Banking malware vendors used to compete for victims by seeking out and deleting the competitor’s malware if it was found to be already installed on the victim’s system.
Now the trend is shifting: such malware creators are collaborating and developing their software so that they can share the profits from a successful attack on the victim. Systems infected with IcedID are downloading the TrickBot malware, which is the latest version of the “Dyre” banking malware. Researchers first spotted the IcedID malware in November 2017.
A team from IBM’s X-Force Research has published a report claiming to have spotted a new banking malware spreading via spam campaigns. The compromised computers will first have been infected with an Emotet downloader, which then fetches IcedID from the attackers’ domain.
Most researchers thought that Emotet was compromised by the operators of the “Dridex” banking trojan. IcedID is used to maintain persistence within the infected machines; most of the companies targeted by the malware are banking systems.
IcedID and TrickBot use token grabbers, redirection attacks and web injections to steal banking credentials when a user logs into their bank account. The malware attempts to integrate itself deeply into the victim’s system, trying to ensure that it becomes near impossible to remove.
IcedID has been in the wild for the past year (since April 2017) and was previously known as BokBot. The malware targets Windows exclusively and also bundles VNC modules for remote management and anti-malware bypass modules.
Will such providers banding together become more prevalent in future? Let us know your thoughts.