IBM: Intergang Cybercrime Collaboration on the Rise
IBM just released its report on organized cybercrime which found intergang collaborations on the rise last year. Several top banking malware gangs now are working together to distribute and profit from malware, including banking trojans and ransomware. The collaborations give the gangs further advantage in agility and speed. They also appear more confident. Some are bold enough to operate openly.
“In 2018, I must admit I was finally surprised when two malware gangs that did not appear connected at first began openly collaborating. It thus became clearer than ever that the banking Trojan arena is dominated by groups from the same part of the world, by people who know each other and collaborate to orchestrate high-volume wire fraud,” she wrote in an IBM blog about the report.
The report identifies the top malware on its gang-owned Trojan chart as Trickbot, Gozi, Ramnit, IcedID, Zeua Panda, Dridex, Zeus Sphinx, Gootkit, Qakbot, and TinyNuke.
Trickbot, a Russian gang-owned banking Trojan, was one of the most aggressive last year. Although the threat group is highly successful and has ample resources, it teamed with another banking Trojan, IcedID, and Ryuk ransomware, a subset of Trickbot.
“These highlight a larger trend of intergang collaboration among Trojan operators striving to generate larger profits in spite of growing security control sophistication,” wrote Kessem.
“Although malware authors do sometimes copy from one another, our research indicates these modifications were not coincidental. Even if we only looked at the fact that TrickBot and IcedID fetch one another into infected devices, that would be indication enough that these Trojans are operated by teams that work together.”
Operators of banking Trojans and ransomware are using increasingly sophisticated and advanced social engineering, and now collaboration with old rivals — perhaps we can think of it as “gang-sourcing,” to stay ahead of security tools and law enforcement.
“While previous years saw gangs operate as adversaries, occupy different turfs and even attack each other’s malware, our research from 2018 connected the major cybercrime gangs together in explicit collaboration. This trend is a negative sign that highlights how botnet operators join forces, revealing the resilience factor in these nefarious operations,” says Kessem.