by the money mule who withdraws stolen cash from a bank account and transfers it to the handler.
Because the financial aspects are usually just one part of an attack, attackers tend to carefully segment their operations into distinct components to help prevent them from being identified; this creates a more resilient criminal enterprise. The different attack components include segments for both technical and financial aspects in which different groups might handle different parts of the overall attack. Each part needs to be successful or the attacker's financial fraud won't be successful.
In a recent blog post, Vitali Kremez, director of research at Flashpoint, discussed how the IcedID and TrickBot banking Trojans seem to have combined to create a more effective attack. The attack takes place when IcedID is spammed to victims and opened and TrickBot is downloaded.
Once TrickBot is on the system, its several modules enable it to gather data about the endpoint in order to determine what kind of financial fraud it should use. This next step is determined by the attack coordinator with the information from TrickBot. In previous IcedID attacks, the Emotet banking Trojan was used, but it has since been replaced by the TrickBot collaboration.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Sophos researchers believe the SamSam ransomware campaign could be the work of one or a few threat actors using manual techniques. Learn how it works... Continue Reading
The hacking group Magecart was recently found to have run a card skimming campaign that put customer information at risk. Learn how this attack ... Continue Reading
A new version of GandCrab was discovered by researchers in July 2018 and involves the use of legacy systems. Learn how this version differs and who ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.