Evidence Found of Malware Families Collaborating

IBMs X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families – and that spells trouble.

Trojans that target banks have one of the longest-lasting and profitable cybercrime operations around.
But Limor Kessem, global executive security advisor at IBM Security, has written a
blog post
that shines a light on one of the most underappreciated aspects of these efforts. IBMs X-Force has found that intertwined relationships exist between the Trickbot, Gozi, Ramnit and IcedID malware families, including measures the gangs employ to avoid stepping on each others turf. Indeed, the various malwares are seemingly being used in tandem.
The post muses that, the banking Trojan arena is dominated by groups from the same part of the world and by people who know each other and collaborate to continue orchestrating high volume wire fraud. X-Force found that the Trickbot, Gozi, Ramnit, IcedID and Zeus Panda families of bank Trojans each had about 12% of the overall action in 2018 that could be attributed to them.
Trickbot had a slightly higher piece of the pie (13%) and targets banks across the globe with URL-heavy configurations. This Trojan focuses on business banking and high-value accounts that are held with private banking and wealth management firms, but it will also go after e-commerce and cryptocurrency exchanges.
Kessem points out that in 2018 X-Force found strong collaboration evidenced between TrickBot and another banking Trojan, IcedID. About eight months into IcedIDs existence (it was first found in November 2017), signs of a link between the two became apparent. IcedID was now being dropped by TrickBot. Before this, it was mainly dropped by the Emotet Trojan.
There were also other indicators of collaboration. In August 2018, IcedID was upgraded to resemble how TrickBot was being deployed. This new stealthy and modular approach made IcedID more like TrickBot in how it operated.
As Kessem put it, The binary file was modified to become smaller and no longer featured embedded modules. The malwares plugins were being fetched and loaded on demand after the Trojan was installed on infected devices.
In another TrickBot similarity, IcedID began to encrypt its binary file content by obfuscating file names associated with its deployment on the endpoint.
The two Trojans may have actually had their cooperation rooted in the past. Its known that the Neverquest (also known as Catch or Vawtrak) Trojan used to collaborate with the Dyre group to deliver Dyre to devices already infected with Neverquest.
Even though the original Trojan operator gangs were disbanded years ago, the relationships that were established then may have endured. There are other collaborations about. In Japan, the Gozi Trojan is said by X-Force to collaborate with operators of the URLZone Trojan. URLZone used to be known to only target banks in Europe. It has started collaborating with Gozi by helping it into target devices and then allowing Gozi to do the data stealing and other bank fraud functions.
While previous years saw gangs operate as adversaries, occupying different turfs, or even attack one anothers malware, X-Force in 2018 connected the major cybercrime gangs together in collaboration. Such a joining of forces can only spell trouble for Trojan targets.
— Larry Loeb has written for many of the last centurys major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Evidence Found of Malware Families Collaborating