‘Operation Endgame’ deals a major blow to botnets for spreading malware

Malware droppers sit at the core of the cybercrime ecosystem

Botnets have been around for years, but their purpose has changed over time based on what makes the most money for cybercriminals. Sometimes very large botnets are used to hijack email accounts and address books to send spam. Sometimes they deliver Trojans capable of stealing online banking credentials during browser sessions, and sometimes botnets are used to launch DDoS attacks as a service.

Some of that specialization still exists, but today some of the largest botnets are used as platforms to distribute malware on behalf of the wider cybercriminal ecosystem. Ransomware has been a very profitable cybercrime activity for many years, and ransomware gangs are always looking for initial access to new victim networks, something malware droppers specialize in.

Malware droppers are often distributed through large phishing campaigns. Their operators cast a wide net and then sort victims by how valuable they might be to their cybercriminal clients. One of the suspects investigated in Operation Endgame earned more than 69 million euros in cryptocurrency by providing the infrastructure used to deploy ransomware, Europol said.

TrickBot, also known as TrickLoader, which was targeted in this operation, is one of the longest-lived botnets on the Internet and has survived many takedown attempts. TrickBot started out as a Trojan focused on stealing online banking credentials, but its modular design allowed it to become one of the main delivery vehicles for other malware.

The operators of TrickBot had a strong business relationship with the well-known Ryuk group, whose ransomware was for a long time distributed almost exclusively through the botnet. The creators of TrickBot added functions that appear to cater to APT groups and were also behind another malware dropper called BazarLoader.

Similar to TrickBot, IcedID first appeared in 2017 and was originally a banking Trojan designed to inject malicious content into online banking sessions in the browser, an attack known as a webinject. Since then it has also grown into a malware distribution platform used by many cybercriminal groups, including initial access brokers working for ransomware gangs.
