CrowdStrike researchers recently uncovered evidence of increased collaboration between two sophisticated cybercrime groups, which could spell trouble for enterprises and security vendors.
Earlier this month, CrowdStrike researchers observed the distribution of a new proxy module of the TrickBot malware that contains identical functionality to BokBot’s proxy module. Lunar Spider is an Eastern European-based threat group that operates the BokBot, or IcedID, commodity banking malware. The malware was first observed in 2017. Wizard Spider is the Russia-based operator of the banking Trojan TrickBot, which was discovered in 2016.
The new TrickBot proxy module, dubbed shadDll, incorporates many of the most powerful BokBot features, researchers shared in a blog post. The new TrickBot module is particularly noteworthy, because 81% of its code is derived from the BokBot proxy module, said Brett Stone-Gross, threat researcher at CrowdStrike, based in Sunnyvale, Calif.
“Our latest findings show that there is a strong partnership between two of the most prolific eCrime groups that have historically targeted customers of the retail and financial sectors,” Stone-Gross said in an email interview. “These [cybercrime] groups — Wizard Spider and Lunar Spider — are sharing code and tools to steal sensitive information and to facilitate illicit wire transfers. This collaboration may lead to an increase in fraudulent activities and more successful attempts as these groups pool their knowledge and resources.”
Criminal groups have typically been very competitive with each other, Stone-Gross said. In the past, it was common for one criminal group to attack another with slander and distributed denial-of-service attacks, and to implement features that remove a rival group’s malware from a victim’s system, he added.
“This recent collaboration signifies that Wizard Spider and Lunar Spider are working very close together and even share their own code, which goes well beyond any relationship that has been previously observed between top-tier criminal groups,” Stone-Gross said.
CrowdStrike Intelligence first observed campaigns involving both TrickBot and BokBot in July 2017, where victim machines infected with BokBot issued a command to download and execute a TrickBot payload. In February, CrowdStrike observed a new campaign from a Lunar Spider affiliate to distribute Wizard Spider’s TrickBot malware, signaling a deeper collaboration between the two cybercrime groups.
Stone-Gross said he believes that collaboration between cybercrime groups lets them combine their skills and experience, improving their techniques for bypassing security software and antifraud systems.
The new TrickBot module is designed to perform man-in-the-middle (MitM) attacks against web browsers on infected hosts, researchers said, which is achieved by hooking networking functions and installing illegitimate SSL certificates.
Once the malware successfully intercepts SSL traffic, it can use various BokBot configuration entries to conduct nefarious activities, such as redirecting web traffic and injecting malicious code, researchers explained.
“This new module is very complex and provides the group with the ability to monitor and manipulate a victim’s web browser to capture sensitive information that can assist in fraudulent activities,” Stone-Gross said.
To perform a MitM attack on SSL connections, the proxy server needs to generate an SSL certificate and insert it into the certificate store, CrowdStrike explained in a follow-up blog post detailing how the BokBot proxy module works.
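A root certificate injected into the Windows certificate store, as described above, is something a defender can look for directly. The PowerShell below is an added example, not CrowdStrike's or the article's own code: it enumerates the user and machine Root stores and reports self-signed certificates that were issued recently and are not in a baseline of known-good thumbprints (the baseline entries are placeholders to be replaced with your own inventory).

```powershell
# Added example (not from CrowdStrike or the article): list root CA certificates that
# look like they were injected by a local MitM proxy - self-signed, recently issued,
# and absent from a baseline of thumbprints the organisation already trusts.
param(
    [int]$MaxAgeDays = 30   # how far back "recently issued" reaches
)

# Placeholder thumbprints; replace with the thumbprints of roots you actually trust.
$Baseline = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

$Stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')
$Cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | Where-Object {
        $_.Subject -eq $_.Issuer -and          # self-signed, as every root CA is
        $_.NotBefore -gt $Cutoff -and          # issued within the lookback window
        $Baseline -notcontains $_.Thumbprint   # not already in the known-good list
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $Store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotBefore     = $_.NotBefore
            NotAfter      = $_.NotAfter
            # A legitimate public root never ships its private key to an endpoint;
            # a root that has one locally can mint leaf certificates on the host.
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Output "No recently added, unknown self-signed root certificates found."
}
```

Any hit should be compared against change records (software deployments, corporate proxies, endpoint agents) before being treated as malicious, since legitimate inspection products install roots the same way.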
Adam Kujawa, director of Malwarebytes Labs, said his company has observed an increase in TrickBot activity recently and noted the malware often uses common exploit kits in enterprise software. Malwarebytes’ 2019 State of Malware report called TrickBot one of “2018’s worst nightmares,” along with Emotet, another banking Trojan that has evolved recently.