Malware Gangs Collaborating to Attack Financial Institutions: IBM X-Force

A new report indicates financial malware gangs are openly sharing their operations with others.

Malware groups working together. (Source: Shutterstock)

In what cannot be good news for credit unions and banks, in 2018 financial malware gangs started cooperating with each other to launch attacks against financial service organizations using homegrown tools.

That is one of the revelations of the IBM X-Force analysis, “The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018,” authored by Limor Kessem, executive security advisor, IBM. While financial services remained the top target for these gangs, she saw a dramatic shift among the financial malware gangs last year, when they openly shared their operations with others.

“Banking Trojans and the gangs that operate them continue to plague banks, individuals and organizations with fraudulent transactions facilitated by malware and social engineering schemes,” Kessem said in a blog detailing the findings.

Kessem warned, “Banking Trojans have been a burdensome part of the cybercrime threat landscape for more than a decade now. The past five years have shown us that this breed of attackers is only becoming more sophisticated over time, incorporating technical knowledge with advanced social engineering to focus schemes on victims that can yield the biggest profits: businesses, cryptocurrency and high-value individuals.”

Whereas previous years saw gangs function as adversaries, inhabit dissimilar territories and even attack each other’s malware, the IBM 2018 research connected the major cybercrime gangs together in explicit collaboration, Kessem noted. “This trend is a negative sign that highlights how botnet operators join forces, revealing the resilience factor in these nefarious operations.”

IBM X-Force also discovered that in 2018 cybercrime gangs launched smaller, more targeted campaigns against financial institutions’ users (hundreds of emails, versus millions in previous campaigns) as efficiency became an attacker priority.

“It thus became clearer than ever that the banking Trojan arena is dominated by groups from the same part of the world, by people who know each other and collaborate to orchestrate high-volume wire fraud,” Kessem wrote.

X-Force detailed the motivations and methods used by the top financial malware gangs, presented here in digest form:

TrickBot, a banking Trojan operated by a Russia-based threat group, was one of 2018’s most aggressive Trojans. It targeted financial institutions across the globe with URL-heavy configurations that often included many targeted bank brands. TrickBot’s operators focus on business banking and high-value accounts held with private banking and wealth management firms, but they also diversified in 2018 to include various e-commerce and cryptocurrency exchange platforms on their target lists. Some of TrickBot’s activity in 2018 included collaboration with another banking Trojan, IcedID, a modular malicious code with modern banking Trojan capabilities (which IBM X-Force discovered in September 2017), as well as operating the Ryuk ransomware as part of TrickBot’s botnet monetization strategy.

Gozi (a.k.a. Ursnif), highly active in the wild for more than a decade now, was first discovered in 2007, when it was operated by a closed group of developers and cybercriminals. At the time, it targeted online banking users mostly in English-speaking countries. Its code was leaked in 2010, giving rise to other Trojans, such as Neverquest, that also dominated the cybercrime charts for years after. It was used in the Gozi-Prinimalka campaign in 2012 and, in 2013, was fitted with a master boot record rootkit to gain high persistence through a computer’s MBR. In 2018, Gozi v2 was the second-most active Trojan in the wild, operating across the globe and notably in Japan.

Ramnit is a prolific banking Trojan active in the wild since 2010. Ramnit started out as a self-replicating worm, leveraging removable drives and network shares to spread to new endpoints. In 2018, the Ramnit Trojan returned to the cybercrime arena with revamped code and a new partner, a proxy malware known as Ngioweb. Ramnit’s 2018 comeback resulted in a reported infection of more than 100,000 devices within the span of two months, as part of an operation code-named “Black.” In this campaign, Ramnit went back to its worm roots and was used as a first-stage infection in a kill chain designed to amass a large proxy botnet for Ngioweb.

“Hacking organizations have been collaborating for years and this has given them an advantage,” John Gunn, chief marketing officer of Chicago-based cybersecurity firm OneSpan, said. He added, however, that very soon financial institutions will be able to collaborate in ways far beyond those used by criminal hacking organizations. “Over the next few years, most FIs will implement anti-fraud platforms with artificial intelligence that will use machine learning-based analyses of massive amounts of shared information from multiple FIs. This will enable the detection of new malware threats and previously hidden attacks in real time, and this will change everything.”