Banking Trojans are popular in cybercriminal schemes given the valuable data and financial service credentials they can steal in successful cyberattacks.
Banks find themselves a constant target for relentless attacks against their apps and infrastructure. Their names, too, are abused by threat actors which use them in phishing campaigns and through copycat malicious domains designed to dupe customers into handing over their account credentials.
Banking Trojans are considered one of the top threats to the enterprise today. In 2018 alone, Kaspersky Lab recorded roughly 900,000 financial malware-based attacks against users in 2018 -- an increase of 16 percent in comparison to 767,000 attacks in the previous year.
The names of such malware may be familiar. Zeus, Redaman, BackSwap, Emotet, Gozi, and Ramnit are only some of the Trojan families which have gained prominence in the cybercriminal world, however, the operators of campaigns using banking Trojans are constantly cajoling for space and territory.
At least, this used to be the case. According to IBM's Global Executive Security Advisor Limor Kessem and the IBM X-Force cybersecurity team, the top banking malware operators are now working together to distribute their malware.
On Wednesday, Kessem revealed new research on the cooperative trend, which builds upon the financial malware trends discussed in the latest IBM X-Force Threat Intelligence Index.
Trickbot, Gozi, Ramnit, and IcedID were the most active banking Trojans in 2018, and while other forms of malware have grown in popularity, it is the most active -- and prevalent -- forms of financial malware which are now being spread through cybercriminal partnerships.
The cybersecurity researchers say that the list is "populated by organized cybercrime gangs that have ties to yet other cybercrime gangs, each doing its part to feed the perpetual supply chain of a digital financial crime economy."
"The banking Trojan arena is dominated by groups from the same part of the world and by people who know each other and collaborate to continue orchestrating high-volume wire fraud," Kessem added.
Trickbot is one of the major players in the financial Trojan space. The Russian cybercriminals behind the malware, who target banks and wealth firms managing high-value accounts, have recently diversified into ransomware as part of a wider botnet strategy and are now working with gang members from IcedID.
First discovered in 2017, IcedID uses web injection attacks to compromise online payment portals and also indulges in the typical bait-and-switch method for redirecting banking customers to malicious domains.
Three months later, it became clear that IcedID had also received a number of upgrades to perform more like TrickBot, including the reduction in the size of its binary file and plugins being fetched and loaded on demand, rather than being an intrinsic part of the Trojan's modules.
"Although malware authors do sometimes copy from one another, our research indicates these modifications were not coincidental," IBM says. "Even if we only looked at the fact that TrickBot and IcedID fetch one another into infected devices, that would be indication enough that these Trojans are operated by teams that work together."
IBM also speculates that a vague partnership between the two groups may have begun years ago, and potentially during the years when Dyre and Neverquest malware samples were making the rounds pre-2015. Trickbot is considered the protege of Dyre, whilst Neverquest vanished following the arrest of a member of the group behind it. IcedID came onto the scene soon after.
Gozi, too, is another key player in the banking malware industry and has been active for over a decade. First spotted in 2007, Gozi is constantly evolving and the leak of its source code in 2010 gave rise to a number of Trojans that are active today.
The malware is now in two major forms, v.2, and v.3, of which the former variant targets global players and the latter focuses on banks in Australia and New Zealand through macro-based malicious attachments sent via phishing campaigns.
In some countries, such as Japan, the operators of Gozi are collaborating with URLZone. This form of malware specializes in process hollowing and disguises itself as legitimate computing processes to lurk undetected on a victim's machine.
In a 2018 campaign, URLZone dropped both the Cutwail botnet and Gozi, which together are able to enslave devices, create persistent backdoors, and steal data.
The operators of Ramnit, too, appear to find value in collaboration. Active since 2010, Ramnit started out using worm-like techniques to infect PCs, networks, and removable drives before evolving into a modular banking Trojan which is now spread through exploit kids including Angler and RIG.
Ramnit tends to focus on victims in the UK, Canada, and Japan, and in 2018, re-emerged after a law enforcement botnet takedown with a new partner in tow: Ngioweb, a multifunctional proxy server which uses multiple layers of encryption.
A 2018 campaign between the pair was able to infect approximately 100,000 devices in only two months. During the scheme, Ramnit went back to its worm-like roots and acted as a first-stage infection platform to create a proxy botnet for Ngioweb.
IBM believes this partnership -- albeit a short-lived one -- was designed in the hopes of creating a botnet of a size comparable to the old Gameover Zeus botnet.
"While previous years saw gangs operate as adversaries, occupying different turfs, or even attack one another's malware, 2018 connects the major cybercrime gangs together in explicit collaboration," IBM says. "This trend is a negative sign to the joining of forces between botnet operators, revealing the resilience factor in these nefarious operations over time."