
Operators of Trickbot and IcedID Trojans combined efforts and technology

The Trickbot banking Trojan has received a module for intercepting the traffic of an infected machine.

The malware is now able to insert its own web injects into the data exchanged between a financial institution's website and the client device.

Experts suggest that this expansion of capabilities is the result of cooperation between the program's authors and the developers of another banker, IcedID.

Security expert Brad Duncan discovered the previously unknown module while analyzing a payload delivered by the Ursnif malware.

He found that the updated version of Trickbot drops the shadnewDll dynamic library onto the infected system, and that this library is responsible for modifying web traffic. The malicious component has its own configuration file and is intended for man-in-the-browser (MITB) attacks. The module works with the Chrome, Firefox, Internet Explorer and Edge browsers.

Brad Duncan

“The infection chain starts with a malicious Office Word document, which deploys a PowerShell script to download the Ursnif trojan. The host compromised in this way also receives the Trickbot variant with the BokBot/IcedID proxy module that can intercept and modify web traffic,” said Brad Duncan.

Analysis of the new module's code revealed numerous overlaps with the source code of the BokBot banking Trojan, also known as IcedID. The specialists found that the malware acts as a local proxy server and is capable of inserting its own scripts into the traffic delivered to the machine. This allows attackers to display fake forms on the victim's screen that ask for financial details or credentials.

Last year it became known that the operators of IcedID and Trickbot had begun to conduct joint attacks, delivering both malicious programs to the target device at once. Security specialists concluded that such cooperation is designed to increase the effectiveness of cyber campaigns by using the strengths of each program.

Integration at the level of shared malicious components may indicate a new stage of this cooperation.

Experts from FireEye believe that the cooperation between these cybercriminals goes further than this.

“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations,” stated FireEye's research.

As the recent experience with GandCrab has shown, such partnership models among cybercriminals can be genuinely dangerous and effective.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
