Trickbot and IcedID Botnet Operators Collaborate to Increase Impact

Blog
May 30, 2018

Different banking malware operations previously competed for victims, often seeking out and uninstalling one another upon compromising machines; for example, the SpyEye malware would uninstall Zeus upon infection. Now, in what may indicate a shift toward more collaboration among cybercrime groups, the operators of the IcedID and TrickBot banking Trojans appear to have partnered and are likely sharing profits, based on operation details.

The clincher came when Flashpoint analysts recently examined samples indicating that computers infected with IcedID are also downloading TrickBot, a prolific piece of malware considered to be the successor to the Dyre banking Trojan.

Researchers first spotted IcedID in November 2017; IBM’s X-Force research team published a report claiming to have spotted this new banking malware spreading via massive spam campaigns. Compromised computers were first infected with the Emotet downloader, which then grabbed IcedID from the attacker’s domain; the Russian-speaking cybercriminals behind Emotet are believed to be comprised of some of the operators of the Dridex banking Trojan. IcedID is able to maintain persistence on infected machines, and it has targeted companies mainly in the financial services, retail, and technology sectors.

Image 1: The typical fraud ecosystem that involves IcedID/TrickBot cash-outs

It appears that attackers now send IcedID directly as spam, and that piece of malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.

While it is unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined through source intelligence with knowledge of both parties’ operations that there are indications of extensive collaboration between these two fraud operators. Human fraudsters are central to this cybercrime model; the TrickBot operators, for example, combine automated attacks with knowledgeable fraud operators who review compromised data from victims’ machines and can carry out real-time account takeover (ATO) operations.

TrickBot and IcedID Fraud Master Collaboration: Monetization Funnel

Even the most sophisticated cybercriminal organization cannot reap financial rewards without the human resources required to cash out victims’ bank accounts. Cybercriminals’ ability to profit from the products and services involved in financial fraud rests on the availability of fraud masters, money mules, and related services.

The TrickBot and IcedID collaboration gives this pairing significant capabilities. First, the attacks are complex; while the malware’s main capabilities are its use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise.

Key to this complete coverage is the ability to carry out account checking, or credential stuffing, in order to determine the value of a victim’s machine and their access. Higher-value targets can be used for network penetration, for example, while other compromised machines can be used for cryptocurrency mining.

IcedID has been in the wild since April 2017 and was originally known as BokBot; this malware is exclusively a threat to Windows. Emotet was associated with this malware and was used mainly as a loader and to maintain persistence in order to install and execute additional malware, including a virtual network computing (VNC) module for remote management and an antimalware bypass module. IcedID creates proxies that are used to steal credentials for a host of websites, mainly in financial services, though some sites also belong to the retail and technology sectors. The local proxy intercepts traffic and uses a webinject that steals login data from the victim.
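The paragraph above describes a local intercepting proxy sitting between the browser and the bank, which is the component a host-level triage would look for. The following PowerShell script is an added example, not code from the Flashpoint post or from any Flashpoint tooling, and the post does not say how IcedID installs its proxy, so the script checks the two generic places where such a proxy tends to surface on a Windows host: the per-user WinINet proxy configuration and loopback-only listening sockets. The allowlist parameter and the loopback regular expression are assumptions; tune them to the host being examined.

```powershell
# Added defender-side example (not from the Flashpoint post): triage a Windows host
# for signs of a local intercepting proxy of the kind the post attributes to IcedID.
# Assumptions: the proxy either shows up in the user's WinINet proxy settings or as
# a loopback-only listener; both checks are generic and will also flag legitimate
# tools (corporate PAC scripts, local dev servers), so findings are leads, not verdicts.

function Get-LocalProxyIndicators {
    [CmdletBinding()]
    param(
        # Loopback ports that are expected on this host (assumed allowlist; empty = flag all).
        [int[]] $ExpectedLoopbackPorts = @()
    )

    $findings = @()

    # 1. Per-user WinINet proxy configuration, honoured by IE/Edge and many other clients.
    $regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
        # A proxy string pointing at loopback means every browser request is being
        # routed through a process on this same machine.
        if ($inet.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost|\[::1\])(:\d+)?') {
            $findings += [pscustomobject]@{
                Check  = 'WinINet proxy points at loopback'
                Detail = $inet.ProxyServer
            }
        }
    }
    if ($inet -and $inet.AutoConfigURL) {
        # A PAC script can silently redirect selected hosts (e.g. banking sites) to a proxy.
        $findings += [pscustomobject]@{
            Check  = 'WinINet PAC script configured'
            Detail = $inet.AutoConfigURL
        }
    }

    # 2. Processes listening only on loopback: an interception proxy needs such a socket.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in @('127.0.0.1', '::1') -and
                       $_.LocalPort -notin $ExpectedLoopbackPorts }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check  = 'Loopback listener'
            Detail = ('{0}:{1} pid={2} ({3}) path={4}' -f $l.LocalAddress, $l.LocalPort,
                      $l.OwningProcess, $proc.ProcessName, $proc.Path)
        }
    }

    return $findings
}

# Usage: review each finding's owning process path; an unsigned binary in a user-writable
# directory holding a loopback listener while the browser is running is worth escalating.
Get-LocalProxyIndicators -ExpectedLoopbackPorts @() | Format-Table -AutoSize
```

The script is read-only and leaves the host unchanged. Because a webinject proxy only has to be reachable from the browser, it never needs to bind a non-loopback address, which is why network-perimeter telemetry alone tends to miss it and a host-side check like this one is needed.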

Image 2: The IcedID banker includes an extensive token grabber module with the alphabetical parameters.

TrickBot targets victims in a wide swathe of industries by leveraging multiple modules, including leaked exploits, and uses compromised machines for various malicious activities, such as cryptocurrency mining and ATO operations.

Central Command

Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveal that each botnet campaign belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds. Flashpoint assesses with high confidence that a head of operations likely oversees a complex network of actors who likely know each other only by aliases even after years of working together. Each segment of the ecosystem, the so-called affiliates, is made up of specialists within their respective domains. While they deliver value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks. The organizational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations.

Role of Botmaster in Cybercrime Operations

The responsibility to monitor the botnet, or the sum total of all victims’ online activities, falls on the TrickBot and IcedID botmaster. A bot’s activity is recorded in the command-and-control (C2) database according to the parameters specified in the control panel’s preferences. The botmaster also accepts XMPP or Jabber notifications via the “jabber_on” field in the backend when a victim logs in to a banking page of interest. Once the login is recorded, the botmaster passes a message to the fraud masters. The message reads, “Try to log in with: Login <login> AND passcode: <password> at this url: <bank_login_url>.”

The botmaster may elect to receive notifications only when a victim accesses certain online banking applications. If, for example, the project is built around European or US financial institutions (possibly because that is where the syndicate’s money laundering capabilities are focused), the botmaster would receive Jabber notifications based on that geographical cash-out preference.

The botmaster decodes the logs and parses them for the needed content. Exported logs may contain tens of millions of lines of data, so a botmaster will likely employ a parsing application to extract the relevant data. Advanced banking Trojans such as Citadel have a built-in log parser. Once information consisting of the victim’s login credentials, answers to the secret questions, and email address is extracted from the logs, it is passed on to an affiliate who manages real-world operations.

Geographical disparity presents an obstacle in monetizing access, though this issue is typically solved through the use of money mule (or drop) services. Mules open bank accounts in the geographic location of the victim and at the same financial institution. They receive fraudulent automated clearing house (ACH) and wire transfers into their accounts and forward the proceeds to the botnet owner or the intermediary. Higher up the chain, mule handlers direct mule recruiting and money laundering activities at a range of locations and financial institutions; many mule handlers advertise their services on cybercrime forums.

Image 3: The IcedID banking grabber request reveals a detailed URL pattern with the data submission and exfiltration to the inject server.

Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will continue to collaborate closely on cashing out stolen accounts.

Such collaboration may also signal that fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud measures.

Image 4: The IcedID/TrickBot operators rely on detailed inject messages from victim machines for ATO fraud.

Attachments and Downloads

To download the Indicators of Compromise (IOCs) for TrickBot and IcedID, click here.

To download the Snort rule, click here.

Vitali Kremez

Director of Research

Vitali Kremez is a Director of Research at Flashpoint. He oversees analyst collection efforts and leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies deliver indictments of many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney’s Office.
He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.